Windows Analysis Report
Setup.exe

Overview

General Information

Sample Name: Setup.exe
Analysis ID: 612091
MD5: 37c6031e6d7ed0910fab1ab8d18f76f4
SHA1: 37e4ea50f7668a52abe951fb540c7ced71c6500a
SHA256: 1200ec02f814bcd7a6de8035ec139548a80b628601b90f4a13a5b35cf976a4e0
Infos:

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops certificate files (DER)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Creates driver files
Checks for available system drives (often done to infect USB drives)

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • Setup.exe (PID: 6404 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 37C6031E6D7ED0910FAB1AB8D18F76F4)
    • additional.exe (PID: 3956 cmdline: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\ MD5: 36A497196AD65CDBD3A4F50B1760DED1)
      • conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DLC3A4.exe (PID: 6084 cmdline: DLC3A4.exe /exelang 1033 ALLOW64BIT=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{08DDE00A-EEEA-416E-9E61-B9085D542140}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCABA.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC335A.LOG" MD5: F501A103478D855B0088A41117A4D4EC)
  • msiexec.exe (PID: 5484 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 6748 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A63054042D1C239EA3B02585E95E450D C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 6744 cmdline: C:\Windows\System32\MsiExec.exe -Embedding A71763BA0B19F12D058A5205CCDD4884 C MD5: 4767B71A318E201188A0D0A420C8B608)
  • cleanup
No configs have been found
No yara matches

There are no malicious signatures.

Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Users\user\Desktop\Setup.exe, ProcessId: 6404, TargetFilename: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
Source: Process started, Author: frack113, Data: Command: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\, CommandLine: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe, ParentCommandLine: "C:\Users\user\Desktop\Setup.exe" , ParentImage: C:\Users\user\Desktop\Setup.exe, ParentProcessId: 6404, ParentProcessName: Setup.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\, ProcessId: 3956, ProcessName: additional.exe
Source: Process started, Author: frack113, Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\, ParentImage: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe, ParentProcessId: 3956, ParentProcessName: additional.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 3572, ProcessName: conhost.exe
No Snort rule has matched

Source: Setup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Setup.exe Static PE information: certificate valid
Source: Setup.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\CoreInstallerHelper.pdb7 source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ResourceCleaner.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\wrk\tlprj\_ToriLogic\Products\TL-USBNET\_main\bin\Release_660\Win32\tl-usbnet.pdb source: dl-usbnet-ncm.sys.4.dr
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\dlidusb3\dlidusb3.pdbGCTL source: additional.exe, 00000004.00000003.505808440.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\tempFiles.pdb source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.672305509.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.678066911.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\Setup.pdb source: Setup.exe
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\DisplayLinkUsbCo2.pdb source: additional.exe, 00000004.00000003.488606399.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: VDESTnivoco.dllnivoco.pdbnivolib.dlllibusb0.dlldrivers\libusb0.sysnivousb.dlldrivers\nivousbport.sysngadisp.dlldrivers\ngaport.sysnewnhamgadisp.dlldrivers\newnhamgaport.sysnmirror.dlldrivers\nmirror.sysdrivers\nmirrorport.sysnewnhammirrordisp.dlldrivers\newnhammirrorport.sysnmdrv.dlldrivers\nmport.sysibdisp.dlldrivers\ibport.sysnewnhamusb.dllnewnhamusbco.dlldrivers\newnhamusbport.sysDisplayLinkGAdisp.dlldrivers\DisplayLinkGAport.sysDisplayLinkmirrordisp.dlldrivers\DisplayLinkmirrorport.sysdrivers\DisplayLinkUsbPort*.sysdrivers\DisplayLinkUsbIo*.sysdrivers\DisplayLinkFilter.sysdrivers\UMDF\dlidusb.dlldrivers\UMDF\dlidusb2.dlldrivers\UMDF\dlidusb3.dlldlidcore.dlldrivers\dlkmd.sysdrivers\dlkmdldr.sysDisplayLinkusb.dllDisplayLinkUsbCo*.dlldrivers\ebusbus.sysdrivers\ebuswh95.sysdrivers\ebuswhnt.sysdrivers\ebuswh.sysdrivers\dlcdbus.sysdrivers\dlcdwhnt.sysdrivers\dlcdwh.sysdrivers\dlcdcecm.sysdrivers\dlcdcncm*.sysdrivers\dl-usbnet-ncm.sysdrivers\dlusbaudio.sysdrivers\dlusbaudio_x64.sysDLTmmB.dlldlumd9.dlldlumd10.dlldlumd11.dlldrivers\UMDF\ella-dock-release.spkgdrivers\UMDF\ridge-dock-release.spkgdrivers\UMDF\firefly-monitor-release.spkgdrivers\dlxrusbaudio_x64.sysdrivers\DisplayLinkXRUsbIo_x64*.sysDisplayLinkHotDeskServiceDisplayLinkDriverSwapService source: additional.exe, 00000004.00000003.488606399.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\CoreInstallerHelper.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: DpInst.pdbH source: additional.exe, 00000004.00000003.486713848.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, MSI2AF1.tmp.16.dr
Source: Binary string: nivoco.dllnivoco.pdbnivolib.dlllibusb0.dlldrivers\libusb0.sysnivousb.dlldrivers\nivousbport.sysngadisp.dlldrivers\ngaport.sysnewnhamgadisp.dlldrivers\newnhamgaport.sysnmirror.dlldrivers\nmirror.sysdrivers\nmirrorport.sysnewnhammirrordisp.dlldrivers\newnhammirrorport.sysnmdrv.dlldrivers\nmport.sysibdisp.dlldrivers\ibport.sysnewnhamusb.dllnewnhamusbco.dlldrivers\newnhamusbport.sysDisplayLinkGAdisp.dlldrivers\DisplayLinkGAport.sysDisplayLinkmirrordisp.dlldrivers\DisplayLinkmirrorport.sysdrivers\DisplayLinkUsbPort*.sysdrivers\DisplayLinkUsbIo*.sysdrivers\DisplayLinkFilter.sysdlumd32.dlldlumd64.dlldrivers\UMDF\dlidusb.dlldrivers\UMDF\dlidusb2.dlldrivers\UMDF\dlidusb3.dlldlidcore.dlldrivers\dlkmd.sysdrivers\dlkmdldr.sysDisplayLinkusb.dllDisplayLinkUsbCo*.dlldrivers\ebusbus.sysdrivers\ebuswh95.sysdrivers\ebuswhnt.sysdrivers\ebuswh.sysdrivers\dlcdbus.sysdrivers\dlcdwhnt.sysdrivers\dlcdwh.sysdrivers\dlcdcecm.sysdrivers\dlcdcncm*.sysdrivers\dl-usbnet-ncm.sysdrivers\dlusbaudio.sysdrivers\dlusbaudio_x64.sysDLTmmB.dlldlumd9.dlldlumd10.dlldlumd11.dlldrivers\UMDF\ella-dock-release.spkgdrivers\UMDF\ridge-dock-release.spkgdrivers\UMDF\firefly-monitor-release.spkgdrivers\dlxrusbaudio_x64.sysdrivers\DisplayLinkXRUsbIo_x64*.sys@@AAAAAAAAAAAAAAAAAAAAAHY+Kvs1uxFtdTKe2lhUNyFtdbrGegS7rfhDfPuGrggE@@@@AAAAAAAAAAAAAAAAAAAAAMZzznyrmIJFsrO9g5Y1Msu9KKJoYFaArulb25hktfpmWSPp1quvgQeTXwZPHDwCRA==@@ != [options]Utility to clean DisplayLink (DL) files, devices & registryCleaner@/ source: DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\Cleaner.pdb source: DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb+ source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbV source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\dlidusb3\dlidusb3.pdb source: additional.exe, 00000004.00000003.505808440.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: Setup.exe, 00000000.00000000.394336162.0000000003398000.00000002.00000001.01000000.00000003.sdmp, Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, DLC3A4.exe, 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp, DLC3A4.exe, 00000010.00000000.575990996.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: DpInst.pdb source: additional.exe, 00000004.00000003.486713848.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Code function: 4_2_00406FF9 __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,4_2_00406FF9
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00414085 FindFirstFileW,FindClose,CloseHandle,CloseHandle,16_2_00414085
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003FA310 FindFirstFileW,GetLastError,FindClose,16_2_003FA310
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00414B3A FindFirstFileW,FindClose,16_2_00414B3A
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_004083C7 __EH_prolog3_GS,FindFirstFileW,FindClose,16_2_004083C7
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041C5A8 FindFirstFileW,FindClose,16_2_0041C5A8
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041A78C __EH_prolog3_GS,_wcslen,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,16_2_0041A78C
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0042697F FindFirstFileW,FindNextFileW,_wcsrchr,_wcsrchr,_wcsrchr,FindNextFileW,FindClose,FindClose,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,16_2_0042697F
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041AA08 __EH_prolog3_GS,FindFirstFileW,FindClose,16_2_0041AA08
Source: DLC3A4.exe, 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp, DLC3A4.exe, 00000010.00000000.575990996.00000000004A7000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: AShell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Development Kit\JavaHomeSoftware\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.google.comhttp://www.example.comhttp://www.yahoo.comtin9999.tmpHEAD.part123charsetutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: Setup.exe, 00000000.00000000.394336162.0000000003398000.00000002.00000001.01000000.00000003.sdmp, Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: IShell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Development Kit\JavaHomeSoftware\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.google.comhttp://www.example.comhttp://www.yahoo.comtin9999.tmpHEAD.part123charsetutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: DLC3A4.exe String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.677390665.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.677390665.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: http://s.symcd.com06
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: http://t2.symcb.com0
Source: DLC3A4.exe, 00000010.00000002.678461490.0000000003C48000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: http://tl.symcb.com/tl.crl0
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: http://tl.symcb.com/tl.crt0
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: http://tl.symcd.com0&
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.drString found in binary or memory: http://www.digicert.com/CPS0
Source: DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.597504194.0000000004E29000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.drString found in binary or memory: http://www.displaylink.com/
Source: DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmpString found in binary or memory: http://www.displaylink.com/DlPublicSoftwareBannerpublicSoftwareBanner.bmpAI_REQUIRED_WINDOWS_INSTALL
Source: DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.displaylink.com/m
Source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmpString found in binary or memory: http://www.displaylink.com/support/compcheckredirect.php
Source: DLC3A4.exeString found in binary or memory: http://www.google.com
Source: DLC3A4.exe, 00000010.00000002.686271597.000000000B742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
Source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
Source: DLC3A4.exeString found in binary or memory: http://www.yahoo.com
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: https://d.symcb.com/cps0%
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: https://d.symcb.com/rpa0
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: https://d.symcb.com/rpa0.
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: https://www.advancedinstaller.com
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.677390665.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.drString found in binary or memory: https://www.digicert.com/CPS0
Source: Setup.exe, 00000000.00000000.406886096.0000000005536000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.displaylink.com/downloads/windows
Source: Setup.exe, 00000000.00000000.406886096.0000000005536000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.displaylink.com/downloads/windows.
Source: Setup.exe, 00000000.00000000.406886096.0000000005536000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://www.displaylink.com/downloads/windows.x
Source: DLC3A4.exe, 00000010.00000002.678461490.0000000003C48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.thawte.com/cps
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: https://www.thawte.com/cps0/
Source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.drString found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe; File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm.cat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe; File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x64\dl-usbnet-ncm.cat
Source: C:\Users\user\Desktop\Setup.exe; File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dl-usbnet-ncm.cat
Source: C:\Users\user\Desktop\Setup.exe; File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio.cat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe; File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio.cat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe; File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x86\dl-usbnet-ncm.cat
Source: C:\Users\user\Desktop\Setup.exe; File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dl-usbnet-ncm.cat
Source: C:\Users\user\Desktop\Setup.exe; File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlusbaudio.cat
Source: Setup.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Setup.exe; File created: C:\Windows\INF\oem0.PNF
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe; Code function: 16_2_003AC0B9 __EH_prolog3_GS,ShowWindow,ShowWindow,NtdllDefWindowProc_W,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe; Code function: 16_2_00390558 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe; Code function: 16_2_003ACC2E __EH_prolog3,GetWindowDC,NtdllDefWindowProc_W,SetWindowLongW,DeleteDC
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe; Code function: 16_2_00394E43 NtdllDefWindowProc_W
Source: Setup.exe; Static PE information: Resource name: EXE type: PE32 executable (console) Intel 80386, for MS Windows
Source: Setup.exe; Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Setup.exe; Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Setup.exe; Static PE information: Resource name: EXE type: Microsoft Cabinet archive data, 2366 bytes, 3 files
Source: DpInst.exe.4.dr; Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: DpInst.exe0.4.dr; Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: 1033.dll.16.dr; Static PE information: No import functions for PE file found
Source: Setup.exeBinary or memory string: OriginalFilename7z.sfx.exe, vs Setup.exe
Source: Setup.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: additional.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DLC3A4.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DLC3A4.tmp.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe0.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe0.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe0.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe0.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe0.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DisplayLinkCore64.dat.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DisplayLinkCore.dat.4.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1033.dll.16.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeSection loaded: davhlpr.dllole32.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeSection loaded: lpk.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeSection loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio.sys
Source: Setup.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe DLC3A4.exe /exelang 1033 ALLOW64BIT=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{08DDE00A-EEEA-416E-9E61-B9085D542140}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCABA.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC335A.LOG"
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A63054042D1C239EA3B02585E95E450D C
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding A71763BA0B19F12D058A5205CCDD4884 C
Source: C:\Users\user\Desktop\Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\
Source: C:\Users\user\Desktop\Setup.exeProcess created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe DLC3A4.exe /exelang 1033 ALLOW64BIT=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{08DDE00A-EEEA-416E-9E61-B9085D542140}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCABA.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC335A.LOG"
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A63054042D1C239EA3B02585E95E450D C
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding A71763BA0B19F12D058A5205CCDD4884 C
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\DLS07D4.log
Source: classification engineClassification label: clean6.winEXE@11/123@0/0
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile read: C:\Windows\win.ini
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeCode function: 16_2_0041B2EA GetDiskFreeSpaceExW,16_2_0041B2EA
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeCode function: 16_2_003F67C0 FormatMessageW,GetLastError,16_2_003F67C0
Source: C:\Users\user\Desktop\Setup.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DisplayLinkSetupPrevInstanceDetector
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_01
Source: Setup.exeString found in binary or memory: DLUSBAUDIODLCDCNCMDL-USBNET-NCMadditional.exe -y -o x64DLIDUSBx86Windows7Windows8.1W2K8R2W2K12W2K12R2-productionNIVOWindows10DisplayLinkCore.datDisplayLinkCore64.datUSB\VID_17E9&PID_%x,&pid=DisplayLinkDriverSwapServiceSetDefaultDllDirectorieskernel32.dllDLSInstall DisplayLink GraphicsSetupnorebootnoAutomaticUpdateCheckssuppressUpToDateInfosilentstageDriversignoreCompatibilitydisableInstallCompleteNotificationuninstalloverrideOsLimitmupLogFileextractAsDriverArguments: KB2533623 not detected and installer defaulted to using insecure library loading during its execution. See Microsoft security advisory 2269637 and Microsoft update: https://support.microsoft.com/en-us/help/2533623/DisplayLink Setup is already runningPrevious version: Not installedPrevious versionUpdate versionUninstalling software...Uninstallation finished with success: YesExtracting drivers failed.USB driver does not embed Core installer. Unable to stage drivers.Extracting drivers.&productId=http://www.displaylink.com/support/installcomplete.php?version=Restart required for installation to finish.Installation completed successfully.Installation failed. != \VarFileInfo\Translation \StringFileInfo\%04hX%04hX\%s DriverStoreFileRepository\ ProductVersion \sysWOW64nivoco.dllCompanyNameProductNameProvider DriverVer
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeAutomated click: Accept
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeAutomated click: Accept
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeAutomated click: Install
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeAutomated click: Next >
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: Setup.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: Setup.exeStatic file information: File size 79416048 > 1048576
Source: Setup.exeStatic PE information: certificate valid
Source: Setup.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x165600
Source: Setup.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x49eec00
Source: Setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Setup.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Setup.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\CoreInstallerHelper.pdb7 source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ResourceCleaner.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\wrk\tlprj\_ToriLogic\Products\TL-USBNET\_main\bin\Release_660\Win32\tl-usbnet.pdb source: dl-usbnet-ncm.sys.4.dr
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\dlidusb3\dlidusb3.pdbGCTL source: additional.exe, 00000004.00000003.505808440.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\tempFiles.pdb source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.672305509.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.678066911.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\Setup.pdb source: Setup.exe
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\DisplayLinkUsbCo2.pdb source: additional.exe, 00000004.00000003.488606399.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: VDESTnivoco.dllnivoco.pdbnivolib.dlllibusb0.dlldrivers\libusb0.sysnivousb.dlldrivers\nivousbport.sysngadisp.dlldrivers\ngaport.sysnewnhamgadisp.dlldrivers\newnhamgaport.sysnmirror.dlldrivers\nmirror.sysdrivers\nmirrorport.sysnewnhammirrordisp.dlldrivers\newnhammirrorport.sysnmdrv.dlldrivers\nmport.sysibdisp.dlldrivers\ibport.sysnewnhamusb.dllnewnhamusbco.dlldrivers\newnhamusbport.sysDisplayLinkGAdisp.dlldrivers\DisplayLinkGAport.sysDisplayLinkmirrordisp.dlldrivers\DisplayLinkmirrorport.sysdrivers\DisplayLinkUsbPort*.sysdrivers\DisplayLinkUsbIo*.sysdrivers\DisplayLinkFilter.sysdrivers\UMDF\dlidusb.dlldrivers\UMDF\dlidusb2.dlldrivers\UMDF\dlidusb3.dlldlidcore.dlldrivers\dlkmd.sysdrivers\dlkmdldr.sysDisplayLinkusb.dllDisplayLinkUsbCo*.dlldrivers\ebusbus.sysdrivers\ebuswh95.sysdrivers\ebuswhnt.sysdrivers\ebuswh.sysdrivers\dlcdbus.sysdrivers\dlcdwhnt.sysdrivers\dlcdwh.sysdrivers\dlcdcecm.sysdrivers\dlcdcncm*.sysdrivers\dl-usbnet-ncm.sysdrivers\dlusbaudio.sysdrivers\dlusbaudio_x64.sysDLTmmB.dlldlumd9.dlldlumd10.dlldlumd11.dlldrivers\UMDF\ella-dock-release.spkgdrivers\UMDF\ridge-dock-release.spkgdrivers\UMDF\firefly-monitor-release.spkgdrivers\dlxrusbaudio_x64.sysdrivers\DisplayLinkXRUsbIo_x64*.sysDisplayLinkHotDeskServiceDisplayLinkDriverSwapService source: additional.exe, 00000004.00000003.488606399.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\CoreInstallerHelper.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: DpInst.pdbH source: additional.exe, 00000004.00000003.486713848.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, MSI2AF1.tmp.16.dr
Source: Binary string: nivoco.dllnivoco.pdbnivolib.dlllibusb0.dlldrivers\libusb0.sysnivousb.dlldrivers\nivousbport.sysngadisp.dlldrivers\ngaport.sysnewnhamgadisp.dlldrivers\newnhamgaport.sysnmirror.dlldrivers\nmirror.sysdrivers\nmirrorport.sysnewnhammirrordisp.dlldrivers\newnhammirrorport.sysnmdrv.dlldrivers\nmport.sysibdisp.dlldrivers\ibport.sysnewnhamusb.dllnewnhamusbco.dlldrivers\newnhamusbport.sysDisplayLinkGAdisp.dlldrivers\DisplayLinkGAport.sysDisplayLinkmirrordisp.dlldrivers\DisplayLinkmirrorport.sysdrivers\DisplayLinkUsbPort*.sysdrivers\DisplayLinkUsbIo*.sysdrivers\DisplayLinkFilter.sysdlumd32.dlldlumd64.dlldrivers\UMDF\dlidusb.dlldrivers\UMDF\dlidusb2.dlldrivers\UMDF\dlidusb3.dlldlidcore.dlldrivers\dlkmd.sysdrivers\dlkmdldr.sysDisplayLinkusb.dllDisplayLinkUsbCo*.dlldrivers\ebusbus.sysdrivers\ebuswh95.sysdrivers\ebuswhnt.sysdrivers\ebuswh.sysdrivers\dlcdbus.sysdrivers\dlcdwhnt.sysdrivers\dlcdwh.sysdrivers\dlcdcecm.sysdrivers\dlcdcncm*.sysdrivers\dl-usbnet-ncm.sysdrivers\dlusbaudio.sysdrivers\dlusbaudio_x64.sysDLTmmB.dlldlumd9.dlldlumd10.dlldlumd11.dlldrivers\UMDF\ella-dock-release.spkgdrivers\UMDF\ridge-dock-release.spkgdrivers\UMDF\firefly-monitor-release.spkgdrivers\dlxrusbaudio_x64.sysdrivers\DisplayLinkXRUsbIo_x64*.sys != [options]Utility to clean DisplayLink (DL) files, devices & registryCleaner@/ source: DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\Cleaner.pdb source: DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb+ source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbV source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\dlidusb3\dlidusb3.pdb source: additional.exe, 00000004.00000003.505808440.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nivoco.pdbnivolib.dlllibusb0.dlldrivers\libusb0.sysnivousb.dlldrivers\nivousbport.sysngadisp.dlldrivers\ngaport.sysnewnhamgadisp.dlldrivers\newnhamgaport.sysnmirror.dlldrivers\nmirror.sysdrivers\nmirrorport.sysnewnhammirrordisp.dlldrivers\newnhammirrorport.sysnmdrv.dlldrivers\nmport.sysibdisp.dlldrivers\ibport.sysnewnhamusb.dllnewnhamusbco.dlldrivers\newnhamusbport.sysDisplayLinkGAdisp.dlldrivers\DisplayLinkGAport.sysDisplayLinkmirrordisp.dlldrivers\DisplayLinkmirrorport.sysdrivers\DisplayLinkUsbPort*.sysdrivers\DisplayLinkUsbIo*.sysdrivers\DisplayLinkFilter.sysdlumd32.dlldlumd64.dlldrivers\UMDF\dlidusb.dlldrivers\UMDF\dlidusb2.dlldrivers\UMDF\dlidusb3.dlldlidcore.dlldrivers\dlkmd.sysdrivers\dlkmdldr.sysDisplayLinkusb.dllDisplayLinkUsbCo*.dlldrivers\ebusbus.sysdrivers\ebuswh95.sysdrivers\ebuswhnt.sysdrivers\ebuswh.sysdrivers\dlcdbus.sysdrivers\dlcdwhnt.sysdrivers\dlcdwh.sysdrivers\dlcdcecm.sysdrivers\dlcdcncm*.sysdrivers\dl-usbnet-ncm.sysdrivers\dlusbaudio.sysdrivers\dlusbaudio_x64.sysDLTmmB.dlldlumd9.dlldlumd10.dlldlumd11.dlldrivers\UMDF\ella-dock-release.spkgdrivers\UMDF\ridge-dock-release.spkgdrivers\UMDF\firefly-monitor-release.spkgdrivers\dlxrusbaudio_x64.sysdrivers\DisplayLinkXRUsbIo_x64*.sysDisplayLinkServiceDisplayLinkHotDeskServicedlcdbus*dlcdbus.inf \ProgramData\DisplayLink\Windows\Temp\DisplayLinkDisplayLink Graphics CLSID\{9F550240-0FCA-443D-B5E9-23ACB47F62E2}SOFTWARE\Classes\CLSID\{9F550240-0FCA-443D-B5E9-23ACB47F62E2}Software\DisplayLink\FirmwareBranding Software\DisplayLink Persistent Settings
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: Setup.exe, 00000000.00000000.394336162.0000000003398000.00000002.00000001.01000000.00000003.sdmp, Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, DLC3A4.exe, 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp, DLC3A4.exe, 00000010.00000000.575990996.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: DpInst.pdb source: additional.exe, 00000004.00000003.486713848.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Dnivoco.pdbnivolib.dlllibusb0.dlldrivers\libusb0.sysnivousb.dlldrivers\nivousbport.sysngadisp.dlldrivers\ngaport.sysnewnhamgadisp.dlldrivers\newnhamgaport.sysnmirror.dlldrivers\nmirror.sysdrivers\nmirrorport.sysnewnhammirrordisp.dlldrivers\newnhammirrorport.sysnmdrv.dlldrivers\nmport.sysibdisp.dlldrivers\ibport.sysnewnhamusb.dllnewnhamusbco.dlldrivers\newnhamusbport.sysDisplayLinkGAdisp.dlldrivers\DisplayLinkGAport.sysDisplayLinkmirrordisp.dlldrivers\DisplayLinkmirrorport.sysdrivers\DisplayLinkUsbPort*.sysdrivers\DisplayLinkUsbIo*.sysdrivers\DisplayLinkFilter.sysdlumd32.dlldlumd64.dlldrivers\UMDF\dlidusb.dlldrivers\UMDF\dlidusb2.dlldrivers\UMDF\dlidusb3.dlldlidcore.dlldrivers\dlkmd.sysdrivers\dlkmdldr.sysDisplayLinkusb.dllDisplayLinkUsbCo*.dlldrivers\ebusbus.sysdrivers\ebuswh95.sysdrivers\ebuswhnt.sysdrivers\ebuswh.sysdrivers\dlcdbus.sysdrivers\dlcdwhnt.sysdrivers\dlcdwh.sysdrivers\dlcdcecm.sysdrivers\dlcdcncm*.sysdrivers\dl-usbnet-ncm.sysdrivers\dlusbaudio.sysdrivers\dlusbaudio_x64.sysDLTmmB.dlldlumd9.dlldlumd10.dlldlumd11.dlldrivers\UMDF\ella-dock-release.spkgdrivers\UMDF\ridge-dock-release.spkgdrivers\UMDF\firefly-monitor-release.spkgdrivers\dlxrusbaudio_x64.sysdrivers\DisplayLinkXRUsbIo_x64*.sysDisplayLinkServiceDisplayLinkHotDeskServicedlcdbus*dlcdbus.inf \ProgramData\DisplayLink\Windows\Temp\DisplayLinkDisplayLink Graphics CLSID\{9F550240-0FCA-443D-B5E9-23ACB47F62E2}SOFTWARE\Classes\CLSID\{9F550240-0FCA-443D-B5E9-23ACB47F62E2}Software\DisplayLink\FirmwareBranding Software\DisplayLink Persistent Settings
Source: Setup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Setup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Setup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Setup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Setup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeCode function: 4_2_004182C0 push eax; ret 4_2_004182DE
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeCode function: 16_2_003D0713 push ecx; mov dword ptr [esp], 3F800000h16_2_003D077B
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeCode function: 16_2_00388AD8 push ecx; mov dword ptr [esp], ecx16_2_00388ADA
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeCode function: 16_2_00388AD8 push ecx; mov dword ptr [esp], ecx16_2_00388B52
Source: DisplayLinkUsbCo64.dll.4.drStatic PE information: section name: _RDATA
Source: dlidusb.dll.4.drStatic PE information: section name: .didat
Source: dlidusb.dll.4.drStatic PE information: section name: _RDATA
Source: dlidusb2.dll.4.drStatic PE information: section name: .didat
Source: dlidusb2.dll.4.drStatic PE information: section name: _RDATA
Source: dlidusb3.dll.4.drStatic PE information: section name: .didat
Source: dlidusb3.dll.4.drStatic PE information: section name: _RDATA
Source: dlidusb.dll0.4.drStatic PE information: section name: .didat
Source: dlidusb2.dll0.4.drStatic PE information: section name: .didat
Source: dlidusb3.dll0.4.drStatic PE information: section name: .didat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeCode function: 16_2_003F68D0 LoadLibraryW,GetProcAddress,FreeLibrary,16_2_003F68D0
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\tempFiles.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm62_x64.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\lzmaextractor.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb2.dllJump to dropped file
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbIo_x64.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb3.dllJump to dropped file
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlusbaudio.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\Prereq.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2DB2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x86\dl-usbnet-ncm.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2C59.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkCore.datJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb3.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x64\dl-usbnet-ncm.sysJump to dropped file
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio_x64.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\MSI4D75.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\FileOperations.dllJump to dropped file
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dl-usbnet-ncm.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\MSI28CD.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\PowerShellScriptLauncher.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DPINST32\DpInst.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm62.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\MSI345A.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2707.tmpJump to dropped file
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dl-usbnet-ncm.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\MSI23B9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2AF1.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkCore64.datJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\{312AEE13-2735-4088-B726-C3CA64D81215}\1033.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeFile created: C:\Users\user\AppData\Local\Temp\MSI257F.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbIo.sysJump to dropped file
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlusbaudio_x64.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb2.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\aicustact.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbCo64.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI4A86.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb.dll
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI206C.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI414C.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI38DF.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DPINST64\DpInst.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\{312AEE13-2735-4088-B726-C3CA64D81215}\decoder.dll
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\cl_6709.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\shi1E77.tmp
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI4852.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbCo2.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI98D7.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI345A.tmp
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dl-usbnet-ncm.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\tempFiles.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm62_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\lzmaextractor.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb2.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2AF1.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkCore64.dat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI257F.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{312AEE13-2735-4088-B726-C3CA64D81215}\1033.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbIo_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb3.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbIo.sys
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlusbaudio_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb2.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\aicustact.dll
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlusbaudio.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\Prereq.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbCo64.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4A86.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb.dll
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x86\dl-usbnet-ncm.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C59.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkCore.dat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI38DF.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb3.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DPINST64\DpInst.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x64\dl-usbnet-ncm.sys
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\FileOperations.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4D75.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio_x64.sys
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cl_6709.exe
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dl-usbnet-ncm.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\PowerShellScriptLauncher.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi1E77.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DPINST32\DpInst.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4852.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm62.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbCo2.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Memory allocated: 71A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003DAE83 __EH_prolog3_GS,GetProcAddress,GetCurrentProcess,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,16_2_003DAE83
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Code function: 4_2_00406FF9 __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,4_2_00406FF9
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00414085 FindFirstFileW,FindClose,CloseHandle,CloseHandle,16_2_00414085
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003FA310 FindFirstFileW,GetLastError,FindClose,16_2_003FA310
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00414B3A FindFirstFileW,FindClose,16_2_00414B3A
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_004083C7 __EH_prolog3_GS,FindFirstFileW,FindClose,16_2_004083C7
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041C5A8 FindFirstFileW,FindClose,16_2_0041C5A8
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041A78C __EH_prolog3_GS,_wcslen,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,16_2_0041A78C
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0042697F FindFirstFileW,FindNextFileW,_wcsrchr,_wcsrchr,_wcsrchr,FindNextFileW,FindClose,FindClose,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,16_2_0042697F
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041AA08 __EH_prolog3_GS,FindFirstFileW,FindClose,16_2_0041AA08
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File Volume queried: C:\Users\user\AppData\Local\Temp\{312AEE13-2735-4088-B726-C3CA64D81215} FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File Volume queried: C:\Users\user\AppData\Local\Temp\{312AEE13-2735-4088-B726-C3CA64D81215}\4D81215 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: DLC3A4.exe, 00000010.00000003.672155660.0000000003BA7000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.678169218.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.Q
Source: DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ERSAuthenticated UsersAUGRP_EVERYONEEveryoneWDUSR_ANONYMOUSAnonymousANUSR_NETWORK_SERVICENetwork ServiceNSGRP_ACCOUNT_OPSAccount OperatorsAOGRP_SERVER_OPSServer OperatorsSOGRP_PRINT_OPSPrint OperatorsPOGRP_BACKUP_OPSBackup OperatorsBOGRP_CRYPTO_OPSCryptographic OperatorsCYGRP_IIS_USERSIIS_IUSRSISGRP_ADMINISTRATORSAdministratorsGRP_USERSUsersGRP_GUESTSGuestsGRP_POWER_USERSPower UsersGRP_REPLICATORReplicatorGRP_RAS_SERVERSRAS and IAS ServersGRP_PREW2KCOMPACCESSPre-Windows 2000 Compatible AccessGRP_REMOTE_DESKTOP_USERSRemote Desktop UsersGRP_NETWORK_CONFIGURATION_OPSNetwork Configuration OperatorsGRP_RID_INCOMING_FOREST_TRUST_BUILDERSIncoming Forest Trust BuildersGRP_MONITORING_USERSPerformance Monitor UsersGRP_LOGGING_USERSPerformance Log UsersGRP_DCOM_USERSDistributed COM UsersGRP_EVENT_LOG_READERSEvent Log ReadersGRP_TS_LICENSE_SERVERSTerminal Server License ServersGRP_AUTHORIZATION_ACCESSWindows Authorization Access GroupGRP_CERTSVC_DCOM_ACCESSCertificate Service DCOM AccessGRP_HYPER_V_ADMINISTRATORSHyper-V AdministratorsS-1-5-32-578GRP_ACCESS_CONTROL_ASSISTANCE_OPSAccess Control Assistance OperatorsS-1-5-32-579GRP_REMOTE_MANAGEMENT_USERSRemote Management UsersS-1-5-32-580GRP_SYSTEM_MANAGED_ACCOUNTSSystem Managed Accounts GroupS-1-5-32-581Getting localized credentials and storing them in properties...LookupUserGroupFromRid failedLookupUserGroupFromRidSDDL failedLookupAliasFromRid failedLookupUserGroupFromSid failedLookupAliasFromRid:Target empty, so account name translation begins on the local system.LookupAccountSidW returned AllocateAndInitializeSid failed and returned LookupUserGroupFromRidSDDL:ConvertStringSidToSid successful!ConvertStringSidToSid failed!Freeing sid..Freeing sid done.LookupUserGroupFromRid:NetUserModalsGet will use empty target computer name.NetUserModalsGet failed with:subAuthorityCount:Initialized Sid 
successfullyCopying subauthorities...Copying subauthorities done.Appending Rid to new Sid...Appending Rid to new Sid done.resolving for SID: Failed to allocate memory for pSid.Freeing buffers..Buffers freed.LookupUserGroupFromSid:ConvertStringSidToSid succeeded!Freeing sid...Closing window AI_CLOSEAPP_WINDOW_FLAGSProcess32FirstWProcess32NextWCreateToolhelp32SnapshotStoppedAI_PROCESS_STATERunningkernel32.dllAI_SERVICE_STATEStartedNot FoundAI_SERVICES_LISTServicesActiveAI_LOGON_AS_SERVICE_ACCOUNTSResolveServicePropertiesResolveServiceProperties start.ResolveServiceProperties end.AI_SetLogOnAsServiceaction starting ...Get the user accounts list ...CustomActionData: LSA open policy return code: SeServiceLogonRightSetting <Log on as a service> policy ...Getting user account SID ...User: lookup account name error: user NOT found!SID value: SID type: Setting security policy for this account ...LSA add account rights return code: LSA close policy ...action completed.AiStyleConditionsOriginalDatabaseAI_DISABLED_FEATURESSELECT `Cabinet` FROM `Media` WHERE `Media`.`Cabinet`='SELECT * FROM `Condition` WHERE `Condition`.`Feature_`='' .cab
Source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp Binary or memory string: DL.Compatibility.InstallationInsideVirtualMachine
Source: Setup.exe Binary or memory string: VmCI"
Source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp Binary or memory string: SoftwareIsNotRunningInsideParallelsVirtualMachine
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00460A1C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00460A1C
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003F68D0 LoadLibraryW,GetProcAddress,FreeLibrary,16_2_003F68D0
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00457EAE GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,16_2_00457EAE
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003A0287 __set_se_translator,SetUnhandledExceptionFilter,16_2_003A0287
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe DLC3A4.exe /exelang 1033 ALLOW64BIT=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{08DDE00A-EEEA-416E-9E61-B9085D542140}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCABA.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC335A.LOG"
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\dialogBackgroundGray.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\dialogBackground.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\publicSoftwareBanner.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\radioDoing.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\dialogBackgroundGray.bmp VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\dialogBackground.bmp VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\dlImageButton.bmp VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\publicSoftwareBanner.bmp VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW,16_2_004740B6
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: EnumSystemLocalesW,16_2_0047415F
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: EnumSystemLocalesW,16_2_004741AA
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: EnumSystemLocalesW,16_2_00474245
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,16_2_004742D2
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW,16_2_004702A4
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW,16_2_00474522
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,16_2_0047464B
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW,16_2_00474752
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,16_2_0047481F
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0045AB63 cpuid 16_2_0045AB63
Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00423C28 __EH_prolog3,CreateNamedPipeW,CreateFileW,16_2_00423C28
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0047030E GetSystemTimeAsFileTime,16_2_0047030E
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Code function: 4_2_00403F64 __EH_prolog,GetVersionExA,4_2_00403F64
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
1 Replication Through Removable Media | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Windows Service | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | 1 Replication Through Removable Media | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Native API | 1 DLL Side-Loading | 2 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 2 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 11 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | 37 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
[Behavior graph, ID 612091. Sample: Setup.exe. Start date: 20/04/2022. Architecture: WINDOWS. Score: 6. Process relationships recovered from the graph:]

  • Setup.exe: started DLC3A4.exe and additional.exe; dropped additional.exe (PE32), dlusbaudio_x64.sys (PE32+), dlusbaudio.sys (PE32) and 6 other files (none is malicious)
  • DLC3A4.exe: dropped decoder.dll (PE32), 1033.dll (PE32), shi1E77.tmp (PE32+) and 21 other files (none is malicious)
  • additional.exe: started conhost.exe; dropped DisplayLinkUsbIo_x64.sys (PE32+), DisplayLinkUsbIo.sys (PE32), DisplayLinkUsbCo64.dll (PE32+) and 17 other files (none is malicious)
  • msiexec.exe: started two msiexec.exe child processes, one of which dropped cl_6709.exe (PE32+)

Source | Detection | Scanner | Label
Setup.exe | 0% | Virustotal |
Setup.exe | 0% | Metadefender |
Setup.exe | 0% | ReversingLabs |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\FileOperations.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\FileOperations.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\PowerShellScriptLauncher.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\PowerShellScriptLauncher.dll | 4% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\Prereq.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\Prereq.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\Prereq.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\aicustact.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\aicustact.dll | 4% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\lzmaextractor.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\tempFiles.dll | 4% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x64\dl-usbnet-ncm.sys | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x86\dl-usbnet-ncm.sys | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm62.sys | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm62_x64.sys | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dl-usbnet-ncm.sys | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.typography.netD | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.typography.netD | DLC3A4.exe, 00000010.00000002.686271597.000000000B742000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.displaylink.com/support/compcheckredirect.php | DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp | false | | high
https://www.thawte.com/cps | DLC3A4.exe, 00000010.00000002.678461490.0000000003C48000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.displaylink.com/ | DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.597504194.0000000004E29000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr | false | | high
https://www.thawte.com/cps0/ | DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.dr | false | | high
https://www.displaylink.com/downloads/windows. | Setup.exe, 00000000.00000000.406886096.0000000005536000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://www.thawte.com/repository0W | DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.dr | false | | high
https://www.displaylink.com/downloads/windows | Setup.exe, 00000000.00000000.406886096.0000000005536000.00000002.00000001.01000000.00000003.sdmp | false | | high
http://www.displaylink.com/m | DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.displaylink.com/downloads/windows.x | Setup.exe, 00000000.00000000.406886096.0000000005536000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://www.advancedinstaller.com | DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, Prereq.dll.16.dr, MSI2AF1.tmp.16.dr | false | | high
http://www.google.com | DLC3A4.exe | false | | high
http://www.winimage.com/zLibDll | DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp | false | | high
http://www.yahoo.com | DLC3A4.exe | false | | high
http://www.displaylink.com/DlPublicSoftwareBannerpublicSoftwareBanner.bmpAI_REQUIRED_WINDOWS_INSTALL | DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp | false | | high
No contacted IP infos
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 612091
Start date and time: 20/04/2022 15:02:27 (2022-04-20 15:02:27 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 43s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Setup.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean6.winEXE@11/123@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 100% (good quality ratio 86.3%)
• Quality average: 74.1%
• Quality standard deviation: 36.2%
HCA Information:
• Successful, ratio: 68%
• Number of executed functions: 186
• Number of non-executed functions: 185
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\aicustact.dll | SpeedVPN.exe | malicious
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1251, Title: Installation Database, Subject: DisplayLink Graphics, Author: DisplayLink Corp., Keywords: Installer, MSI, Database, Comments: Installs DisplayLink Graphics., Create Time/Date: Fri Dec 11 11:47:46 2009, Name of Creating Application: Advanced Installer 15.1 build 1ac8a36b05, Security: 0, Template: x64;2057, Last Saved By: x64;1049, Revision Number: {312AEE13-2735-4088-B726-C3CA64D81215}10.2.6709.0;{3B719D3D-BF94-4CEF-80B9-2C1E4AEDE0AC}10.2.6709.0;{0AECE230-D5D2-4880-B3ED-F23905ED66A9}, Number of Pages: 200, Number of Characters: 63
                                Category:dropped
                                Size (bytes):11059712
                                Entropy (8bit):6.312531141034297
                                Encrypted:false
                                SSDEEP:98304:jBYdAUiyotueafWwy+aC27fafuzfPu8Jsd1wfgvzZQVDLDTqg2qPl:QiyQbKuLCMamfPuSIWzDTq0N
                                MD5:1F943593CE82AE5015B1AA7254202DA8
                                SHA1:C59C4C2781DD11CE69459703FDBE794F3E3B3C82
                                SHA-256:5F8F40150ED161AEDE0C05591816661F5A569E69D74DBB089D8991A43161C929
                                SHA-512:243A941D03DA2ABAEF36B935D5A409A9741733988A2FAC39E5AF5C26F0C9ED5F50096D2BC554A638CFF9D74E4D7D8B04925969FC77DC30922BEB47847F06B9E5
                                Malicious:false
                                Reputation:low
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):371360
                                Entropy (8bit):6.68622089601704
                                Encrypted:false
                                SSDEEP:6144:HSa5HhE9T0zNENm2eK7mnoUSgpAY8ODcDcm7cIsAjcPze3+kLTl505xxgAO3WTBV:HSwHhEGzic7e3D/7QxgRWTUuRIlnOJz
                                MD5:D577449D0123146B10AC47ED30292683
                                SHA1:5F0C786773156044029FA13CF1E8ED7D5036B7DB
                                SHA-256:B7448C7A742619555FFACB998C36F9CEAE17E7A6BB3348A02F6C433B901365E6
                                SHA-512:AFA99C4F43BC7FE8BBE1FBD02016D275E8AEAF905E2779DCB0AA0033FDF280BBB426F08946A60A8DA5BD79A35E221E638499F0355308D95EC036B43CD3EA1B67
                                Malicious:false
                                Antivirus:
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:low
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
                                Category:dropped
                                Size (bytes):318
                                Entropy (8bit):2.034441580055181
                                Encrypted:false
                                SSDEEP:3:PFErXllvlNl/AXll/lFl/Ft/HtAiotuZt/nZllBe+llBe+llBe+llBe+llBe+lll:k9ij1BjjjjjTtXGuwtOZBl
                                MD5:C23CBF002D82192481B61ED7EC0890F4
                                SHA1:DD373901C73760CA36907FF04691F5504FF00ABE
                                SHA-256:4F92E804A11453382EBFF7FB0958879BAE88FE3366306911DEC9D811CD306EED
                                SHA-512:5CC5AD0AE9F8808DEA013881E1661824BE94FB89736C3CB31221E85BE1F3A408D6E5951ACCD40EE34B3BAF76D8E9DD8820D61A26345C00CDDC0A884375EE1185
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):418976
                                Entropy (8bit):6.664247191007649
                                Encrypted:false
                                SSDEEP:6144:wNbyiRFi7BpCGB8gdENm2eK7mnoUSgpAY8ODcDcm7cIs34Cx0Wlx/33F85vWBk/i:qbx+WHGptlx/Wkq4mo4XVO5
                                MD5:E619F450ADAEE3D6638A8632C0A97C2D
                                SHA1:20CEB30A8B29F39A075806CA545083B86F097E9E
                                SHA-256:C4C766DB32D317C8B748F798D2B62CAE9E85788EDCBF7915D55CDD31F61C3F64
                                SHA-512:2B30CB2783598E1DB6A493E48256FBD2D7F01ED616DE456BF86C8D1DB140C11EA1580789AC3CD71839E7F6A531B991FA33302A1967275C61EC60AC6FF05C8517
                                Malicious:false
                                Antivirus:
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                • Antivirus: ReversingLabs, Detection: 4%
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):390816
                                Entropy (8bit):6.56762007556992
                                Encrypted:false
                                SSDEEP:6144:uvoAMQlYVsYxMrPFzq7k7/Si13YiucVvAO+u6DRU9A1Fk:uvjlYaVrWK3Yxc8FRkAI
                                MD5:23879268CA004A18964791AAD5441038
                                SHA1:779672ADC8B28B58F761E18B91A209104342A24A
                                SHA-256:A2EC308DA594B832262AC45DECD462842FC4929D20FC2C158405605AD53B9A1A
                                SHA-512:80B6FE319C955544944DD4BC4D64417C5A3E0A7EE6F37FD168E41EE350F29192FAADED5452B77273A89B75F4D14BCD7D75ACA542B0EFD40F59201192837D8338
                                Malicious:false
                                Antivirus:
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                • Antivirus: Metadefender, Detection: 0%, Browse
                                • Antivirus: ReversingLabs, Detection: 3%
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
                                Category:dropped
                                Size (bytes):318
                                Entropy (8bit):2.0369361465218003
                                Encrypted:false
                                SSDEEP:3:PFErXllvlNl/AXll/lFl/Ft/HtAiotuZt/nreBB+eKemhlRhmeemfB+ll5evZ/Xy:k9ij1KBBhK9jwmfBuiKaq5n
                                MD5:83730AC00391FB0F02F56FE2E4207A10
                                SHA1:139FED8F0216132450E66BDA0FBBDC2A5BD333AF
                                SHA-256:573E3260EED63604F24F6F10CE5294E25E22FDA9E5BFD9010134DE6E684BAB98
                                SHA-512:E3DBE1956BB743FD68319517D1D993DDA316C12BBBBBBD6F582ECDD60C4FDE24CC4814C7AB36ED571F720349931EAC10B03E9C911BA0F4309B10604B2C56C6A9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):265888
                                Entropy (8bit):6.57911361618338
                                Encrypted:false
                                SSDEEP:6144:PI9YEsyXz4ZnwQVx/QjrYAOX1RrEqFqQO:PvEsy0ZwQH4jkNjqv
                                MD5:6B2590DF5E5C28C0765161EA334108A5
                                SHA1:A7CA20E24B212B0BDB56DD9C692D3FCD946CA803
                                SHA-256:6DD214389728CA6D66E2A2DAF23A700060C0389447EABCBA8BE3157D2BDBFDB7
                                SHA-512:7D1126487395D9F44F0942D1CD465BAC0348841F76723B0C28C8B3D95F3B21EE7906533A5D2C37B185D734FF0416362EE37ECB6FC9A1329DB451CC32D0BC30EE
                                Malicious:false
                                Antivirus:
                                • Antivirus: Metadefender, Detection: 0%, Browse
                                • Antivirus: ReversingLabs, Detection: 4%
                                Joe Sandbox View:
                                • Filename: SpeedVPN.exe, Detection: malicious, Browse
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PC bitmap, Windows 3.x format, 500 x 59 x 8
                                Category:dropped
                                Size (bytes):2372
                                Entropy (8bit):2.6114732592489567
                                Encrypted:false
                                SSDEEP:24:Rgf4BBBBP////F7I8+iN1svE0bRw1FBdJ2DMaij/T///HkBBB+:RgQBBBBb18VeyDUcBBB+
                                MD5:DAF14D3480C7AA73A53415FF483B10A1
                                SHA1:DB240A22410AC7536F5C833CA98322CCA4180C3D
                                SHA-256:0D2715E6689EA0CCCC6CDFAD328DAB66F61DF466FBBAF043CEF2D05F9AD420C4
                                SHA-512:7741A04025317179EAF14F7843F313F0E8922FD219C1D45DB91E65E58229A1C948FB12120806507162D064B03DD4A45A8380210545A8A61910E622F0B3C736C7
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                Category:dropped
                                Size (bytes):2862
                                Entropy (8bit):3.160430651939096
                                Encrypted:false
                                SSDEEP:48:QFFZ+f+zd+kHeNTM9/+Xz++++++++YWWS0i6I:QFFEw4Xc+D++++++++ypi9
                                MD5:983358CE03817F1CA404BEFBE1E4D96A
                                SHA1:75CE6CE80606BBB052DD35351ED95435892BAF8D
                                SHA-256:7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
                                SHA-512:BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                Category:dropped
                                Size (bytes):2998
                                Entropy (8bit):4.359062242965858
                                Encrypted:false
                                SSDEEP:48:fHJQSoGaffiary58nP0pB/ewjcYzrd67jQHazxAySvbyQfil:PJFL4dOQGJ6nQ6dSvGQo
                                MD5:45B0E074F96A859ADAE198187AB9FA11
                                SHA1:AB89AD71FC239D10C71476E42CDB66B080D75BED
                                SHA-256:050282E679AC80F6A357FFF92F1E7A95D30A06B35247E25CBFD2DD8CEEE1A412
                                SHA-512:5B0A2ABAED2E285E8F0D25148C03A05F090FF8FB69D9A178DA21B779427ED138AB16876163500D266123B036C23F3AC56DCDE8D4D103B37102B4FC46A2B04520
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                Category:dropped
                                Size (bytes):2998
                                Entropy (8bit):4.298568796986908
                                Encrypted:false
                                SSDEEP:48:fH9LkioGaffiary58nP0pB/ewjcYzrd67jQHazAQnny1ykbjy0fiV:P9LFL4NOQGJ6nQ6sP1ykbu0I
                                MD5:3EAEBDADE778394F06B29659C9C01ED7
                                SHA1:3E2A80761C8A44E509C4E06D275BFB25E704DDB0
                                SHA-256:719E644C31D0CC6B891F6A1253655DFBA39A3B78E06D24817BE1D8492B172B48
                                SHA-512:14628B5C737045B9916AF5F3ECC9343EF6349C9988F45D1E93846CD79FD38A20F9E7922EC2E6A846CCF14F02AAC84E518279548E8BC9B29AAA3EE553D7A74F59
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PC bitmap, Windows 3.x format, 500 x 316 x 8
                                Category:dropped
                                Size (bytes):36904
                                Entropy (8bit):1.6592122603583341
                                Encrypted:false
                                SSDEEP:96:ZFgstvLTJ/lJzh7nVnnWpinnJ7FNng6H6ityl6Tk:3gstjTJddWpi7vndHDLTk
                                MD5:ABF1076064505DEE794FA7AED67252B8
                                SHA1:358D4E501BB3007FEECE82A4039CC1050F23FAB4
                                SHA-256:FB0D133F05DE6AA6A7A3491AE532191A60C438B35D9FF7BFEC9E63131F6F0C73
                                SHA-512:9A4680A8D186C1D7550B5E03CBDD095B0C88B2E0249A3AF75FA0253D2C9A6F0AA1DD570ECF1A273683A14E6C7B5FB11678BE3DA439A3BF23EAB790372E96E321
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PC bitmap, Windows 3.x format, 10 x 10 x 24
                                Category:dropped
                                Size (bytes):374
                                Entropy (8bit):1.0090244268172435
                                Encrypted:false
                                SSDEEP:6:2lfkLLARaLARaLARaLARaLARaLARaLARaLARaLARaLl:qAVVVVVVVVR
                                MD5:3200BCB62A21A451EF63623CCE0C2B29
                                SHA1:02AC159F40618D9FE96FB5B1F8E7675805F1CCD8
                                SHA-256:0E63FCA0804774EA90B96C096EA9678DEB3DD0B864EFD3B57659B447FE890C05
                                SHA-512:68589D3672412C99C54984A25A7B4DC16789361ECD03F9644C2E1C00BA5F2B68A73B67A002EF3A5AC71BCC00945DFBB1F56C319B98CACCF10EF0E8B8F1F163F0
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PC bitmap, Windows 3.x format, 10 x 10 x 24
                                Category:dropped
                                Size (bytes):374
                                Entropy (8bit):1.7456253632245882
                                Encrypted:false
                                SSDEEP:6:2lfkOp2222222dIp2222222dIp2222222dIp2222222dIp2222222dIp2222222f:qEFFFFFFFFFl
                                MD5:2068072848BB0F9AEE0C0C53755A86E0
                                SHA1:0741B94EFD729AB0E71C4B5613D9856D9425B93F
                                SHA-256:0DD79BDE0B2D581E1BCC10F40A5D09BF2A833FFF25A05CC92150AEB4B11F42B7
                                SHA-512:A210BF3DDCD3A795091EA1AE01C461F249AB1642E46F16D7BA094F5F106B900BA2037CECE6CF4E8159F34A8F6B6CE1094FDFF781AEC1C05ADE8E89420DC7957C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PC bitmap, Windows 3.x format, 1176 x 46 x 24
                                Category:dropped
                                Size (bytes):162342
                                Entropy (8bit):1.9726207922214154
                                Encrypted:false
                                SSDEEP:3:AlllLhDlsl9/lGjlv1111111111111111111111111111111111111111111111N:SylfGjH
                                MD5:7D2A780A05F478EF4044C7AAB4EEBD42
                                SHA1:BAB3342FD98115ABDD035E63982DC4DFD98DFD82
                                SHA-256:DED57492AB39F46D51C9009BC65B8B4E3554DC27285BAAB60E0B9FC079505FE1
                                SHA-512:9D548B3307F3D6439B178F9CA81014FF2044611AB67AAE189AA6E01229914D949A427BEE7EB4A778DE6217955E8566EB38D54EAF298A2851E22A1BFFB603F92A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PNG image data, 121 x 16, 8-bit/color RGBA, non-interlaced
                                Category:dropped
                                Size (bytes):243
                                Entropy (8bit):6.214905302136987
                                Encrypted:false
                                SSDEEP:6:6v/lhPK4nMRFjhm+jnDsplRFC5ez7tExuDiHRj8IuhDp:6v/7i4nMIlzaxjRQNht
                                MD5:76027E9C26C1097039E21726D822A12F
                                SHA1:D5B4135A211E02BD52EC7F640CD796F97F62F077
                                SHA-256:7DA30EFB432B8D156BC06E0834F0E4A9FFA90A858A91F6D62E4AED6E497ACDD6
                                SHA-512:FDACF15B470406C177BD234F70EA7EFCB8CD61A230F6D40766E6E4BDD11D8F6A66A797560CDE6CD2745F0C3C4D20E6AC93356F2FC744620C309EFA5C03C34383
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:MS Windows icon resource - 1 icon, 32x32, 16 colors
                                Category:dropped
                                Size (bytes):766
                                Entropy (8bit):3.3484862648999827
                                Encrypted:false
                                SSDEEP:12:IX9VJL3hr4hZ7BUfBnsRhR0lsihSitWNmwAn8S:ItnVrsjUJsRhGlYitWNmqS
                                MD5:3DBA38E7A6085876E79F162F9985618C
                                SHA1:F89B4B20EB5379BA139BBED4FCB4246C7707A8A8
                                SHA-256:593F94EF1405422B3E453F4422B22C990D84303668D60344C6FD257318E92428
                                SHA-512:E8F1EAC1A9009C06DDD1CF99F876819B57B4D2798D02F93465487DD2FFFE3A4239F171FFB02D98DCA358BC47420205A2CC0877ABC02C6B21269C3D07EC78A836
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors
                                Category:dropped
                                Size (bytes):1078
                                Entropy (8bit):2.8642269548572474
                                Encrypted:false
                                SSDEEP:12:hEipI3VFpSyZ9I7imddddGDxxOxzma3ZmRgRtqVtipMLXwHqfM:hEigFpTz1xA6aJmRgwi6LgHcM
                                MD5:554FF4C199562515D758C9ABFF5C2943
                                SHA1:9E3BAB3A975E638EAD9E03731AE82FA1DBCD178C
                                SHA-256:9AE4A96BF2A349667E844ACC1E2AC4F89361A6182268438F4D063DF3A6FC47BC
                                SHA-512:E302EDF3DAB3A0E9EEB5AFA34E4910EE177099C017B42F86847CF972143C87E8C40BC47689A3C8845051EAB98258A392CCAF331F414C271A1B6B751F503CE221
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                Category:dropped
                                Size (bytes):2998
                                Entropy (8bit):4.4065352120502395
                                Encrypted:false
                                SSDEEP:48:xS9gal8+Lry58nP0pB/ewjcYzrd67YQvaH8UyuZVyX:E9Zl8UOQGJ60Qyc7uZMX
                                MD5:66C842AF0B4FC1C918F531D2E1087B82
                                SHA1:CEB74A196559DB607824FDDC51D1243E1DEE491C
                                SHA-256:48278165490487EE414BE65E20501B19A65EDAF1B6F473EB7D8C55023175EC88
                                SHA-512:F7DE9BA9107DBB6C71B4F585EA54B571F469CF2815A3AB0DB2A408BA3ED794A5F0C21A987CBF5AE93197B7E5B6BFE3E78A75C2B56B5BA836C236B31563A7C560
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):12960
                                Entropy (8bit):6.4556873449184895
                                Encrypted:false
                                SSDEEP:192:rTZlFHe2aR7qFnVIa3qMwH0JOqNG8Fp28Wh8nhV:rdferRet3T5JNNzFwhhin
                                MD5:88CCDD0A39258E3301B6F67B9F450487
                                SHA1:6CF049B7731AF3B204FFA6B84CF2C35AC631F8E5
                                SHA-256:F5971E11699024E5BBCF05FEE4C32ECFED394A34010E49A1737ACEE05A6611D5
                                SHA-512:A5A1AA8BB28B34ED0B1CA558625ED0925006EB171B39C82B4A0D648DFEB428D45C2B3320EE476BF4C0FE1B1B94BB17E9A9C784EE80ACCBE9CA95D0302A3B26CA
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 3%
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PC bitmap, Windows 3.x format, 2000 x 180 x 24
                                Category:dropped
                                Size (bytes):1080054
                                Entropy (8bit):0.8657325879428006
                                Encrypted:false
                                SSDEEP:1536:T0f5LKeE7qGlxEjdGyBc43KpMvAZFrk6yHPrt0IKE/RWpBMIt:CsyfKySLL
                                MD5:FCC599B9CC44A38DBC6F1635461AB647
                                SHA1:D488EF3795A29B3F0998B06C949276DB92D5BF3B
                                SHA-256:83C9326DE5A0B3F34524D57985C9624741B387B6417FCCFC1EC8FA51645004B4
                                SHA-512:B6D643B6469C130722CE2FF37002F6F02B51B61FEB08FD057579FBAFB951DC2EE2EE69C2D6854029E51A41715CD08967B5D9D018067EAB3657221C5A14BAC15E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PC bitmap, Windows 3.x format, 115 x 115 x 24
                                Category:dropped
                                Size (bytes):40074
                                Entropy (8bit):1.434815195894921
                                Encrypted:false
                                SSDEEP:48:Tlib4A4t8lJAD9QDcVjC/JN3wvY9nF+F+gc6ZNTnewiIpA8AhM8RrHUfOuTQe8Hz:NN5hPjCn0akQgccNTnewUXyXzTGOE
                                MD5:673F64A2575B5CD12A940117B1840EFA
                                SHA1:8E4AC98E120CD96C675FA6E14D1CE47E7FE93CD8
                                SHA-256:3596760E94D6A751DC03BF528DFF5E2852E17B38BBC95CFBA6699BC8D2F557CA
                                SHA-512:F6EC6F075FEC9E6B4E93B42301E8DB075685E97B8514E2664BA5FE862CFFC77B70FC5A2C69E2DF3341496F0E975E8B5509A0F5AA5B4A7766AD01A18864117AC9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PNG image data, 115 x 115, 8-bit/color RGBA, non-interlaced
                                Category:dropped
                                Size (bytes):2521
                                Entropy (8bit):7.864107382063005
                                Encrypted:false
                                SSDEEP:48:nfpydxbYFcZcgsL1uDJYWRx7ODYC5cJCTTgS3TjCUcSgoOSwIi78+El8+Es:fIdR0gsL8KWR5ITTg8T2UcS5z48+Et
                                MD5:DE200D796FDBF0B5B731C7600BFAEC45
                                SHA1:0108D89035F5D31D00920FBC19D5E6CE719927B4
                                SHA-256:E57FFE806D2B90411309128AAED5FE991ABAFA01225FA20BF43F04CC05D9579E
                                SHA-512:D6454615DF6D53B9ACA025B7AD127797F6E1D4458EAC3EFC8D039BB3E106DD173123980548F87D318B0E9E9B1499E00A30E95E8316992BB6E25DDC82C63BA764
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PNG image data, 115 x 115, 8-bit/color RGBA, non-interlaced
                                Category:dropped
                                Size (bytes):3233
                                Entropy (8bit):7.878303376957383
                                Encrypted:false
                                SSDEEP:96:pN5ALE04ITU2NsDVxkk51sUe26Gt2rQH2G+5PJ:j5AlhsLl262rM9u
                                MD5:0EF26DD960994F218886FCFB97433CD9
                                SHA1:B4A5B7A5CBA921C350CD0F3377CA05244C2A3578
                                SHA-256:4EA2725625BCEEB0C716F7A3B1E38974D93830C762268A66CF032981ED3F43EF
                                SHA-512:DD891A904449A08240DBB68B13E03E8CEFC899EBD325ABB111AA280157A16E4BAE298574158D53FA3688E141209FD93B8B1132BACF769D3105DA721B0D7A434E
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PC bitmap, Windows 3.x format, 115 x 115 x 24
                                Category:dropped
                                Size (bytes):40074
                                Entropy (8bit):1.2683920260243833
                                Encrypted:false
                                SSDEEP:48:uhi3lCjH137NsBxDEL7pvCcNLT2CRKKBm4AErWDSfM712JeEMQjiYtS2VVf8Z+n0:uSO1hsfYxqSPxfAXFI0l/Vr
                                MD5:43824AB2C94B0A12EF747DA1DB2B0489
                                SHA1:231E497C235DCD86E04AB586A88627A05A37920F
                                SHA-256:5E73558FBA12F062107E9AB9CB70D2C138FC4635738C13978DAAA73D2424BF1B
                                SHA-512:0BEC55B7264939E37BCC4B36E718A4296A44B290ED2D3A934EDDE4AC503DCAF0F327ED9F77C2C1413504CA4455FE2B7CA04252644F06D4CD1335234926A6F934
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:GIF image data, version 89a, 115 x 115
                                Category:dropped
                                Size (bytes):76317
                                Entropy (8bit):7.625936445519031
                                Encrypted:false
                                SSDEEP:1536:lBtNPdtzsecZThJlVXg9Ok6DG48e19hVJSemIk81/RRGB82jOmi:lBVtziZvwQBhOema1vGy2jOt
                                MD5:DA786DA31E7231C7DDABABF3F87B0E2E
                                SHA1:A013F2BFF699F3D4CC263F5611DB36115B664ABC
                                SHA-256:1029BEFF65A5EC7B3CFB11882ED6F5E9C9DE585EC04F9329039AEA6E56F3C9FD
                                SHA-512:830E7FAF8A5B09FCA2794306706CBEBA98B77236DA3FE468DF48D3CCFA38448D73C68DCB636E93964B4D0DCD00256AEFF7605A0B72089A8F8566B80B5775AA5A
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                Category:dropped
                                Size (bytes):2998
                                Entropy (8bit):4.922835628524122
                                Encrypted:false
                                SSDEEP:48:lx5VMqHDL/nm+ry58nP0pB/ewjcYzrd673bOyGZPmLRPRKnIn8m1:/5VM6DLvm+OQGJ63HYwRem1
                                MD5:20D25E871A244B94574C47726DE745D6
                                SHA1:1FB26622978ECD2D00B107D83C1AD61366452214
                                SHA-256:88DD7EE9FA22ECDBDC6B3D47DB83BC3D72360AEB43588E6A9A008B224389CB1C
                                SHA-512:AEE04C9BE3C65676ABF2C8E20E9F6A954539C23E9BD4971539D3A86B45C7C85A5E62BAEF0C465345909C602C5B70CD86B7112B3F24ED9DA69EC27D81D59A7F71
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                Category:dropped
                                Size (bytes):2998
                                Entropy (8bit):4.667661526304198
                                Encrypted:false
                                SSDEEP:48:P81Vf/JWPhry58nP0pB/ewjcYzrd67jQPawP4y9ttO46uylABWPE:wxWPhOQGJ6nQSujtx6plyWPE
                                MD5:D234CA0358B21BDCFC5E3F9B2E7C7A22
                                SHA1:95356780EA21C43A129FA560365FE5B7A216CC8E
                                SHA-256:99D490C2BDEF5115F306A595964663540370141F65A25C5052352155F2603F68
                                SHA-512:AE47D796C758E53FC7AA183CD8754EE382ED19A6B2F1834167E896F3A31260260F9B02E20D5403557B78A1C36FFF1423B8A742B20970C20F169F9D3AEA48C4EE
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PC bitmap, Windows 3.x format, 1 x 200 x 24
                                Category:dropped
                                Size (bytes):854
                                Entropy (8bit):3.802531598764924
                                Encrypted:false
                                SSDEEP:24:kUGGGGGGGGjg/QUVdLbCKKKKKKWqqqqqqr:kGUVdnCKKKKKKWqqqqqqr
                                MD5:4C3DDA35E23D44E273D82F7F4C38470A
                                SHA1:B62BC59F3EED29D3509C7908DA72041BD9495178
                                SHA-256:E728F79439E07DF1AFBCF03E8788FA0B8B08CF459DB31FC8568BC511BF799537
                                SHA-512:AB27A59ECCDCAAB420B6E498F43FDFE857645E5DA8E88D3CFD0E12FE96B3BB8A5285515688C7EEC838BBE6C2A40EA7742A9763CF5438D740756905515D9B0CC5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):179360
                                Entropy (8bit):6.66273052333922
                                Encrypted:false
                                SSDEEP:3072:C6g9WJSimJWLHKfo9m/sxfA+mPWAg0Fub/8drAAAAAAArK/9R:B2imTfootuAODUAAAAAAArUT
                                MD5:47F84947E6374F8707129C36833212D5
                                SHA1:A317BCC7368756101519E28F8036104A6022766F
                                SHA-256:B79DD5190E2C885F12CF54DCF0BB0AFC72CEA4FFCB21376685F028D235F9771E
                                SHA-512:48788FE16986E30C03D465BD5C088B02CFBCD0851DA7AE7BB27F08BFA6E1C2FA6FA7FA1F946B803E36D12F9BD568E146E7911F185CA187B816F39C38D4230888
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 4%
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1266
                                Entropy (8bit):4.788676021239895
                                Encrypted:false
                                SSDEEP:24:sQmWrLE9mfPfidACTiZW/gl6W/+L85HPZaIJPFfwLoPRZDjQOLIRaQLWfCIeLDR7:sMrLe/CC+t61L8xPZaIJPV1NmhIqmvu1
                                MD5:CC950004F5BEE0C5242D7F6471165E75
                                SHA1:9C8641708400A0233C1C787C40147D6A7B7C2A14
                                SHA-256:6CDE65F3E7493CAD425BCB5109524CAC2621E83BFE14D526885589047BB65720
                                SHA-512:9A0C1AAA6182CEFD4B8644C9466F236F2ACC14A4E4EAA6F38D81A765D7538D27AE2C677FA024F9FC3D197051BB5DF5584BF694E329E9AF55B9ECBB636F273E93
                                Malicious:false
                                Preview:<?xml version="1.0" ?>.. <dpinst>.... The following search and subDirectory elements direct.. DPInst to search all subdirectories (in the root.. directory that contains DPInst.exe) to locate driver.. packages. -->.. <search>.. <subDirectory>.</subDirectory>.. </search>.... The following language element localizes its child elements.. for the English (Standard) language. The child elements.. customize the text that appears on the DPInst wizard pages. -->.. <language code="0x0409">.. <dpinstTitle>DisplayLink Installer</dpinstTitle>.. <welcomeTitle>Welcome to the DisplayLink Installer!</welcomeTitle>.. <welcomeIntro>This wizard will walk you through installing or updating the driver for your DisplayLink device.</welcomeIntro>.. <installHeaderTitle>Installing the software for your DisplayLink device...</installHeaderTitle>.. <finishTitle>Congratulations! You have finished installing your DisplayLink device.</finishTitle>..
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):54324
                                Entropy (8bit):5.060081960611842
                                Encrypted:false
                                SSDEEP:192:S0m9zyTuJC8MEiLCHRoURbi79B0019m+/fbEa5Aq3j2812sFDEoLRy+mEfw0HMO6:0iw0eoPjrnsFRH04RGVhl/d2m7a
                                MD5:A303F468BCCCB3027002972A9360BAE1
                                SHA1:A248F96991FD851A2D2B77BAC8183621F609D046
                                SHA-256:067147B39764139697994A653654409DFC0FEFEEC1FDED7B78B634122AB48A96
                                SHA-512:AFF7F0F332DE56A0DDA3B08D94F1FB46F69BBFA7D135A3B653FC3EFCCBF668041092FFB281756338220759452A629EF5C8B16C724832F1D50EE067D63F4C10B1
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):49264
                                Entropy (8bit):5.63834744380481
                                Encrypted:false
                                SSDEEP:384:qiWBdTktSfb1E+HDXSby46qXlCmzQi95ZGULNKkE9xkn2n8ndn1n9eEE6haemssA:gbNbSAqJBBR
                                MD5:8FBE14953AAA9D99F4CCE7CF8240EF3D
                                SHA1:6544FF6AA79C261F34385449902F5A53CD56DBFE
                                SHA-256:7C965A4DE6766AE31395F906AA1863EB9C40C4A16888A3C5807375166D601915
                                SHA-512:4D200D8D581DC63C395E206963853ED771A0472EDC77D05CAE169D228D9E79CF0CE0D3E38C72A762D09A4BEC4487D752EE3EBC1B1385401AF723C88C1CF7478B
                                Malicious:false
                                Preview:;..; USB CDC NCM Driver setup information file..; Copyright (c) 2009 - 2021 DisplayLink (UK) Ltd...;..; This file supports:..; Windows 10 x64 Windows 11 x64....;******************************************************************************..; Version Section..;------------------------------------------------------------------------------..[Version]..Signature="$Windows NT$"..PnpLockdown = 1..; 11/24/2021,12/07/2021,3.64.0.20958 For Windows 10 RS1 and later..DriverVer = 12/20/2021,10.2.6683.0..Provider=%S_Provider%..CatalogFile=%S_DriverName%.cat..Class=net..ClassGUID={4d36e972-e325-11ce-bfc1-08002be10318}........;******************************************************************************..; Manufacturer..;------------------------------------------------------------------------------..[Manufacturer]..; 10.0 - Windows 10 and later..%S_Mfg%=_Models, ntamd64....;******************************************************************************..; Models Section..;-------------------
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):142512
                                Entropy (8bit):6.529689914382159
                                Encrypted:false
                                SSDEEP:3072:Ap88ONMs5ZB+OV+SzAN7/RoF/RstnSiS2112:Q8DMMB+OURNNogSfa2
                                MD5:9E58B65E1B63FF136FCA209AED36B729
                                SHA1:3794975870B6DD81A8112BCD17452AF7DE6A4E15
                                SHA-256:602D1B0D45831F803D5E045B0C4D38E6264C6F4817BA536CA6BE4A97B8A2A9B9
                                SHA-512:85A90C998563BC0090A91CB69EC0D14BD62146E2906AA83AF704393678FCD24252AA9232D96524B3906B9CC7CFFEF4510361E057888E74B45752369F83BE49B8
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1266
                                Entropy (8bit):4.788676021239895
                                Encrypted:false
                                SSDEEP:24:sQmWrLE9mfPfidACTiZW/gl6W/+L85HPZaIJPFfwLoPRZDjQOLIRaQLWfCIeLDR7:sMrLe/CC+t61L8xPZaIJPV1NmhIqmvu1
                                MD5:CC950004F5BEE0C5242D7F6471165E75
                                SHA1:9C8641708400A0233C1C787C40147D6A7B7C2A14
                                SHA-256:6CDE65F3E7493CAD425BCB5109524CAC2621E83BFE14D526885589047BB65720
                                SHA-512:9A0C1AAA6182CEFD4B8644C9466F236F2ACC14A4E4EAA6F38D81A765D7538D27AE2C677FA024F9FC3D197051BB5DF5584BF694E329E9AF55B9ECBB636F273E93
                                Malicious:false
                                Preview:<?xml version="1.0" ?>.. <dpinst>.... The following search and subDirectory elements direct.. DPInst to search all subdirectories (in the root.. directory that contains DPInst.exe) to locate driver.. packages. -->.. <search>.. <subDirectory>.</subDirectory>.. </search>.... The following language element localizes its child elements.. for the English (Standard) language. The child elements.. customize the text that appears on the DPInst wizard pages. -->.. <language code="0x0409">.. <dpinstTitle>DisplayLink Installer</dpinstTitle>.. <welcomeTitle>Welcome to the DisplayLink Installer!</welcomeTitle>.. <welcomeIntro>This wizard will walk you through installing or updating the driver for your DisplayLink device.</welcomeIntro>.. <installHeaderTitle>Installing the software for your DisplayLink device...</installHeaderTitle>.. <finishTitle>Congratulations! You have finished installing your DisplayLink device.</finishTitle>..
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):55971
                                Entropy (8bit):5.214854959109016
                                Encrypted:false
                                SSDEEP:192:4R4J24JCHMEiLCHRoURbi79B0019m+/fbEa5Aq3j2812sFDEoLRy+mEfw0HMOVd0:40Hw0eoPl/k6h3Tp4ATKAR9zLflI
                                MD5:A17A1D49D0CCB1C31FCEAD1AB5C29E4C
                                SHA1:80B006F52518B81CA34779ED1630B5859B7CD28F
                                SHA-256:0A6A6B8360688D2B2ACCCEF396B7DFCE5DD4892F09039FD973B40489F2475EE6
                                SHA-512:494FB18A9E6D34C404B68FEFB21C69D69D889B1BA59185EBDA7DC17B3B1F382F132A1D46268FA21BB9D4913BA39AF39C4B01116F058DC8324F39AB26F2CEE399
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):48291
                                Entropy (8bit):5.662944047616262
                                Encrypted:false
                                SSDEEP:384:q5f1tY7js1E+HDXSby46qXlCmzQi95ZGULNKkE9xkn2n8ndn1n9eEE6haemsstFV:szksSAqJBBI
                                MD5:C9226A47200F6427774BE186F9722656
                                SHA1:B8E9C18F79041200FE978948757269838396F494
                                SHA-256:DDDFDC8AD7FAF4EF6906786F8C808012F314423387F8881DC62E14AA79D75548
                                SHA-512:8CE61EEAE8C8C0AA29EA6CD3823FA2A36B11D14341706083C94A1F14D157BAC79B360F7071B5A5E6A36DB57B214E4336C729A97BB6B2C886845D9F851F397A6C
                                Malicious:false
                                Preview:;..; USB CDC NCM Driver setup information file..; Copyright (c) 2009 - 2021 DisplayLink (UK) Ltd...;..; This file supports:..; Windows 10......;******************************************************************************..; Version Section..;------------------------------------------------------------------------------..[Version]..Signature="$Windows NT$"..PnpLockdown = 1..; 11/24/2021,12/07/2021,3.64.0.20958 For Windows 10 RS1 and later..DriverVer = 12/20/2021,10.2.6683.0..Provider=%S_Provider%..CatalogFile=%S_DriverName%.cat..Class=net..ClassGUID={4d36e972-e325-11ce-bfc1-08002be10318}........;******************************************************************************..; Manufacturer..;------------------------------------------------------------------------------..[Manufacturer]..; 10.0 - Windows 10 and later..%S_Mfg%=_Models, ntx86....;******************************************************************************..; Models Section..;------------------------------------------
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (native) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):118096
                                Entropy (8bit):6.773752255554001
                                Encrypted:false
                                SSDEEP:3072:KlYWMTLzWIzSchTEzIV1I0a9jWonrxcz2xf5cVZrOUh:KhMTLCe5Q8Hza9jWcrxUVT
                                MD5:23FF5CDEC7E56D72355679ED39AC760D
                                SHA1:386AD969F2FF63DDF3F77F8FEA23FB9CCE76E9A1
                                SHA-256:CDF766E4416823CB6C99B7F1FB8B9138AA7D430A9A73D6D73CB8D2E357559211
                                SHA-512:42651B8E6E4C2C053D442A9389BA7173199747818ABB79FDE90A2D5C9FCB7D3E57EBB8BCC4F0E459E0B361E9B02332731657174409AEC4888B5F798C5A440B20
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):17413496
                                Entropy (8bit):5.528506150344374
                                Encrypted:false
                                SSDEEP:98304:TZoGd3lN1+eTQPf1himxPPrHWPgZXk60wwgtX73Z8y2THJF4Xz0ojM8Pt3rm2eSs:pdLbTQ3d37WIe6tXl8yQLBojM8PxkW5s
                                MD5:F501A103478D855B0088A41117A4D4EC
                                SHA1:AB6747BDDDA6E6F67DC13307D5DF88D6C28B8C14
                                SHA-256:363BA5694D1E3DB4F27D8E4D0A53BB7095C93C22C9F6C8F6BEE637AC236F4BBA
                                SHA-512:BB0578955AF5FABFC6CB47A1E31EBF50C90628B8856BBD27BB61F718E17A2332F5B07B61863A5590B7B3D1DAE735E0C381172D3AE281417A7E559198D04662AD
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:Microsoft Cabinet archive data, 2366 bytes, 3 files
                                Category:dropped
                                Size (bytes):10342
                                Entropy (8bit):7.597236471941108
                                Encrypted:false
                                SSDEEP:192:/T9IF5jRfoDPKNO2pAVmcb8J6PS7HvDWpHdZHRe7x0ZRsaxS:CF5Rfo+ikcgcPOvDGdhOyY
                                MD5:DCCDF3EFEBB7228209305F79F0845471
                                SHA1:226418FA4E0DCAF9CD5E9B2692BF9ADDE558B345
                                SHA-256:6698C83BCD7A449DCB31C6A0AC9DE8F5E49BD66351AC48AFFB158E59FD0B3C81
                                SHA-512:5160924F7E3AAF02BE8500A43D3FC44E3D86F67FBFB2AE7B6C7B1E682EF86B29371F733064E0352C78DE58A04A1D23267DE6C70F26EC9F143C151EB066A5E400
                                Malicious:false
                                Preview:MSCF....>.......D...............I...........>...(.............................6Tzq .AddProduct.reg..J........6Tzq .ImportSettings.reg......P....6Tzq .RemoveProduct.reg...3/.. ^CK.mo...........]i..=d......6.VM..j..Qp...`.4[]...6....klo.NQe..s.`....0..]&].....Ir...T..i..H2....w...._?./'...=9.}p........%..4...U.....f.t.z.........&q.z?..'[....w].....G....#.2.CW.]...........5.8}Kv..>...c}..-..N'...FJ.W...(.@..CC...:]N.......~.g.....z..).PU.z..(C^.._V.R..:................,.84.......~}..ZH...Y....oU.....(gTH.%..F.J.R..~-Y.`...y.H7..Cr-..d..P.}0...F.'z.C..U..2u...Q.=>U...s+.J.A.C.N7..bU..qG.........f.~V..SJz.]P.Z^..t.h.).Z..]..j-S....Xz...O...|e..].V..mv.o...g.....I....U.`.+."...+!.o".{.G.......A..b...o.BU..oK..!....>.;.aB.p......w..n.wY.$q.... ..&..a.v..0..+G&q...[].g.}l..9:j..^%...Qy._....-f.`."l%..i.^...|... ...7;`.aGuW*..../<.X......)x~.mc...w`'.........C....=M6..T..[x..k.{Q.........a.G...>.$s.GA.n..)L....ze..5s.kY..?M..X.5...^..g ..G../..q..@[{^
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1266
                                Entropy (8bit):4.788676021239895
                                Encrypted:false
                                SSDEEP:24:sQmWrLE9mfPfidACTiZW/gl6W/+L85HPZaIJPFfwLoPRZDjQOLIRaQLWfCIeLDR7:sMrLe/CC+t61L8xPZaIJPV1NmhIqmvu1
                                MD5:CC950004F5BEE0C5242D7F6471165E75
                                SHA1:9C8641708400A0233C1C787C40147D6A7B7C2A14
                                SHA-256:6CDE65F3E7493CAD425BCB5109524CAC2621E83BFE14D526885589047BB65720
                                SHA-512:9A0C1AAA6182CEFD4B8644C9466F236F2ACC14A4E4EAA6F38D81A765D7538D27AE2C677FA024F9FC3D197051BB5DF5584BF694E329E9AF55B9ECBB636F273E93
                                Malicious:false
                                Preview:<?xml version="1.0" ?>.. <dpinst>.... The following search and subDirectory elements direct.. DPInst to search all subdirectories (in the root.. directory that contains DPInst.exe) to locate driver.. packages. -->.. <search>.. <subDirectory>.</subDirectory>.. </search>.... The following language element localizes its child elements.. for the English (Standard) language. The child elements.. customize the text that appears on the DPInst wizard pages. -->.. <language code="0x0409">.. <dpinstTitle>DisplayLink Installer</dpinstTitle>.. <welcomeTitle>Welcome to the DisplayLink Installer!</welcomeTitle>.. <welcomeIntro>This wizard will walk you through installing or updating the driver for your DisplayLink device.</welcomeIntro>.. <installHeaderTitle>Installing the software for your DisplayLink device...</installHeaderTitle>.. <finishTitle>Congratulations! You have finished installing your DisplayLink device.</finishTitle>..
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):56089
                                Entropy (8bit):5.144135786553492
                                Encrypted:false
                                SSDEEP:192:vN5uXj72tJCjxMEiLCHRoURbi79B0019m+/fbEa5Aq3j2812sFDEoLRy+mEfw0HU:vteAw0eoPjrnsFRyMTN4tgR9zahVM5
                                MD5:5CA13A2659A7C744C67EE74B65668440
                                SHA1:51C4AD245BC0DA86CB5A19B9E836FCF41DB425C9
                                SHA-256:065613F46C7A7C32DD78ACD7B9533C6294AE274B0056E060DA7A546915E269B3
                                SHA-512:A0D634EA8F7B843150B3D436AD772373245BD936F8C9B6BC5F0D5DCB93CD83BDFE7BCB119C9B00ACBCB795D236FE42F3E72BC427ECA25A3BA46A058EBC38913D
                                Malicious:false
                                Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7.......FnRm.A..>/W.....211220205436Z0...+.....7.....0...0....R5.C.6.E.A.F.9.E.0.F.4.4.1.9.5.5.0.3.D.F.7.F.7.A.7.3.C.6.4.9.8.3.C.9.3.F.E.D.1.5...1..70<..+.....7...1.0,...F.i.l.e........d.l.c.d.c.n.c.m...i.n.f...0E..+.....7...17050...+.....7.......0!0...+........\n...D.U...zs.I..?..0L..+.....7...1>0<...O.S.A.t.t.r.......&2.:.6...1.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R9.F.5.A.B.E.A.4.E.3.D.0.A.9.B.D.6.B.1.7.3.3.0.C.F.B.2.3.3.5.C.0.F.2.0.6.5.B.9.E...1..C0@..+.....7...1200...F.i.l.e........d.l.c.d.c.n.c.m.6.2...s.y.s...0L..+.....7...1>0<...O.S.A.t.t.r.......&2.:.6...1.,.2.:.6...3.,.2.:.1.0...0...0M..+.....7...1?0=0...+.....7...0...........0!0...+.........Z.....k.3..#5...[.0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RC.D.7.4.E.E.8.A.1.6.2.6.B.B.F.9.D.5.3.E.2.5
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):84949
                                Entropy (8bit):5.573924006527727
                                Encrypted:false
                                SSDEEP:384:qcDsVGkJCJYQkyAJ4rXmJYone7g7Kpp0mudYqfEIN9pKXUJE6UO+lJa+kukukonR:NDD6DUAJemJY17JH
                                MD5:C6F7180011DB92BF9BA4AD7556302043
                                SHA1:5C6EAF9E0F44195503DF7F7A73C64983C93FED15
                                SHA-256:7291CC13E73CE5D6FDD6EC8F679227BBBE84E343C3BD25C845655E2BF5B86571
                                SHA-512:F02AD2DFF429DCCD0584BBE2F3565C5E4AF614C181C9E751984EC3C4E9D906D2EE5C28E68748B8303C2D102F9EAC5438015FFE2AF61EC1CF1073DA1693A38863
                                Malicious:false
                                Preview:;..; USB CDC NCM Driver setup information file..; Copyright (c) 2009 - 2021 DisplayLink (UK) Ltd...;..; This file supports:..; Windows 7 Windows 7 x64..; Windows 8 Windows 8 x64..; Windows 8.1 Windows 8.1 x64..;....;******************************************************************************..; Version Section..;------------------------------------------------------------------------------..[Version]..Signature="$Windows NT$"..; 24/01/2019,2.34.27.0..DriverVer = 12/20/2021,10.2.6683.0..Provider=%S_Provider%..CatalogFile=%S_DriverName%.cat..Class=net..ClassGUID={4d36e972-e325-11ce-bfc1-08002be10318}........;******************************************************************************..; Manufacturer..;------------------------------------------------------------------------------..[Manufacturer]..; 6.1 - Windows 7 and later..%S_Mfg%=_Models, ntx86.6.1, ntamd64.6.1....;******************************************************************************..;
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (native) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):67896
                                Entropy (8bit):6.7598844516825825
                                Encrypted:false
                                SSDEEP:1536:UrP0EHgsIYwCcSAMoTmQuh/s+1ZNYLltcrAvQgVg90s2n:UrsQgsIYwCcSAMoKQKsgjYZ4C7g9G
                                MD5:AC5C50E5C5D2E09D863B07D35EAF1B38
                                SHA1:5DDD46D8D2BBDE974AD26AE5E75F91E013FD6ADF
                                SHA-256:99B1FAE6FB34845C2602B1F523DB7F79A20E010753C8E84191721A38122407D5
                                SHA-512:0D33AFB32445BCB680F5B41031482E3AE19BAD372BB0CEF5C1921743399E7FC66567CDBA412FD79ECBD812C55EDEADB31E7CE5324B860E72623AB7C0CE0A16CB
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):82800
                                Entropy (8bit):6.527921530734939
                                Encrypted:false
                                SSDEEP:1536:C999X4dLmMTjlbuKvPrBJQ3yNLY8hIpONqV7IBSymHnbjQdg95s2MFz:Cl4xmMTjBuKHrCu5hI+nm7jAg9m
                                MD5:4111392FF099D798B233D35494EF197C
                                SHA1:B94A5C281EBBFE500A3C6424ECA8A99EE8B62D31
                                SHA-256:F3B7758D35D49DB5CD9B6E951D2BBB8D648B419E506ECA3C2CA76EF597620506
                                SHA-512:C166B0C1CEEC4A985599C0F388D525B61089D78DB3E9060F4C21715EA022D39C75C36774203A161D4679B1D74618535633409537DB07A15BA288882E9AE5AAF2
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):54324
                                Entropy (8bit):5.060081960611842
                                Encrypted:false
                                SSDEEP:192:S0m9zyTuJC8MEiLCHRoURbi79B0019m+/fbEa5Aq3j2812sFDEoLRy+mEfw0HMO6:0iw0eoPjrnsFRH04RGVhl/d2m7a
                                MD5:A303F468BCCCB3027002972A9360BAE1
                                SHA1:A248F96991FD851A2D2B77BAC8183621F609D046
                                SHA-256:067147B39764139697994A653654409DFC0FEFEEC1FDED7B78B634122AB48A96
                                SHA-512:AFF7F0F332DE56A0DDA3B08D94F1FB46F69BBFA7D135A3B653FC3EFCCBF668041092FFB281756338220759452A629EF5C8B16C724832F1D50EE067D63F4C10B1
                                Malicious:false
                                Preview:0..0..*.H.........!0......1.0...`.H.e......0.....+.....7......0...0...+.....7......$U2W.B.?9S.k..211220144326Z0...+.....7.....0...0....X.....Di.T9nm..z....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0F..+.....7...1806...F.i.l.e.......$d.l.-.u.s.b.n.e.t.-.n.c.m...s.y.s...0....eD.j..&.48TI./ZS.V..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0F..+.....7...1806...F.i.l.e.......$d.l.-.u.s.b.n.e.t.-.n.c.m...i.n.f...0.... |.ZM.vj.......c.@.h...su.m`..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0F..+.....7...1806...F.i.l.e.......$d.l.-.u.s.b.n.e.t.-.n.c.m...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... |.ZM.vj.......c.@.h...su.m`..0.... ...(!.9=....(._..A.y..U..}.8.].x1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0F..+.....7...1806...F.i.l.e.......$d.l.-.u.s.b.n.e.t.-.n.c.m...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ...
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):49264
                                Entropy (8bit):5.63834744380481
                                Encrypted:false
                                SSDEEP:384:qiWBdTktSfb1E+HDXSby46qXlCmzQi95ZGULNKkE9xkn2n8ndn1n9eEE6haemssA:gbNbSAqJBBR
                                MD5:8FBE14953AAA9D99F4CCE7CF8240EF3D
                                SHA1:6544FF6AA79C261F34385449902F5A53CD56DBFE
                                SHA-256:7C965A4DE6766AE31395F906AA1863EB9C40C4A16888A3C5807375166D601915
                                SHA-512:4D200D8D581DC63C395E206963853ED771A0472EDC77D05CAE169D228D9E79CF0CE0D3E38C72A762D09A4BEC4487D752EE3EBC1B1385401AF723C88C1CF7478B
                                Malicious:false
                                Preview:;..; USB CDC NCM Driver setup information file..; Copyright (c) 2009 - 2021 DisplayLink (UK) Ltd...;..; This file supports:..; Windows 10 x64 Windows 11 x64....;******************************************************************************..; Version Section..;------------------------------------------------------------------------------..[Version]..Signature="$Windows NT$"..PnpLockdown = 1..; 11/24/2021,12/07/2021,3.64.0.20958 For Windows 10 RS1 and later..DriverVer = 12/20/2021,10.2.6683.0..Provider=%S_Provider%..CatalogFile=%S_DriverName%.cat..Class=net..ClassGUID={4d36e972-e325-11ce-bfc1-08002be10318}........;******************************************************************************..; Manufacturer..;------------------------------------------------------------------------------..[Manufacturer]..; 10.0 - Windows 10 and later..%S_Mfg%=_Models, ntamd64....;******************************************************************************..; Models Section..;-------------------
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):142512
                                Entropy (8bit):6.529689914382159
                                Encrypted:false
                                SSDEEP:3072:Ap88ONMs5ZB+OV+SzAN7/RoF/RstnSiS2112:Q8DMMB+OURNNogSfa2
                                MD5:9E58B65E1B63FF136FCA209AED36B729
                                SHA1:3794975870B6DD81A8112BCD17452AF7DE6A4E15
                                SHA-256:602D1B0D45831F803D5E045B0C4D38E6264C6F4817BA536CA6BE4A97B8A2A9B9
                                SHA-512:85A90C998563BC0090A91CB69EC0D14BD62146E2906AA83AF704393678FCD24252AA9232D96524B3906B9CC7CFFEF4510361E057888E74B45752369F83BE49B8
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):281790
                                Entropy (8bit):4.405563846529568
                                Encrypted:false
                                SSDEEP:1536:/JVR/lqHZioRO7MK6gOuGG+OmGQOpHFaG6+iGyJNRv1XpX1qHf3n/X//H/eA6IOv:an
                                MD5:6CA78854CF5DD459078BA113A5C19889
                                SHA1:8F6BE222E7AAB3D3AFD30F79EE3130268AF12CFC
                                SHA-256:1910D1359EE6A232B9A20FABB0767FA22A6ED2AE0C68A71855092CFF93DC9575
                                SHA-512:17B25E2F9E861CA93699CFED95D020112027CC0ACCF7E52F473BBFDC4A91E2772B8BB9706F8A2C0F9FE3973AD30041AEECD8500559DD354215A3D52B90AB08CF
                                Malicious:false
                                Preview:0..L...*.H.........L.0..L....1.0...`.H.e......0..+z..+.....7.....+j0..+e0...+.....7.....E.....C.N...5...220113023555Z0...+.....7.....0..<0.... .RN...U ..&.....&3.2.m..>..&.W71..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........d.l.i.d.u.s.b...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... .RN...U ..&.....&3.2.m..>..&.W70..". ..@'....t...j9?.o.~v>.j.%H.3.I.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..@'....t...j9?.o.~v>.j.%H.3.I.0\..+.....7...1N0L...F.i.l.e.......:f.i.r.e.f.l.y.-.m.o.n.i.t.o.r.-.r.e.l.e.a.s.e...s.p.k.g...0.... 3..9.s...s..!....R.,J.......#..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0P..+.....7...1B0@...F.i.l.e........e.l.l.a.-.d.o.c.k.-.r.e.l.e.a.s.e...s.p.k.g...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... 3..9.s...s..!....R.,J.......#..0.... 6.+.Q...`$%2V.O..,
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):9039784
                                Entropy (8bit):6.790261982437218
                                Encrypted:false
                                SSDEEP:98304:okFDXuDj0Rdd3ZnwpkxXo1W9yYU+65kh120K5KwAqyxfEsyiurG3QKs7asMBMao:okFDq0RT3ZwqxY49yYU+65kh12F
                                MD5:0F9558E52592336CC55F57A19A699288
                                SHA1:4948D64CD2B36B087343B6F2ACD0BB010D925803
                                SHA-256:9CAFB4DE282C2690612139B47CBC0EE85878CE129C26986D7FE05C870138C224
                                SHA-512:E4E07296961643062192E438DCEF2FB8D73A974E1093D41D226AAAF41C989642585EAB2286D5B11A8CB267D8BC464B45D9D96582EAAEF8538D66565FDDA94BDB
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):494965
                                Entropy (8bit):5.1490366489007116
                                Encrypted:false
                                SSDEEP:768:cJ4TtB/87BW/yKVEik+Vy4upYRobXlDWvbcTaQX8Uii3IoKzcunaTYD9rv0Ino7b:Fb6BxKy26HpUbLQMEiJJtvjogQjjPD
                                MD5:E6A47A25C29BDE9B35F10FD7A69C2436
                                SHA1:A0F76547D89084F4C9631D9B185A25ABC31D6D23
                                SHA-256:14524ED082B9155520B9D726CA1EE3EF0A26330232E66D86D03E9C0C26AE5737
                                SHA-512:A4156190320A81FDD8A69C3250C2BD6616FA77926AF9D9D01D720070237EEB65D15B10E2B6B6F5E4060FBA6AEC2D1AAD232F757171EA9A3F4D57FFEFEAA14D69
                                Malicious:false
                                Preview:;.. ; Installation inf for DisplayLink USB Display Adapters... ; Copyright (c) 2016 - 2022 DisplayLink (UK) Ltd... ;....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=dlidusb.cat..DriverVer = 01/10/2022,10.2.6709.0......[Manufacturer]..%ManufacturerName%=Standard, NTamd64, NTamd64.10.0...16209, NTamd64.10.0...17134....[Standard.NTamd64]..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0010..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0011..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0012..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0013..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0014..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0015..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0016..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0017..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0018..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0019..%DeviceName%=dlid
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):9039784
                                Entropy (8bit):6.7895293125406315
                                Encrypted:false
                                SSDEEP:98304:BkY22UQ/B5YM8kq4iPZXE1A9yYU+65kh12UDTuwgGtoR7hsZUHQSJmUYuJ2MBM/:BkY2UB5T8kZwZ0e9yYU+65kh12vK
                                MD5:94383CBA2D0106698AD7F9DE33D5481F
                                SHA1:6BB573F181227D7D1118E8AC80AC1F7F8013C981
                                SHA-256:C8B5C23AAC78EFAC9563BB6772BA7465D377183ED67F413E085261356CA92B53
                                SHA-512:762D4C7422A0C41C703055238D1B1EDABF612C1A622EF52D4B09105EE5F67AC418D408FB9F846C7D4E622DCAEC6364F764316D2FBDF71602DF0AC742D73F6B96
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):9041320
                                Entropy (8bit):6.790593565673882
                                Encrypted:false
                                SSDEEP:98304:P+T2M/bhEUxNK/J29QIXMx0IIdqoM9yYU+65kh12MR2cbkfhmWBoKG14t0yE5hVp:mK5MNKo9QYk089yYU+65kh12MF
                                MD5:AFFB47E02D4EA5C3A9C4260822BAB14A
                                SHA1:20C78369D70BD41994C61E2D6CE0E1B2837D5F8F
                                SHA-256:AAC436DF591D7F813FCB7C49AB4649529C5268F38BE44F7FEF85DC3BF7377680
                                SHA-512:2BCC533FBD52D41BD07AFE0EBFE97E1A7FD8BB1E2A5C33F52224FEA27BA3DFBBDCA73784026699976E48CA851B06184AE71EA806803B2EAE4B1F4A0B52507094
                                Malicious:false
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):56778
                                Entropy (8bit):5.223715380209655
                                Encrypted:false
                                SSDEEP:192:/a7wxRg2/taontFwL8qXcZbv2NpJCzg/4bEl5nqQjZ8q2rFEEPLOyBmE4wzHLOKk:BJtFCRXZp+lrK9M3rPFRHR1ltxzu
                                MD5:DE78B1D44CE14FA1C5D45225323B56FD
                                SHA1:BDA52AB7F8525007544D25B15574063A91BD68FF
                                SHA-256:186C32442A423474D45AD050BCAE56F38D514BC3B0C36A1AD47895B2D8F9B378
                                SHA-512:3CB6F37C3F9D957ACF01E0164B8ED87B5D6C129EB9DFFC83F9BA87844F61D01FA1BA91BDC23DDE8B50DE5EC1A589A972259DE27B271059C655AA4AF896E28E89
                                Malicious:false
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):126813
                                Entropy (8bit):5.287768025455325
                                Encrypted:false
                                SSDEEP:384:MBVJQ7BVJQnrx5A3drx5AfATM/NSeKzWqqp79y8Ao1yzU8OxipYde:MJwJ8/2/cATeSeKzWqq99y818Oxiade
                                MD5:4E408C8AAD29D03EA6CF3451C563472B
                                SHA1:3AC47A7A1366F5C0CDB8C483172649E0BF953C03
                                SHA-256:37F8141F17A88184F5DF26A68BA569E0DD3B008525512AC53458F81EFCB87139
                                SHA-512:AB8F7CE350104D88924B0BDEE54FE0B4A04879C195FCACFFA908B2EC87E72A215214061C1DF0D895CB7C0BE9286AB376ADE1512237D3CABE39688574E1F30CA8
                                Malicious:false
                                Preview:;..; DisplayLink USB Audio Adapter Driver..; Copyright (c) 2011 - 2021 DisplayLink (UK) Ltd...;....;******************************************************************************..; Version Section..;------------------------------------------------------------------------------..[Version]..Signature="$Windows NT$"..; 07/11/2019,1.55.0.0..DriverVer = 10/07/2021,10.2.6554.0..Provider=%S_Provider%..CatalogFile=%S_DriverName%.cat....Class=MEDIA..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}....[SignatureAttributes]..dlusbaudio.sys=SignatureAttributes.DRM..dlusbaudio_x64.sys=SignatureAttributes.DRM....[SignatureAttributes.DRM]..DRMLevel=1300......;******************************************************************************..; Manufacturer..;------------------------------------------------------------------------------..[Manufacturer]..; Windows from build 16288 will use inbox audio driver..%S_Mfg%=_Models, ntx86.10.0...16288, ntamd64.10.0...16288, ntx86, ntamd64......;*****************
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:PE32 executable (native) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):176368
                                Entropy (8bit):6.633174130570561
                                Encrypted:false
                                SSDEEP:3072:2MRFxRfYLrOJfp9jfpR80ieWh19JBWdGFAgo5Vg9/rY:vTwLrMb5WP93q/g+mY
                                MD5:F5D75845F9719B78DC808473D5C27102
                                SHA1:5CA17DF42D2C6B075E7C391E96AFD221DC3534E0
                                SHA-256:AB4FD1C41A408DE8615B3B0D198410980573E3C97DD912079376E3CA969EB7C8
                                SHA-512:A687C3C01E0D3D9D656A0FD9CAEE0BAE830E0B630C08037387EEE1520E64FB288D55315FE4E4E050B294BA91DE8F2BE4D605A0942A3F70C3622EB5D7CEB2CBDE
                                Malicious:false
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):237808
                                Entropy (8bit):6.4733574762486885
                                Encrypted:false
                                SSDEEP:3072:equVkUSvUtN9pY5JmUI4+hbtYekXFoX/W/IV29B1ZKaDx7VUx3zRT9QZog9NSF:e6UdtN9RkXFoX3V6BCadctmmHF
                                MD5:11C6DA2B3CC3A247D7115B3E53CD35CC
                                SHA1:9F473F33761DCD5BD312EA5A774BE3B019621FF9
                                SHA-256:034FE8201FD72B39D5F35B59AF8F301813222FB9159DD8F9DB638F82E84333F2
                                SHA-512:B914F89C314F79E4807CE61CDFA5CF82B570E28B2499E194622A67FCB680F5E914089C680233E7C72255AB69D73D07DFA78DAFA39EDB85D62EF75CEC10598A31
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):888048
                                Entropy (8bit):7.999763743901625
                                Encrypted:true
                                SSDEEP:24576:SswcBlSP/G5BnbvFvWuwfdMhXIkjpIVVsM1Ok40YQLQz:iG5PvdrZIAIVKZk4FQLQz
                                MD5:E4A41DA40DE01AEDD59D2A49CE3ABB30
                                SHA1:C79E216B90893E455ABB2FE11CBFDEE3C5F979AD
                                SHA-256:33B7E13905739FCD02730BC82196AD831352BF2C4ACFECD78496F8FEC7239EB8
                                SHA-512:A1135EF8FE03868BEFA58F92A65483D7587614A23C394158764B962D82536D31A832B375138266F7DEAFCE8B2A3766A662E5E2D9C184EE73E8FC461DFF17D829
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):349216
                                Entropy (8bit):7.9994424256959515
                                Encrypted:true
                                SSDEEP:6144:as2gKc1+Yvf3rqOidtLuNQh7bYnb3e1aTckqdk23np2gU4zT7Uq2o9tv9PeNE:P1+6/+tuN8b00ndT3nNTr9P
                                MD5:C9E694592E01FC16D65F6AE3A07B6661
                                SHA1:A7C62D57FB9DAFE11E295EEA3B63BD72E8778291
                                SHA-256:15CF40279890D5E374C5A0BE9B6A393FCA6F077E763EB76A0A25480033DC4914
                                SHA-512:5F72854783AA787C6C3ED4C4CAFF1C7DC740FC724FE56A5CA787F85B0051350505E453B00CFF0C1B713E8CC4660678C7AAD952E275FA5171702324A6DFAD5D01
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):752336
                                Entropy (8bit):7.999722476182654
                                Encrypted:true
                                SSDEEP:12288:23bAFm05XMdVw6yV6X8BoIkks/LdWnJOCP5U8CJPdb8IxR6AMl26aFDAO/ZFX:bT5X0Vw6yQAoIADdKJO+5U8CJPdwIX66
                                MD5:82F4457C9F4A5B37B0218593CBF51767
                                SHA1:E270FA14455AB2C6D6E53E24DA2E0380AE0B3488
                                SHA-256:A263784D70A94712DB3DA50DFBE762FEDAF0CCFB8BA54F128467F1B6B98F8C85
                                SHA-512:60AB06BDD7CB050CE421A7ED66204BFB43B18726ACD9AAA659FDA47F2CAFD7D773058F05A28CC328267F31B4D549B336A71BDBAEFEBBA99985A52A6EFAC156CD
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1266
                                Entropy (8bit):4.788676021239895
                                Encrypted:false
                                SSDEEP:24:sQmWrLE9mfPfidACTiZW/gl6W/+L85HPZaIJPFfwLoPRZDjQOLIRaQLWfCIeLDR7:sMrLe/CC+t61L8xPZaIJPV1NmhIqmvu1
                                MD5:CC950004F5BEE0C5242D7F6471165E75
                                SHA1:9C8641708400A0233C1C787C40147D6A7B7C2A14
                                SHA-256:6CDE65F3E7493CAD425BCB5109524CAC2621E83BFE14D526885589047BB65720
                                SHA-512:9A0C1AAA6182CEFD4B8644C9466F236F2ACC14A4E4EAA6F38D81A765D7538D27AE2C677FA024F9FC3D197051BB5DF5584BF694E329E9AF55B9ECBB636F273E93
                                Malicious:false
                                Preview:<?xml version="1.0" ?>.. <dpinst>.... The following search and subDirectory elements direct.. DPInst to search all subdirectories (in the root.. directory that contains DPInst.exe) to locate driver.. packages. -->.. <search>.. <subDirectory>.</subDirectory>.. </search>.... The following language element localizes its child elements.. for the English (Standard) language. The child elements.. customize the text that appears on the DPInst wizard pages. -->.. <language code="0x0409">.. <dpinstTitle>DisplayLink Installer</dpinstTitle>.. <welcomeTitle>Welcome to the DisplayLink Installer!</welcomeTitle>.. <welcomeIntro>This wizard will walk you through installing or updating the driver for your DisplayLink device.</welcomeIntro>.. <installHeaderTitle>Installing the software for your DisplayLink device...</installHeaderTitle>.. <finishTitle>Congratulations! You have finished installing your DisplayLink device.</finishTitle>..
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):55971
                                Entropy (8bit):5.214854959109016
                                Encrypted:false
                                SSDEEP:192:4R4J24JCHMEiLCHRoURbi79B0019m+/fbEa5Aq3j2812sFDEoLRy+mEfw0HMOVd0:40Hw0eoPl/k6h3Tp4ATKAR9zLflI
                                MD5:A17A1D49D0CCB1C31FCEAD1AB5C29E4C
                                SHA1:80B006F52518B81CA34779ED1630B5859B7CD28F
                                SHA-256:0A6A6B8360688D2B2ACCCEF396B7DFCE5DD4892F09039FD973B40489F2475EE6
                                SHA-512:494FB18A9E6D34C404B68FEFB21C69D69D889B1BA59185EBDA7DC17B3B1F382F132A1D46268FA21BB9D4913BA39AF39C4B01116F058DC8324F39AB26F2CEE399
                                Malicious:false
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):48291
                                Entropy (8bit):5.662944047616262
                                Encrypted:false
                                SSDEEP:384:q5f1tY7js1E+HDXSby46qXlCmzQi95ZGULNKkE9xkn2n8ndn1n9eEE6haemsstFV:szksSAqJBBI
                                MD5:C9226A47200F6427774BE186F9722656
                                SHA1:B8E9C18F79041200FE978948757269838396F494
                                SHA-256:DDDFDC8AD7FAF4EF6906786F8C808012F314423387F8881DC62E14AA79D75548
                                SHA-512:8CE61EEAE8C8C0AA29EA6CD3823FA2A36B11D14341706083C94A1F14D157BAC79B360F7071B5A5E6A36DB57B214E4336C729A97BB6B2C886845D9F851F397A6C
                                Malicious:false
                                Preview:;..; USB CDC NCM Driver setup information file..; Copyright (c) 2009 - 2021 DisplayLink (UK) Ltd...;..; This file supports:..; Windows 10......;******************************************************************************..; Version Section..;------------------------------------------------------------------------------..[Version]..Signature="$Windows NT$"..PnpLockdown = 1..; 11/24/2021,12/07/2021,3.64.0.20958 For Windows 10 RS1 and later..DriverVer = 12/20/2021,10.2.6683.0..Provider=%S_Provider%..CatalogFile=%S_DriverName%.cat..Class=net..ClassGUID={4d36e972-e325-11ce-bfc1-08002be10318}........;******************************************************************************..; Manufacturer..;------------------------------------------------------------------------------..[Manufacturer]..; 10.0 - Windows 10 and later..%S_Mfg%=_Models, ntx86....;******************************************************************************..; Models Section..;------------------------------------------
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:PE32 executable (native) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):118096
                                Entropy (8bit):6.773752255554001
                                Encrypted:false
                                SSDEEP:3072:KlYWMTLzWIzSchTEzIV1I0a9jWonrxcz2xf5cVZrOUh:KhMTLCe5Q8Hza9jWcrxUVT
                                MD5:23FF5CDEC7E56D72355679ED39AC760D
                                SHA1:386AD969F2FF63DDF3F77F8FEA23FB9CCE76E9A1
                                SHA-256:CDF766E4416823CB6C99B7F1FB8B9138AA7D430A9A73D6D73CB8D2E357559211
                                SHA-512:42651B8E6E4C2C053D442A9389BA7173199747818ABB79FDE90A2D5C9FCB7D3E57EBB8BCC4F0E459E0B361E9B02332731657174409AEC4888B5F798C5A440B20
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):281703
                                Entropy (8bit):4.405763742551111
                                Encrypted:false
                                SSDEEP:1536:TJVR/lqHZioRO7MK6gOuGG+OmGQOpHFaG6+iGyJNRv1XpX1qHf3n/X//H/eA6IOf:uX
                                MD5:850D1EF72788D63523FC65CDFFDA26D4
                                SHA1:30986921845778E2772DC6F0A365DDBDF0082A3D
                                SHA-256:B1DF21CB7BD0F1DD362DFACC4F912B3EC9241704CF320DF1A3B428E9A300C3B6
                                SHA-512:67872576A142D9B129DE2C5FC0A604E45FF8245600F31E7472AA561FCD33A46B6FF14417AE55DE82765CF0C130AE72DE55E6927BAAFBB8E9D9AD42E9ADDF72F7
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):8728488
                                Entropy (8bit):6.789866250449058
                                Encrypted:false
                                SSDEEP:196608:B5fmhxPDAE1jkIxyd8lRT9yYU+H5QhNnch:B5Ih1dG8HT9yY5H5QhNn4
                                MD5:160889CEF00A6A40F715D8A1E73B7CA6
                                SHA1:DE0FD1EA9EE63F2374FB670D0D59DEF26401050E
                                SHA-256:05752DC4581FBFD1A175D1A62893F143478769A8AB4E4F03E860B20F3204DF3D
                                SHA-512:6242937B9736176F4A1BBA4F5B28AE401F7BA79DB341255C01ED36DE4D84450D85EA7FBA9562AE8D12CA557418A0A8219F6398BE77310D03FF00566894DC7351
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):494953
                                Entropy (8bit):5.149168035426433
                                Encrypted:false
                                SSDEEP:768:4J4TtB/87BW/yKVEik+Vy4upaRobXlDWvbcTaQX8Uii3IoKz2unaTYD9rv0Ino7b:Rb6BxKy26NpUbLQMEifJtvjogQjjPD
                                MD5:B37190F9FA92EBDBD680178A693C0A06
                                SHA1:A8A2725370E9BFE8A533253174F0EEF8F528A592
                                SHA-256:CF4BCC196B1EDF19E72F7A3C999975B230E86D02A75D17103E648812C047C7BC
                                SHA-512:90F32A8755D6FB9168675B14E6E1AE232294B4AD455E5942A44AD1293FF85B640E8914602A680BB766E247D0AB1F53987A47FAA254831CC04DFAABCBC003961D
                                Malicious:false
                                Preview:;.. ; Installation inf for DisplayLink USB Display Adapters... ; Copyright (c) 2016 - 2022 DisplayLink (UK) Ltd... ;....[Version]..Signature="$Windows NT$"..Class=Display..ClassGuid={4d36e968-e325-11ce-bfc1-08002be10318}..ClassVer=2.0..Provider=%ManufacturerName%..CatalogFile=dlidusb.cat..DriverVer = 01/10/2022,10.2.6709.0......[Manufacturer]..%ManufacturerName%=Standard, NTx86, NTx86.10.0...16209, NTx86.10.0...17134....[Standard.NTx86]..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0010..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0011..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0012..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0013..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0014..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0015..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0016..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0017..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0018..%DeviceName%=dlidusb_Install, USB\VID_17e9&PID_0019..%DeviceName%=dlidusb_Inst
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):8728488
                                Entropy (8bit):6.7898927933749
                                Encrypted:false
                                SSDEEP:196608:5hYTMJZcksttxIYl3WVrK9yYU+H5QhNn7:5h3KL9ZW9K9yY5H5QhNn
                                MD5:E3EB444C135A84EC90030D89CD9E9FB9
                                SHA1:D5275EF2841D9E2D606239E40BAFE742988FA3A7
                                SHA-256:2E844AE704B6F4352AB5C0DEC08C9F14AAC175DCAB7F294F82734A0D2B890FAD
                                SHA-512:B55958BE64C868F4E1538A259768D0588EA117867D65F01384F34C37020AAC2F3950CE6C14175561DA9622564C0ADBD308EC32B6B1085F5E3FBAF9951F16B443
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):8730536
                                Entropy (8bit):6.788607110728472
                                Encrypted:false
                                SSDEEP:196608:PP/w714e+AiN74MzzWwapACf9yYU+u5QhNns:PPvvuM2Npnf9yY5u5QhNns
                                MD5:70B24DF75B0B19BB33BBB943FC1EE355
                                SHA1:2291FF89862632E817C7C33C321245176A9F1945
                                SHA-256:93F70FB41D3E91C385AEFDB78C2D2DE621A45E6783E97F6AC698C03255AEA6B1
                                SHA-512:F58811A8C8D60D21D5A28DF0C15735A880BB81A0680D8355476950706F2B3666ABEB56A023F72215B56520114F39AEE5F3006DB60C424236C3B62D42FE55A6DE
                                Malicious:false
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):56778
                                Entropy (8bit):5.223715380209655
                                Encrypted:false
                                SSDEEP:192:/a7wxRg2/taontFwL8qXcZbv2NpJCzg/4bEl5nqQjZ8q2rFEEPLOyBmE4wzHLOKk:BJtFCRXZp+lrK9M3rPFRHR1ltxzu
                                MD5:DE78B1D44CE14FA1C5D45225323B56FD
                                SHA1:BDA52AB7F8525007544D25B15574063A91BD68FF
                                SHA-256:186C32442A423474D45AD050BCAE56F38D514BC3B0C36A1AD47895B2D8F9B378
                                SHA-512:3CB6F37C3F9D957ACF01E0164B8ED87B5D6C129EB9DFFC83F9BA87844F61D01FA1BA91BDC23DDE8B50DE5EC1A589A972259DE27B271059C655AA4AF896E28E89
                                Malicious:false
                                Preview:0.....*.H.........0.....1.0...`.H.e......0.....+.....7......0...0...+.....7.....F...8UG...>.J"..211007225007Z0...+.....7.....0..I0....R3.A.C.4.7.A.7.A.1.3.6.6.F.5.C.0.C.D.B.8.C.4.8.3.1.7.2.6.4.9.E.0.B.F.9.5.3.C.0.3...1..G0@..+.....7...1200...F.i.l.e........d.l.u.s.b.a.u.d.i.o...i.n.f...0E..+.....7...17050...+.....7.......0!0...+........:.zz.f.....&I.<.0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R4.E.9.A.6.6.3.6.6.F.B.E.9.2.1.B.8.9.D.A.D.D.3.5.4.2.4.5.8.E.A.9.1.C.2.6.0.C.0.8...1...04..+.....7...1&0$...D.R.M.L.e.v.e.l........1.3.0.0...0@..+.....7...1200...F.i.l.e........d.l.u.s.b.a.u.d.i.o...s.y.s...0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0..y..+.....7...1..i0..e0..>..+.....7...0.....
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):126813
                                Entropy (8bit):5.287768025455325
                                Encrypted:false
                                SSDEEP:384:MBVJQ7BVJQnrx5A3drx5AfATM/NSeKzWqqp79y8Ao1yzU8OxipYde:MJwJ8/2/cATeSeKzWqq99y818Oxiade
                                MD5:4E408C8AAD29D03EA6CF3451C563472B
                                SHA1:3AC47A7A1366F5C0CDB8C483172649E0BF953C03
                                SHA-256:37F8141F17A88184F5DF26A68BA569E0DD3B008525512AC53458F81EFCB87139
                                SHA-512:AB8F7CE350104D88924B0BDEE54FE0B4A04879C195FCACFFA908B2EC87E72A215214061C1DF0D895CB7C0BE9286AB376ADE1512237D3CABE39688574E1F30CA8
                                Malicious:false
                                Preview:;..; DisplayLink USB Audio Adapter Driver..; Copyright (c) 2011 - 2021 DisplayLink (UK) Ltd...;....;******************************************************************************..; Version Section..;------------------------------------------------------------------------------..[Version]..Signature="$Windows NT$"..; 07/11/2019,1.55.0.0..DriverVer = 10/07/2021,10.2.6554.0..Provider=%S_Provider%..CatalogFile=%S_DriverName%.cat....Class=MEDIA..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}....[SignatureAttributes]..dlusbaudio.sys=SignatureAttributes.DRM..dlusbaudio_x64.sys=SignatureAttributes.DRM....[SignatureAttributes.DRM]..DRMLevel=1300......;******************************************************************************..; Manufacturer..;------------------------------------------------------------------------------..[Manufacturer]..; Windows from build 16288 will use inbox audio driver..%S_Mfg%=_Models, ntx86.10.0...16288, ntamd64.10.0...16288, ntx86, ntamd64......;*****************
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:PE32 executable (native) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):176368
                                Entropy (8bit):6.633174130570561
                                Encrypted:false
                                SSDEEP:3072:2MRFxRfYLrOJfp9jfpR80ieWh19JBWdGFAgo5Vg9/rY:vTwLrMb5WP93q/g+mY
                                MD5:F5D75845F9719B78DC808473D5C27102
                                SHA1:5CA17DF42D2C6B075E7C391E96AFD221DC3534E0
                                SHA-256:AB4FD1C41A408DE8615B3B0D198410980573E3C97DD912079376E3CA969EB7C8
                                SHA-512:A687C3C01E0D3D9D656A0FD9CAEE0BAE830E0B630C08037387EEE1520E64FB288D55315FE4E4E050B294BA91DE8F2BE4D605A0942A3F70C3622EB5D7CEB2CBDE
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7..7..7..7..7..7..7..7..7..7..7Rich..7........PE..L....+'].....................6......>P....... ..............................................................................PP..x....`...............P...`...p.......!............................................... ...............................text...\........................... ..h.rdata..H.... ......................@..H.data...@....@.......&..............@...INIT.........P.......(.............. ..b.rsrc........`.......4..............@..B.reloc.......p.......:..............@..B................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):237808
                                Entropy (8bit):6.4733574762486885
                                Encrypted:false
                                SSDEEP:3072:equVkUSvUtN9pY5JmUI4+hbtYekXFoX/W/IV29B1ZKaDx7VUx3zRT9QZog9NSF:e6UdtN9RkXFoX3V6BCadctmmHF
                                MD5:11C6DA2B3CC3A247D7115B3E53CD35CC
                                SHA1:9F473F33761DCD5BD312EA5A774BE3B019621FF9
                                SHA-256:034FE8201FD72B39D5F35B59AF8F301813222FB9159DD8F9DB638F82E84333F2
                                SHA-512:B914F89C314F79E4807CE61CDFA5CF82B570E28B2499E194622A67FCB680F5E914089C680233E7C72255AB69D73D07DFA78DAFA39EDB85D62EF75CEC10598A31
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p.S.4.=Q4.=Q4.=Q=.Q5.=Q4.<Q_.=Q=.Q?.=Q=.Q7.=Q=.Q0.=Q=.Q].=Q=.Q5.=Q=.Q5.=QRich4.=Q........PE..d....+'].........."..........|......d`...............................................<.......................................................`..x....p..`....0...&...@...`...... ...P...................................................H............................text............................... ..h.rdata...B.......D..................@..H.data...`.... ......................@....pdata...&...0...(..................@..HINIT....Z....`.......&.............. ..b.rsrc........p.......4..............@..B.reloc...............:..............@..B........................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):888048
                                Entropy (8bit):7.999763743901625
                                Encrypted:true
                                SSDEEP:24576:SswcBlSP/G5BnbvFvWuwfdMhXIkjpIVVsM1Ok40YQLQz:iG5PvdrZIAIVKZk4FQLQz
                                MD5:E4A41DA40DE01AEDD59D2A49CE3ABB30
                                SHA1:C79E216B90893E455ABB2FE11CBFDEE3C5F979AD
                                SHA-256:33B7E13905739FCD02730BC82196AD831352BF2C4ACFECD78496F8FEC7239EB8
                                SHA-512:A1135EF8FE03868BEFA58F92A65483D7587614A23C394158764B962D82536D31A832B375138266F7DEAFCE8B2A3766A662E5E2D9C184EE73E8FC461DFF17D829
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):349216
                                Entropy (8bit):7.9994424256959515
                                Encrypted:true
                                SSDEEP:6144:as2gKc1+Yvf3rqOidtLuNQh7bYnb3e1aTckqdk23np2gU4zT7Uq2o9tv9PeNE:P1+6/+tuN8b00ndT3nNTr9P
                                MD5:C9E694592E01FC16D65F6AE3A07B6661
                                SHA1:A7C62D57FB9DAFE11E295EEA3B63BD72E8778291
                                SHA-256:15CF40279890D5E374C5A0BE9B6A393FCA6F077E763EB76A0A25480033DC4914
                                SHA-512:5F72854783AA787C6C3ED4C4CAFF1C7DC740FC724FE56A5CA787F85B0051350505E453B00CFF0C1B713E8CC4660678C7AAD952E275FA5171702324A6DFAD5D01
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):752336
                                Entropy (8bit):7.999722476182654
                                Encrypted:true
                                SSDEEP:12288:23bAFm05XMdVw6yV6X8BoIkks/LdWnJOCP5U8CJPdb8IxR6AMl26aFDAO/ZFX:bT5X0Vw6yQAoIADdKJO+5U8CJPdwIX66
                                MD5:82F4457C9F4A5B37B0218593CBF51767
                                SHA1:E270FA14455AB2C6D6E53E24DA2E0380AE0B3488
                                SHA-256:A263784D70A94712DB3DA50DFBE762FEDAF0CCFB8BA54F128467F1B6B98F8C85
                                SHA-512:60AB06BDD7CB050CE421A7ED66204BFB43B18726ACD9AAA659FDA47F2CAFD7D773058F05A28CC328267F31B4D549B336A71BDBAEFEBBA99985A52A6EFAC156CD
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1266
                                Entropy (8bit):4.788676021239895
                                Encrypted:false
                                SSDEEP:24:sQmWrLE9mfPfidACTiZW/gl6W/+L85HPZaIJPFfwLoPRZDjQOLIRaQLWfCIeLDR7:sMrLe/CC+t61L8xPZaIJPV1NmhIqmvu1
                                MD5:CC950004F5BEE0C5242D7F6471165E75
                                SHA1:9C8641708400A0233C1C787C40147D6A7B7C2A14
                                SHA-256:6CDE65F3E7493CAD425BCB5109524CAC2621E83BFE14D526885589047BB65720
                                SHA-512:9A0C1AAA6182CEFD4B8644C9466F236F2ACC14A4E4EAA6F38D81A765D7538D27AE2C677FA024F9FC3D197051BB5DF5584BF694E329E9AF55B9ECBB636F273E93
                                Malicious:false
                                Preview:<?xml version="1.0" ?>.. <dpinst>.... The following search and subDirectory elements direct.. DPInst to search all subdirectories (in the root.. directory that contains DPInst.exe) to locate driver.. packages. -->.. <search>.. <subDirectory>.</subDirectory>.. </search>.... The following language element localizes its child elements.. for the English (Standard) language. The child elements.. customize the text that appears on the DPInst wizard pages. -->.. <language code="0x0409">.. <dpinstTitle>DisplayLink Installer</dpinstTitle>.. <welcomeTitle>Welcome to the DisplayLink Installer!</welcomeTitle>.. <welcomeIntro>This wizard will walk you through installing or updating the driver for your DisplayLink device.</welcomeIntro>.. <installHeaderTitle>Installing the software for your DisplayLink device...</installHeaderTitle>.. <finishTitle>Congratulations! You have finished installing your DisplayLink device.</finishTitle>..
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):56778
                                Entropy (8bit):5.223715380209655
                                Encrypted:false
                                SSDEEP:192:/a7wxRg2/taontFwL8qXcZbv2NpJCzg/4bEl5nqQjZ8q2rFEEPLOyBmE4wzHLOKk:BJtFCRXZp+lrK9M3rPFRHR1ltxzu
                                MD5:DE78B1D44CE14FA1C5D45225323B56FD
                                SHA1:BDA52AB7F8525007544D25B15574063A91BD68FF
                                SHA-256:186C32442A423474D45AD050BCAE56F38D514BC3B0C36A1AD47895B2D8F9B378
                                SHA-512:3CB6F37C3F9D957ACF01E0164B8ED87B5D6C129EB9DFFC83F9BA87844F61D01FA1BA91BDC23DDE8B50DE5EC1A589A972259DE27B271059C655AA4AF896E28E89
                                Malicious:false
                                Preview:0.....*.H.........0.....1.0...`.H.e......0.....+.....7......0...0...+.....7.....F...8UG...>.J"..211007225007Z0...+.....7.....0..I0....R3.A.C.4.7.A.7.A.1.3.6.6.F.5.C.0.C.D.B.8.C.4.8.3.1.7.2.6.4.9.E.0.B.F.9.5.3.C.0.3...1..G0@..+.....7...1200...F.i.l.e........d.l.u.s.b.a.u.d.i.o...i.n.f...0E..+.....7...17050...+.....7.......0!0...+........:.zz.f.....&I.<.0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R4.E.9.A.6.6.3.6.6.F.B.E.9.2.1.B.8.9.D.A.D.D.3.5.4.2.4.5.8.E.A.9.1.C.2.6.0.C.0.8...1...04..+.....7...1&0$...D.R.M.L.e.v.e.l........1.3.0.0...0@..+.....7...1200...F.i.l.e........d.l.u.s.b.a.u.d.i.o...s.y.s...0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0..y..+.....7...1..i0..e0..>..+.....7...0.....
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):126813
                                Entropy (8bit):5.287768025455325
                                Encrypted:false
                                SSDEEP:384:MBVJQ7BVJQnrx5A3drx5AfATM/NSeKzWqqp79y8Ao1yzU8OxipYde:MJwJ8/2/cATeSeKzWqq99y818Oxiade
                                MD5:4E408C8AAD29D03EA6CF3451C563472B
                                SHA1:3AC47A7A1366F5C0CDB8C483172649E0BF953C03
                                SHA-256:37F8141F17A88184F5DF26A68BA569E0DD3B008525512AC53458F81EFCB87139
                                SHA-512:AB8F7CE350104D88924B0BDEE54FE0B4A04879C195FCACFFA908B2EC87E72A215214061C1DF0D895CB7C0BE9286AB376ADE1512237D3CABE39688574E1F30CA8
                                Malicious:false
                                Preview:;..; DisplayLink USB Audio Adapter Driver..; Copyright (c) 2011 - 2021 DisplayLink (UK) Ltd...;....;******************************************************************************..; Version Section..;------------------------------------------------------------------------------..[Version]..Signature="$Windows NT$"..; 07/11/2019,1.55.0.0..DriverVer = 10/07/2021,10.2.6554.0..Provider=%S_Provider%..CatalogFile=%S_DriverName%.cat....Class=MEDIA..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}....[SignatureAttributes]..dlusbaudio.sys=SignatureAttributes.DRM..dlusbaudio_x64.sys=SignatureAttributes.DRM....[SignatureAttributes.DRM]..DRMLevel=1300......;******************************************************************************..; Manufacturer..;------------------------------------------------------------------------------..[Manufacturer]..; Windows from build 16288 will use inbox audio driver..%S_Mfg%=_Models, ntx86.10.0...16288, ntamd64.10.0...16288, ntx86, ntamd64......;*****************
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (native) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):176368
                                Entropy (8bit):6.633174130570561
                                Encrypted:false
                                SSDEEP:3072:2MRFxRfYLrOJfp9jfpR80ieWh19JBWdGFAgo5Vg9/rY:vTwLrMb5WP93q/g+mY
                                MD5:F5D75845F9719B78DC808473D5C27102
                                SHA1:5CA17DF42D2C6B075E7C391E96AFD221DC3534E0
                                SHA-256:AB4FD1C41A408DE8615B3B0D198410980573E3C97DD912079376E3CA969EB7C8
                                SHA-512:A687C3C01E0D3D9D656A0FD9CAEE0BAE830E0B630C08037387EEE1520E64FB288D55315FE4E4E050B294BA91DE8F2BE4D605A0942A3F70C3622EB5D7CEB2CBDE
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7..7..7..7..7..7..7..7..7..7..7Rich..7........PE..L....+'].....................6......>P....... ..............................................................................PP..x....`...............P...`...p.......!............................................... ...............................text...\........................... ..h.rdata..H.... ......................@..H.data...@....@.......&..............@...INIT.........P.......(.............. ..b.rsrc........`.......4..............@..B.reloc.......p.......:..............@..B................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):237808
                                Entropy (8bit):6.4733574762486885
                                Encrypted:false
                                SSDEEP:3072:equVkUSvUtN9pY5JmUI4+hbtYekXFoX/W/IV29B1ZKaDx7VUx3zRT9QZog9NSF:e6UdtN9RkXFoX3V6BCadctmmHF
                                MD5:11C6DA2B3CC3A247D7115B3E53CD35CC
                                SHA1:9F473F33761DCD5BD312EA5A774BE3B019621FF9
                                SHA-256:034FE8201FD72B39D5F35B59AF8F301813222FB9159DD8F9DB638F82E84333F2
                                SHA-512:B914F89C314F79E4807CE61CDFA5CF82B570E28B2499E194622A67FCB680F5E914089C680233E7C72255AB69D73D07DFA78DAFA39EDB85D62EF75CEC10598A31
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p.S.4.=Q4.=Q4.=Q=.Q5.=Q4.<Q_.=Q=.Q?.=Q=.Q7.=Q=.Q0.=Q=.Q].=Q=.Q5.=Q=.Q5.=QRich4.=Q........PE..d....+'].........."..........|......d`...............................................<.......................................................`..x....p..`....0...&...@...`...... ...P...................................................H............................text............................... ..h.rdata...B.......D..................@..H.data...`.... ......................@....pdata...&...0...(..................@..HINIT....Z....`.......&.............. ..b.rsrc........p.......4..............@..B.reloc...............:..............@..B........................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):922176
                                Entropy (8bit):5.6988225484803525
                                Encrypted:false
                                SSDEEP:6144:9ZtaKSpwmx5ATm/LC3fwf3OoU9xkYSr/mdBTRhKWIjsRP/1HHm/hHAM8i6r+LyIH:9ZxSpwmxvL/f3vCN1PMaLi6rAyIQjm
                                MD5:E6213CEC602F332BF8E868B7B8BF2BB1
                                SHA1:593775390B8A474A0BDB8A49B5D26B50B6E3CACE
                                SHA-256:4478F6FCFD2FC9BE012668592BFBF6838A115D983F9D30171669B20CAFE529B9
                                SHA-512:24F96CD7A5043547997167F46C32381CA86932FE7D3A9CF32EDD72E7A0CC0FA165152246DA913C56D124D1F821E00F09872AA0E3DFF23B655E83D9676E14482F
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p..o4..<4..<4..<=.`<"..<=.v<...<=.f<)..<4..<@..<=.q<o..<=.a<5..<=.d<5..<Rich4..<................PE..L......J................. ..........j........0...............................0......)y....@...... ..............................,....p..lY..............@.......XC...................................=..@...............L............................text............ .................. ..`.data...`>...0.......$..............@....rsrc....`...p...Z...<..............@..@.reloc..._.......`..................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):1047632
                                Entropy (8bit):5.609497799841998
                                Encrypted:false
                                SSDEEP:6144:ZsSOzpPId26dQcEaUrPvwgwkRVagRoDHTj8K1sqI6VLp4XOigSbduP/1HHm/hHAW:zIId79EaUTvwieMozMEcOigSpuPMaLiD
                                MD5:AA0A91227631A09CD075D315646FB7A9
                                SHA1:C0B86C4D6F1E05B842573081BCC7754FCBCAF5BB
                                SHA-256:C20A5D3F5BE543A8E73CD25F9DBF14AA0FC4BA1FDC249EE4FF91D159D174D0EA
                                SHA-512:685AE6A514128EEFE8FEE6CB9E456EA584B91358090DFFB41205AB2A2F37E91B4007E6745CCB1E29BC42D191CDB651337C7CA3CF29EF31E8D1AEEA56AF34C2C4
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g9I.#X'.#X'.#X'.* ..!X'.* ..7X'.* ..<X'.#X&.Y'.* ..fX'.* ...X'...Y."X'.* .."X'.* .."X'.Rich#X'.................PE..d......J..........".......................................................................@.......... ......................................H...@.......pY...0..\m......P............................................................................................text............................... ..`.data... ...........................@....pdata..\m...0...n..................@..@.rsrc....`.......Z...v..............@..@.reloc..<...........................@..B........................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1266
                                Entropy (8bit):4.788676021239895
                                Encrypted:false
                                SSDEEP:24:sQmWrLE9mfPfidACTiZW/gl6W/+L85HPZaIJPFfwLoPRZDjQOLIRaQLWfCIeLDR7:sMrLe/CC+t61L8xPZaIJPV1NmhIqmvu1
                                MD5:CC950004F5BEE0C5242D7F6471165E75
                                SHA1:9C8641708400A0233C1C787C40147D6A7B7C2A14
                                SHA-256:6CDE65F3E7493CAD425BCB5109524CAC2621E83BFE14D526885589047BB65720
                                SHA-512:9A0C1AAA6182CEFD4B8644C9466F236F2ACC14A4E4EAA6F38D81A765D7538D27AE2C677FA024F9FC3D197051BB5DF5584BF694E329E9AF55B9ECBB636F273E93
                                Malicious:false
                                Preview:<?xml version="1.0" ?>.. <dpinst>.... The following search and subDirectory elements direct.. DPInst to search all subdirectories (in the root.. directory that contains DPInst.exe) to locate driver.. packages. -->.. <search>.. <subDirectory>.</subDirectory>.. </search>.... The following language element localizes its child elements.. for the English (Standard) language. The child elements.. customize the text that appears on the DPInst wizard pages. -->.. <language code="0x0409">.. <dpinstTitle>DisplayLink Installer</dpinstTitle>.. <welcomeTitle>Welcome to the DisplayLink Installer!</welcomeTitle>.. <welcomeIntro>This wizard will walk you through installing or updating the driver for your DisplayLink device.</welcomeIntro>.. <installHeaderTitle>Installing the software for your DisplayLink device...</installHeaderTitle>.. <finishTitle>Congratulations! You have finished installing your DisplayLink device.</finishTitle>..
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):22408528
                                Entropy (8bit):6.285253649965881
                                Encrypted:false
                                SSDEEP:196608:EdL5aBxbrfMGeLngRXtm3BySXK0w50BD3NGwDlM3sqQ8ndyXmX39FI:EdL4BxbYNnyQs05DA2e8qQeyW9FI
                                MD5:F30C4672C69CC5A4204A5C0638997FB5
                                SHA1:1810BFB086C75398B3D7E90366999410D5B7AD4A
                                SHA-256:6E50A6ADFB782161F38E80AB39E8C84FA278F49B8C35B0B5812327ED6762B165
                                SHA-512:AA0379EE30D70701BE019B871FA09B2E8837FBF290B05D6369F0047C0EE468792D09E8762DA6D571FB57EDA3D818B007138B40CACB5CC9EB4545E3D8F950079A
                                Malicious:false
                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........{..........D4.....D4..T...D4................................................S..........................Rich...........................PE..L...b.U[.................V..................p....@.................................TqV...@.....................................(....@..X.............U.PV...`..lQ......p................... ...........@............p..........`....................text....T.......V.................. ..`.rdata...M...p...N...Z..............@..@.data....p.......$..................@....rsrc...X....@......................@..@.reloc..lQ...`...R..................@..B........................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):22741944
                                Entropy (8bit):6.321401257406254
                                Encrypted:false
                                SSDEEP:196608:UdLc1lFY5W7E1cLyrKoeIaPf7o2lfe7CAO6NJQ/4Bvx/Cwc:UdL+YW7iRrbnaPf7bUX7LI4XCwc
                                MD5:BA7A6D3223756E7BB08E4117ECCA6DEB
                                SHA1:A36065FACC38A19C2CE39D3B9DE66CD99EDBFCBD
                                SHA-256:D73A933626F6466FC064F3A4F1098D79A8311A5EA587D2127350AEF8F742E15B
                                SHA-512:076AAEA8D48A0C59569B15A67A6F0A7A72BC3CCFCFF7B58B9426DE15D602F6C8EBE2AE1F985C8355A996B71C58C6ECC3FFA5E53C3BCFB4A1358EDF908A21BA2C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:Windows setup INFormation, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):392296
                                Entropy (8bit):5.12957699585389
                                Encrypted:false
                                SSDEEP:768:Rl5mary78hyOmoBV0ku0Vngi9e/0T1UNCHeGremoBV0ku0Vngi9e/0T1UNCHeGro:RZwOpV1llesSOZKpV1llesSOZk
                                MD5:7B8466EC604005617A8BDF175743696C
                                SHA1:12EBBEB7C53DC5F59D5C255DDE5ECDC01B550668
                                SHA-256:7E81F31A789AB01AE1F1DA9F16745A3A7DE1E741BE3579F06E4BBC2300CEA72C
                                SHA-512:98BA9CCD52E1904BEAE1FC429EA23BD5EB0B5EEFC5BFFBC27C805221EC773939BBB3A1A491B187852A86F735A335F873DB9812542D8FD2AA88BFEF5A191467F6
                                Malicious:false
                                Preview:;..; Installation inf for DisplayLink USB Display Adapters...; Copyright (c) 2013 - 2022 DisplayLink (UK) Ltd...;....;******************************************************************************..; Version section..;------------------------------------------------------------------------------..[Version]..Signature="$Windows NT$"..Provider=%S_Provider%..; 02/29/2016,2.91.0.0..DriverVer = 01/10/2022,10.2.6709.0..CatalogFile=DisplayLinkUsb.cat....Class=USB Display Adapters..ClassGUID={3376F4CE-FF8D-40a2-A80F-BB4359D1415C}....;******************************************************************************..; Class Install section (optional)..;------------------------------------------------------------------------------..[ClassInstall32]..AddReg=_AddReg_ClassInstall....[_AddReg_ClassInstall]..HKR,,,,"USB Display Adapters"..HKR,,Icon,,"-20"....;******************************************************************************..; Options..;------------------------------------------------------
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):1886104
                                Entropy (8bit):6.48531373661134
                                Encrypted:false
                                SSDEEP:49152:u4EJBLSQnA74J7nZtgl2NfylYaTsHBrflLF1L/s2UyqS0b:u4EjSQA746lYaTsdflL/sD
                                MD5:778D42246CE17A6390D39FBC69FAE206
                                SHA1:D014BDC3BE2434BF8388DF6875859B3AF1FC3E6D
                                SHA-256:C29562A6F15FA7BFD89DB967639D55CF9D3EEA82F7467FBA6EF8C995072846E7
                                SHA-512:8930F89FD5048DBF4FFF8FE9E9A4102A60A29F24D0580DF9ECDD2CA89A049212BC9194790DAC30B04B18C522967DA572EAD9BA310C67D05C2FE7A19FDA75E4E5
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):2061720
                                Entropy (8bit):6.3978210549124075
                                Encrypted:false
                                SSDEEP:24576:wt9V5yzwfHfkHhbHpv82gLujgvemcxqp0p2qZt/0zwd3L6CFdYhk:wt9V5yzw3ahrpk2gLemwqp0p2qPw1hk
                                MD5:A83EF52645E09774F557A55038ACE822
                                SHA1:59705E9F864D705AB50C061F820A79CAD75FD139
                                SHA-256:DDEE72C9F9993FFAFC2E77A6A6782BCF4D01742BAB33A2AB3B588BF8A96088A7
                                SHA-512:8096157D87F7668B15BFB9BE03E820B7AF8DDF0AF8AC6EF527538D997A07EEBCD42D12ADEB5278C1CE3D79491A4C8B24732495BFF0F89472446A9AC73186086C
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32 executable (native) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):49344
                                Entropy (8bit):6.8511781667838845
                                Encrypted:false
                                SSDEEP:1536:Cay3x8svrxBW+B+jPsxOCe3notPg2J/x:CN3x8svlBZB+IxOCe3nw
                                MD5:4E30CC314AC5E40FF839A8FF1BD37E24
                                SHA1:8C96CDF039ECF3C1DAADF251B23E352799D891FC
                                SHA-256:0B677BE83D8857EEDB4A1B0FB3256CB617DA79EB8816000EDC3EC1472EFD44AF
                                SHA-512:473CC0328FE9ECD984195AEC7D0F8B4C570AFFA7C3D481F2FBBAC37C6E08658FD45465FEA8F09809B988E046D3D29CF229D4B0DAFD89941A5B1396738EC8EBEF
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):58560
                                Entropy (8bit):6.594756192244668
                                Encrypted:false
                                SSDEEP:1536:7Z8PDGLQGvmuK3GyG0ekMziOCd1U6Ww2w/x:73LQLB3WHkkiOCdW6
                                MD5:894349CC299785796A831E7CCA341216
                                SHA1:3B22F41622E29E9F92BEFBA12814784AC3B3C2B3
                                SHA-256:A88DFAA656969139745225600093D0ED58051FAD9AB2057B045109C36F984AAD
                                SHA-512:16B126F56A7AED648BEA9E0ACB613BB6A66251FCFACAC72660D46969E1FFDCB34F32764E29F03364CBF03C8E36454F78749CCF695BD7B9FEF092A21E6EB5ED82
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):281492
                                Entropy (8bit):4.390015144880257
                                Encrypted:false
                                SSDEEP:1536:RJVR/lqHZioRO7MK6gOuGG+OmGQOpHFaG6+iGyJNRv1XpX1qHf3n/X//H/eA6IOG:g+
                                MD5:AA2815E66E470C47B6F155BC0F76C6C6
                                SHA1:1D41D175722ACB305AA8855F24FCA20FDE68C1C1
                                SHA-256:4D1C8247766E38704C426FC8855FE2D9D28CCFEA94942D001A13940249114C68
                                SHA-512:267B42DE7245C06CAB342E9EDA7EFEDB708EFA0F3A48E5077F9068B225094802034C1C799E230B13AD63998509661B1FF45D935D4B5EAB75F343C1C0DEF81CD2
                                Malicious:false
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):41935376
                                Entropy (8bit):7.999912839503517
                                Encrypted:true
                                SSDEEP:786432:UOCrlTT9N6E90Zc7kCgsd8gSyLcNzRDRhAVAnl/mWwgJCUmIRcdlKe3I5umo:OUEkhCZGgCFVTAVAnlnPJPmIRcVmo
                                MD5:36A497196AD65CDBD3A4F50B1760DED1
                                SHA1:B0F94B6923C3D0B282BBF456DDD0C45DFE622A57
                                SHA-256:D9715E20B2CAB49E58AAD7D0936D1580B89EBE4D4A5D73F87E6D134522C58D80
                                SHA-512:1640640734842FD6E56393D96D7F7284190D708771FE6F6C983E25FB668138AA314A8D1747FB4D2425465AD09FE8BBBB78964A69B59C2226D8CF90594F50DE48
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):265888
                                Entropy (8bit):6.57911361618338
                                Encrypted:false
                                SSDEEP:6144:PI9YEsyXz4ZnwQVx/QjrYAOX1RrEqFqQO:PvEsy0ZwQH4jkNjqv
                                MD5:6B2590DF5E5C28C0765161EA334108A5
                                SHA1:A7CA20E24B212B0BDB56DD9C692D3FCD946CA803
                                SHA-256:6DD214389728CA6D66E2A2DAF23A700060C0389447EABCBA8BE3157D2BDBFDB7
                                SHA-512:7D1126487395D9F44F0942D1CD465BAC0348841F76723B0C28C8B3D95F3B21EE7906533A5D2C37B185D734FF0416362EE37ECB6FC9A1329DB451CC32D0BC30EE
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):3561528
                                Entropy (8bit):6.302779949355829
                                Encrypted:false
                                SSDEEP:49152:wjLwLzixux9E7/3PauxNOGDQJKtWPO+YuSt1nRC0Vb:wfuzfPu8Jsd1j
                                MD5:04276A8401400CE3566EE8E3D5396ED3
                                SHA1:0F74DC7C7AA0C1B314C4F4E1B2054312B4735961
                                SHA-256:CBF18E8C21ECFDDA03569FD51780383F972C69A4F8B88BB9BD8418F2CD425DE9
                                SHA-512:09099D321704551BD168D79A1EC57FF516CF6EDC185DB2377FF437E189DA08711F933844B2814325DE2EEAF211BF23B1DB9595F1A925FC05BF6A1F214CE50D9D
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):265888
                                Entropy (8bit):6.57911361618338
                                Encrypted:false
                                SSDEEP:6144:PI9YEsyXz4ZnwQVx/QjrYAOX1RrEqFqQO:PvEsy0ZwQH4jkNjqv
                                MD5:6B2590DF5E5C28C0765161EA334108A5
                                SHA1:A7CA20E24B212B0BDB56DD9C692D3FCD946CA803
                                SHA-256:6DD214389728CA6D66E2A2DAF23A700060C0389447EABCBA8BE3157D2BDBFDB7
                                SHA-512:7D1126487395D9F44F0942D1CD465BAC0348841F76723B0C28C8B3D95F3B21EE7906533A5D2C37B185D734FF0416362EE37ECB6FC9A1329DB451CC32D0BC30EE
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z....b~..b~..b~......b~......b~......b~...}..b~...z.>b~...{.)b~......b~......b~..b..3c~._.w.Vb~._.~..b~._....b~..b...b~._.|..b~.Rich.b~.................PE..L..._.U[...........!.....X...........J.......p...............................0......h'....@.............................................0.......................t,......p........................... ...@............p...............................text...(V.......X.................. ..`.rdata...V...p...X...\..............@..@.data...............................@....rsrc...0...........................@..@.reloc..t,..........................@..B................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):265888
                                Entropy (8bit):6.57911361618338
                                Encrypted:false
                                SSDEEP:6144:PI9YEsyXz4ZnwQVx/QjrYAOX1RrEqFqQO:PvEsy0ZwQH4jkNjqv
                                MD5:6B2590DF5E5C28C0765161EA334108A5
                                SHA1:A7CA20E24B212B0BDB56DD9C692D3FCD946CA803
                                SHA-256:6DD214389728CA6D66E2A2DAF23A700060C0389447EABCBA8BE3157D2BDBFDB7
                                SHA-512:7D1126487395D9F44F0942D1CD465BAC0348841F76723B0C28C8B3D95F3B21EE7906533A5D2C37B185D734FF0416362EE37ECB6FC9A1329DB451CC32D0BC30EE
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z....b~..b~..b~......b~......b~......b~...}..b~...z.>b~...{.)b~......b~......b~..b..3c~._.w.Vb~._.~..b~._....b~..b...b~._.|..b~.Rich.b~.................PE..L..._.U[...........!.....X...........J.......p...............................0......h'....@.............................................0.......................t,......p........................... ...@............p...............................text...(V.......X.................. ..`.rdata...V...p...X...\..............@..@.data...............................@....rsrc...0...........................@..@.reloc..t,..........................@..B................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):265888
                                Entropy (8bit):6.57911361618338
                                Encrypted:false
                                SSDEEP:6144:PI9YEsyXz4ZnwQVx/QjrYAOX1RrEqFqQO:PvEsy0ZwQH4jkNjqv
                                MD5:6B2590DF5E5C28C0765161EA334108A5
                                SHA1:A7CA20E24B212B0BDB56DD9C692D3FCD946CA803
                                SHA-256:6DD214389728CA6D66E2A2DAF23A700060C0389447EABCBA8BE3157D2BDBFDB7
                                SHA-512:7D1126487395D9F44F0942D1CD465BAC0348841F76723B0C28C8B3D95F3B21EE7906533A5D2C37B185D734FF0416362EE37ECB6FC9A1329DB451CC32D0BC30EE
                                Malicious:false
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z....b~..b~..b~......b~......b~......b~...}..b~...z.>b~...{.)b~......b~......b~..b..3c~._.w.Vb~._.~..b~._....b~..b...b~._.|..b~.Rich.b~.................PE..L..._.U[...........!.....X...........J.......p...............................0......h'....@.............................................0.......................t,......p........................... ...@............p...............................text...(V.......X.................. ..`.rdata...V...p...X...\..............@..@.data...............................@....rsrc...0...........................@..@.reloc..t,..........................@..B................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):3561528
                                Entropy (8bit):6.302779949355829
                                Encrypted:false
                                SSDEEP:49152:wjLwLzixux9E7/3PauxNOGDQJKtWPO+YuSt1nRC0Vb:wfuzfPu8Jsd1j
                                MD5:04276A8401400CE3566EE8E3D5396ED3
                                SHA1:0F74DC7C7AA0C1B314C4F4E1B2054312B4735961
                                SHA-256:CBF18E8C21ECFDDA03569FD51780383F972C69A4F8B88BB9BD8418F2CD425DE9
                                SHA-512:09099D321704551BD168D79A1EC57FF516CF6EDC185DB2377FF437E189DA08711F933844B2814325DE2EEAF211BF23B1DB9595F1A925FC05BF6A1F214CE50D9D
                                Malicious:false
                                Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........E`..+3..+3..+3.(2..+3..2p.+3`./2..+3`.(2..+3...2..+3)./2..+3)..2..+3.,2..+3./2..+3...3..+3...3..+3`..2".+3.*2..+3..*3..+3)."2..+3).+2..+3)..3..+3..3..+3).)2..+3Rich..+3........PE..d...w..a.........." ......#..................................................p7.......6...`...........................................,......#,.@....@/.......-..b...86.8 ...@7.T+....'.p................... .'.(....&...............#.......,.@....................text....#.......#................. ..`.rdata..*.....#.......#.............@..@.data....m...P,..v...<,.............@....pdata...b....-..d....,.............@..@_RDATA.......0/.....................@..@.rsrc........@/.....................@..@.reloc..T+...@7..,....6.............@..B................................................................................................................................................
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):265888
                                Entropy (8bit):6.57911361618338
                                Encrypted:false
                                SSDEEP:6144:PI9YEsyXz4ZnwQVx/QjrYAOX1RrEqFqQO:PvEsy0ZwQH4jkNjqv
                                MD5:6B2590DF5E5C28C0765161EA334108A5
                                SHA1:A7CA20E24B212B0BDB56DD9C692D3FCD946CA803
                                SHA-256:6DD214389728CA6D66E2A2DAF23A700060C0389447EABCBA8BE3157D2BDBFDB7
                                SHA-512:7D1126487395D9F44F0942D1CD465BAC0348841F76723B0C28C8B3D95F3B21EE7906533A5D2C37B185D734FF0416362EE37ECB6FC9A1329DB451CC32D0BC30EE
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):179360
                                Entropy (8bit):6.66273052333922
                                Encrypted:false
                                SSDEEP:3072:C6g9WJSimJWLHKfo9m/sxfA+mPWAg0Fub/8drAAAAAAArK/9R:B2imTfootuAODUAAAAAAArUT
                                MD5:47F84947E6374F8707129C36833212D5
                                SHA1:A317BCC7368756101519E28F8036104A6022766F
                                SHA-256:B79DD5190E2C885F12CF54DCF0BB0AFC72CEA4FFCB21376685F028D235F9771E
                                SHA-512:48788FE16986E30C03D465BD5C088B02CFBCD0851DA7AE7BB27F08BFA6E1C2FA6FA7FA1F946B803E36D12F9BD568E146E7911F185CA187B816F39C38D4230888
                                Malicious:false
                                Process:C:\Windows\SysWOW64\msiexec.exe
                                File Type:HTML document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):713
                                Entropy (8bit):4.795268611747226
                                Encrypted:false
                                SSDEEP:12:bHj9/RFzHFbqlYJjyT9LLmuMD3w0rXjBeZQYvwKG4JGH0dKDDRRGfNHMbb:bzhApPARrXjEqYvJ2UdKfRRGRM/
                                MD5:6442B834BE3353ED06D861117F4A5C23
                                SHA1:B7B9C1A131F267F0858B853A4BF9321028C559D2
                                SHA-256:3834B5A4B896AECF24D2E73E1C7232C0E623E9B3A1F2A17CBCE34922FA541CA7
                                SHA-512:7FC52A6737EC47AE8A5DD29B8FAA13CD01170EBD7BE8A0532EFB681C2ED9A4145DD979EE282FB8964AE731BE2C91575DBD98AA3EE6DE11249252AC9734F6777D
                                Malicious:false
                                Preview:<html>.. <style type="text/css">.. body {.. margin: 0px;.. border: 0px;.. }.. .. #banner {.. width: 100%;.. height: 100%;.. }.. </style>.. .. <body onLoad="initPage();">.. <img src="" id="banner">.. </body>.. .. <script TYPE="text/javascript">.. function initPage().. {.. replaceBanner();.. setTimeout(function(){ replaceBanner(); }, 1000);.. }.... function replaceBanner() {.. var brandingBanner = external.MsiGetProperty("DL_BRANDING_BANNER");.. if (brandingBanner != null && brandingBanner != "" && brandingBanner != "0") {.. document.getElementById("banner").src = brandingBanner;.. }.. }.. </script>..</html>
                                Process:C:\Windows\SysWOW64\msiexec.exe
                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):1529912
                                Entropy (8bit):6.416384181489552
                                Encrypted:false
                                SSDEEP:24576:M2F1t6lko+b1dXXuyz3r/Y5YVYtTix2Zmj0OipG6YesZsG:/1t6Go+pdXXdz3rQ5YV2ixAmYJpG7
                                MD5:A28D0DA2C620E6AF46DC6E29FFC388A3
                                SHA1:E5FC4D005E93398CDD0AC092E47A9F6E687BDF41
                                SHA-256:6636420E3416F87C31EC452545A3C79138B6B4E051FB7759CA6FB5F72FD81150
                                SHA-512:09783D55BEAB5E56FEF9C101C7DCC1090116783A4483A9F8F9DB18BBE5BF1DA142DDB623A4235FD35CF5CE28492EECE066997557450D2A8C276711FD3A8577C9
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):3440640
                                Entropy (8bit):6.332754172601424
                                Encrypted:false
                                SSDEEP:49152:iGfM3glOz6pNbH2qLG1cWJ2asQceg4LApnrkLgQ63lOT0q4Fn6rmLn:Lc3wFeyCulhqUn
                                MD5:59A74284EACB95118CEDD7505F55E38F
                                SHA1:ACDC28D6A1EF5C197DE614C46BA07AEAEB25B50B
                                SHA-256:7C8EA70CA8EFB47632665833A6900E8F2836945AA80828B30DA73FBF4FCAF4F5
                                SHA-512:E69A82ADC2D13B413C0689E9BF281704A5EF3350694690BA6F3FE20DA0F66396245B9756D52C37166013F971C79C124436600C373544321A44D71F75A16A2B6A
                                Malicious:false
                                Process:C:\Windows\SysWOW64\msiexec.exe
                                File Type:HTML document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2483
                                Entropy (8bit):4.467732460136009
                                Encrypted:false
                                SSDEEP:48:pJmsbZ6yOn3FBfXqfiwzIiOX69KAtXtx6tS8M:SsbZjO3FZXqfXzIbGWM
                                MD5:21778637A4157E9A24AA633A11FA0DD0
                                SHA1:D981CDF8CCB6D56C448E3EAE264BFBC610D20D3F
                                SHA-256:714FD6C38C9FD9C68BAE760906DCF7CF7FAD5408B0AFE83846E521B9FF64CCAB
                                SHA-512:1EFA034EC9A3B5682EE2E3031DBFF082757A7223B9646E3B95B794DB3663FBC8C82A2066AA8DC9FEDB536E680D30C5D1C882B376770021F9C821C8D8A78C2A32
                                Malicious:false
                                Preview:<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" >..<html>.. <head>.. <meta http-equiv="Content-Type" content="text/html;UTF-8"> .. <title>System Checks</title>.. <style type="text/css">.. body {.. margin: 0px;.. border: 0px;.. font-family: Corbel;.. font-size: 9pt;.. background-color: #FFFFFF;.. }.... p#title {.. font-weight: bold;.. }.... li.errorLi {.. list-style: circle;.. margin-bottom:10px;.. color: red;.. }.... li.warningLi {.. list-style: circle;.. margin-bottom:10px;.. color: orange;.. }.... li p.. {.. color: black;.. }.. </style>.. <script TYPE="text/javascript">.. function ini
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):370688
                                Entropy (8bit):2.923207248973534
                                Encrypted:false
                                SSDEEP:768:IXxvoRRRRRRRRjZKGlOJQaddd0J/lY2ehp6SUJwHc75W6jnrg:sUlxehp6nw8U4rg
                                MD5:DFA96F38D5105B650B4A5312590D98F6
                                SHA1:6C11233B7AC2740909D73645FAB2C2088824A244
                                SHA-256:BCACE435C26ACA220E9F4F0BFD9A812CE679EFEF341D1D6FB4A59822F3BA5B61
                                SHA-512:B3EFEFA819BAFE200B27C058B78AF47B862FF203EFA59A9A55E5268A6F45D1B8C42558E2516B854634C6A112408A67820D21A8BB72D0DA1540B01E95062427AA
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1251, Title: Installation Database, Subject: DisplayLink Graphics, Author: DisplayLink Corp., Keywords: Installer, MSI, Database, Comments: Installs DisplayLink Graphics., Create Time/Date: Fri Dec 11 11:47:46 2009, Name of Creating Application: Advanced Installer 15.1 build 1ac8a36b05, Security: 0, Template: x64;2057, Last Saved By: x64;1049, Revision Number: {312AEE13-2735-4088-B726-C3CA64D81215}10.2.6709.0;{3B719D3D-BF94-4CEF-80B9-2C1E4AEDE0AC}10.2.6709.0;{0AECE230-D5D2-4880-B3ED-F23905ED66A9}, Number of Pages: 200, Number of Characters: 63
                                Category:dropped
                                Size (bytes):11059712
                                Entropy (8bit):6.312294664571844
                                Encrypted:false
                                SSDEEP:
                                MD5:12529E3334449287500B2E462E525E28
                                SHA1:26F7EF14C19C8A0B63F6139ECAE1F2C443F8CA0E
                                SHA-256:8786664E76B6D3D039977BA0C52DAF5FFDAEDE0619A2B926B8A20A952F4C030D
                                SHA-512:05880DF25BD90AE07F0C0D8A961AEF9F3A6C2E4B4167D4584E2E61B3A5EBFA3E917E965991D0621D8360D106FE6AFC4ADD884F5E951DB6184EFFD0CAABF0E625
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):153088
                                Entropy (8bit):6.550143660306436
                                Encrypted:false
                                SSDEEP:
                                MD5:0D219A13EA4DB9FC7A9DED2E646EF6DC
                                SHA1:04E2284DE279B27A5935AF7A33A12B0E92D3A181
                                SHA-256:08E5EFFA4E03563DF4B418E859E5A05B8EDEE1D037E4A0E8947663667F8D9C03
                                SHA-512:38A5A463A8F80945F32579B6EDEA1422B599AF2B2760BEBB7908E46C95FE01D864D458AE48D85953DE6005D26A249CACCD061C55D8935906FC267BFFADF46FD7
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):17400854
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:
                                MD5:16CB84F98B9A21DBC47919339B55874E
                                SHA1:D46D6C5A14F60FFA3DB526F3E83CE3BB908525AE
                                SHA-256:7319E34403925D78A2B48470CDEF79DA8B51AFBE59456D7EC79DB45BEB889768
                                SHA-512:F7C27361E950C14FAED3EA3938DAB0EF6129B023E091E829DC46DDA7CF6B21A2BB1670D2415920E1937C5C54A65A6DB83E1D0F525975F6BDFFFB528D5A459211
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):241664
                                Entropy (8bit):5.481384191763515
                                Encrypted:false
                                SSDEEP:
                                MD5:86060E7D2C8D35CC3E081BDA7884A134
                                SHA1:77760DB2314427B4CF89EAD9304E5C69AB05304C
                                SHA-256:57CF3D9417698236A917D1C944987BD8076147C6C12FA0B9AE122683E8E06530
                                SHA-512:7A4E7932BA628C599250DB5EE870C3A20A0E2779E0661A737C0DBCBBDDB018CB07F42FA8A02CEA29B77D3513B2ADC2BF1D096A65EB54278C74BB51B51B271B00
                                Malicious:false
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5364
                                Entropy (8bit):3.1238070403290243
                                Encrypted:false
                                SSDEEP:
                                MD5:BFF3682F21C59F967E951032716CC0D0
                                SHA1:5A3DB81640DAC577F982C9A3DF36CE7E55E43627
                                SHA-256:811451F9A8E86C3D2DA7698DAEDCC5A6927713628123B5010C105B5ACA65349B
                                SHA-512:13771AF65622EA187042EA3A123315DB7C8876C9F5D37A9AFACC4EFFC804A6D8F8306284C1AAE392027F7CD9F4EA8750EF0FC9002FB4B740784BD4BD8228A106
                                Malicious:false
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):5180
                                Entropy (8bit):3.066382811152814
                                Encrypted:false
                                SSDEEP:
                                MD5:8A03613BB0DA48CEFCEABF1080DAEA9B
                                SHA1:AB70FF9C8E77427D2C4B2331220AFB9A1E2B8FF8
                                SHA-256:6364F2C49CC1377154442DEB886CE0FBE0DBB9AC531B4CCFB0460927DD8BA4AF
                                SHA-512:96EE693AB44EFC1DB19FD941067C2EBB7CCECE7DF9ED6F92C41F33E25B47DEB637E5F08ABE9468FB5CB7848C2C5C6A1F6D5063B8CF789A9CEDE21BADDB23E53A
                                Malicious:false
                                Process:C:\Users\user\Desktop\Setup.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):6284
                                Entropy (8bit):3.229401916447362
                                Encrypted:false
                                SSDEEP:
                                MD5:5263CFAC4DDFB9C99EDB3D88A18EC667
                                SHA1:4FB05127272EA6246E68C346D88D5D80B948B83C
                                SHA-256:2407E7E93C9EB8B5219CCB7BC9F2BF07FBB8C2234808EB92CC0FFA904793F07C
                                SHA-512:79B22562731F385EFD994718A09D8F7CA6760621E9D6C0D8809C439ADC3B07A30B702BF95C9EF2655C3ACEF07DE2BCF0B22944CD508B8E3B982A33E5A2437B8B
                                Malicious:false
                                Process:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2084
                                Entropy (8bit):5.271022603090197
                                Encrypted:false
                                SSDEEP:
                                MD5:85D14D8F05739A205A6B7C96F272D860
                                SHA1:9785DEBAEC6F344E877F9F8A7AA349F3E14B20F1
                                SHA-256:490040C156D3BFC1047C8574A7AF9EAD20D26BCB335356DDC04AE5B32B062C52
                                SHA-512:473C7648DBBAF1BDE78336D28DA17E9661D59C9657B5E370AC4D59E62737E85EBECE7577CAEBEB986553EC5A963152018A2D9F92C341907112291A7A17F0D12E
                                Malicious:false
                                Preview:..7-Zip SFX 4.57 Copyright (c) 1999-2007 Igor Pavlov 2007-12-06....Processing archive: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe....Extracting NIVO\DisplayLinkCore.dat..Extracting NIVO\DisplayLinkCore64.dat..Extracting DL-USBNET-NCM\x64\dl-usbnet-ncm.cat..Extracting DL-USBNET-NCM\x64\dl-usbnet-ncm.inf..Extracting DL-USBNET-NCM\x64\DPInst.xml..Extracting DL-USBNET-NCM\x86\dl-usbnet-ncm.cat..Extracting DL-USBNET-NCM\x86\dl-usbnet-ncm.inf..Extracting DL-USBNET-NCM\x86\DPInst.xml..Extracting DLCDCNCM\dlcdcncm.cat..Extracting DLCDCNCM\DPInst.xml..Extracting DLIDUSB\x64\DPInst.xml..Extracting DLIDUSB\x86\DPInst.xml..Extracting DLUSBAUDIO\dlusbaudio.cat..Extracting DLUSBAUDIO\DPInst.xml..Extracting NIVO\DPInst.xml..Extracting DLUSBAUDIO\dlusbaudio.inf..Extracting DLIDUSB\x64\dlidusb.cat..Extracting DLIDUSB\x64\firefly-monitor-release.spkg..Extracting DLIDUSB\x86\dlidusb.cat..Extracting DLIDUSB\x86\firefly-monitor-release.spkg..Extracting NIVO\DisplayLi
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.174300593530014
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:Setup.exe
                                File size:79416048
                                MD5:37c6031e6d7ed0910fab1ab8d18f76f4
                                SHA1:37e4ea50f7668a52abe951fb540c7ced71c6500a
                                SHA256:1200ec02f814bcd7a6de8035ec139548a80b628601b90f4a13a5b35cf976a4e0
                                SHA512:1cb9942c0b23cbbb289aef240a0a87897f5541330b50131d8a87fcc776fc94071af30e65cee72cebbe8df4159dece3cb4ceaa0613290e71f8c0dce9c60258c2f
                                SSDEEP:1572864:uUEkhCZGgCFVTAVAnlnPJPmIRcVm+dcOJ70ds3LDz:uUtCwfnxsHP
                                TLSH:A8080159A29E4A37E1F36E34C9FD82DA042ABD50CF605A4FA309F50F17B1941C87D72A
                                Icon Hash:417d632b2939415d
                                Entrypoint:0x4e944f
                                Entrypoint Section:.text
                                Digitally signed:true
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x61DCB48D [Mon Jan 10 22:34:53 2022 UTC]
                                TLS Callbacks:0x4e9c68, 0x4e9b7f
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:384b25d0ab5f94c6616ef62254c2934b
                                Signature Valid:true
                                Signature Issuer:CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
                                Signature Validation Error:The operation completed successfully
                                Error Number:0
                                Not Before, Not After
                                • 5/2/2019 5:00:00 PM 7/13/2022 5:00:00 AM
                                Subject Chain
                                • CN=DISPLAYLINK (UK) LIMITED, O=DISPLAYLINK (UK) LIMITED, L=Cambridge, C=GB, SERIALNUMBER=04811048, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
                                Version:3
                                Thumbprint MD5:0D5B1D63A98B8AE79E2853114FC4A769
                                Thumbprint SHA-1:BC59F06175DD978FA261989FB1D673D284D8432C
                                Thumbprint SHA-256:C1400A1DD753F57534E5F9DFB3DA619B0D89A456BE1986387C69456411D7F633
                                Serial:0DCAE65FEAC8DAD35AD3F9729044F0C4
                                Instruction
                                call 00007F99189B70E9h
                                jmp 00007F99189B5E2Fh
                                call 00007F99189B5FD7h
                                push 00000000h
                                call 00007F99189B5BB7h
                                pop ecx
                                test al, al
                                je 00007F99189B5FC0h
                                push 004E9502h
                                call 00007F99189B5D35h
                                pop ecx
                                xor eax, eax
                                ret
                                push 00000007h
                                call 00007F99189B6E15h
                                int3
                                push esi
                                push edi
                                push 00000FA0h
                                push 005BAE78h
                                call dword ptr [0056722Ch]
                                push 00574F00h
                                call dword ptr [005673ACh]
                                mov esi, eax
                                test esi, esi
                                jne 00007F99189B5FC3h
                                push 0058485Ch
                                call dword ptr [005673ACh]
                                mov esi, eax
                                test esi, esi
                                je 00007F99189B5FF8h
                                push 005721E4h
                                push esi
                                call dword ptr [00567384h]
                                push 005721C8h
                                push esi
                                mov edi, eax
                                call dword ptr [00567384h]
                                test edi, edi
                                je 00007F99189B5FC4h
                                test eax, eax
                                je 00007F99189B5FC0h
                                mov dword ptr [005BAE90h], edi
                                mov dword ptr [005BAE94h], eax
                                pop edi
                                pop esi
                                ret
                                xor eax, eax
                                push eax
                                push eax
                                push 00000001h
                                push eax
                                call dword ptr [005671F8h]
                                mov dword ptr [005BAE74h], eax
                                test eax, eax
                                jne 00007F99189B5F99h
                                push 00000007h
                                call 00007F99189B6D93h
                                int3
                                push 005BAE78h
                                call dword ptr [00567228h]
                                mov eax, dword ptr [005BAE74h]
                                test eax, eax
                                je 00007F99189B5FB9h
                                Programming Language:
                                • [C++] VS2003 (.NET) build 3077
                                • [ C ] VS2003 (.NET) build 3077
                                Name                                  Virtual Address  Virtual Size  Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x1b2a98         0xa0          .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1c8000         0x49eea60     .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x4bbae00        0x1cf0        .reloc
                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x4bb7000        0x14410       .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x189b70         0x70          .rdata
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_TLS             0x189be0         0x18          .rdata
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x182c90         0x40          .rdata
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IAT             0x167000         0x4c0         .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x1b271c         0x100         .rdata
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                Name    Virtual Address  Virtual Size  Raw Size   Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                .text   0x1000           0x165446      0x165600   False     0.434924525621   data       6.46032188249  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rdata  0x167000         0x4d7a0       0x4d800    False     0.393516885081   data       5.05136073643  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data   0x1b5000         0x12ae0       0x4a00     False     0.201541385135   data       4.44267625064  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                .rsrc   0x1c8000         0x49eea60     0x49eec00  unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc  0x4bb7000        0x14410       0x14600    False     0.559552338957   data       6.64662733117  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Name           RVA        Size       Type  Language  Country
                                EXE            0x1c9044   0x24       ASCII text, with no line terminators
                                EXE            0x1c9068   0x8ce      Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                EXE            0x1c9938   0x27fe210  PE32 executable (console) Intel 80386, for MS Windows
                                EXE            0x29c7b48  0x1063220  PE32 executable (GUI) Intel 80386, for MS Windows
                                EXE            0x3a2ad68  0x109b578  PE32 executable (GUI) Intel 80386, for MS Windows
                                EXE            0x4ac62e0  0x2866     Microsoft Cabinet archive data, 2366 bytes, 3 files
                                RT_BITMAP      0x4ac8b48  0x1714c    data
                                RT_ICON        0x4adfc94  0x32028    data
                                RT_ICON        0x4b11cbc  0xc828     data
                                RT_ICON        0x4b1e4e4  0x70a8     dBase IV DBT of \300.DBF, block length 27648, next free block index 40, next free block 4294967295, next used block 4294967295
                                RT_ICON        0x4b2558c  0x4ee8     data
                                RT_ICON        0x4b2a474  0x4048     data
                                RT_ICON        0x4b2e4bc  0x3228     dBase IV DBT of \200.DBF, blocks size 0, block length 12288, next free block index 40, next free block 4076469490, next used block 4243782140
                                RT_ICON        0x4b316e4  0x1ca8     data
                                RT_ICON        0x4b3338c  0xca8      dBase IV DBT of @.DBF, block length 3072, next free block index 40, next free block 4294967295, next used block 4294967295
                                RT_ICON        0x4b34034  0x748      data
                                RT_ICON        0x4b3477c  0x368      GLS_BINARY_LSB_FIRST
                                RT_ICON        0x4b34ae4  0x32028    data
                                RT_ICON        0x4b66b0c  0xc828     data
                                RT_ICON        0x4b73334  0x70a8     dBase IV DBT of \300.DBF, block length 27648, next free block index 40, next free block 4294967295, next used block 4294967295
                                RT_ICON        0x4b7a3dc  0x4ee8     data
                                RT_ICON        0x4b7f2c4  0x4048     data
                                RT_ICON        0x4b8330c  0x3228     dBase IV DBT of \200.DBF, blocks size 0, block length 12288, next free block index 40, next free block 4076469490, next used block 4243782140
                                RT_ICON        0x4b86534  0x1ca8     data
                                RT_ICON        0x4b881dc  0xca8      dBase IV DBT of @.DBF, block length 3072, next free block index 40, next free block 4294967295, next used block 4294967295
                                RT_ICON        0x4b88e84  0x748      data
                                RT_ICON        0x4b895cc  0x368      GLS_BINARY_LSB_FIRST
                                RT_DIALOG      0x4b89934  0xb8       data
                                RT_DIALOG      0x4b899ec  0x264      data
                                RT_DIALOG      0x4b89c50  0x2d4      data
                                RT_DIALOG      0x4b89f24  0x254      data
                                RT_STRING      0x4b8a178  0x106      data
                                RT_STRING      0x4b8a280  0x41e      data
                                RT_STRING      0x4b8a6a0  0x3bc      data
                                RT_STRING      0x4b8aa5c  0x43a      data
                                RT_STRING      0x4b8ae98  0x44c      data
                                RT_STRING      0x4b8b2e4  0x43c      data
                                RT_STRING      0x4b8b720  0x50c      data
                                RT_STRING      0x4b8bc2c  0x4d0      data
                                RT_STRING      0x4b8c0fc  0x456      data
                                RT_STRING      0x4b8c554  0x3a0      data
                                RT_STRING      0x4b8c8f4  0x4ba      data
                                RT_STRING      0x4b8cdb0  0x456      data
                                RT_STRING      0x4b8d208  0x47a      data
                                RT_STRING      0x4b8d684  0x2ac      data
                                RT_STRING      0x4b8d930  0x2d0      data
                                RT_STRING      0x4b8dc00  0x468      data
                                RT_STRING      0x4b8e068  0x4c2      data
                                RT_STRING      0x4b8e52c  0x46a      data
                                RT_STRING      0x4b8e998  0x476      data
                                RT_STRING      0x4b8ee10  0x49e      data
                                RT_STRING      0x4b8f2b0  0x418      data
                                RT_STRING      0x4b8f6c8  0x442      data
                                RT_STRING      0x4b8fb0c  0x424      data
                                RT_STRING      0x4b8ff30  0x42c      data
                                RT_STRING      0x4b9035c  0x436      data
                                RT_STRING      0x4b90794  0x442      data  Norwegian  Norway
                                RT_STRING      0x4b90bd8  0x1d2      data  Chinese  China
                                RT_STRING      0x4b90dac  0x20c      data
                                RT_STRING      0x4b90fb8  0x35c      data
                                RT_STRING      0x4b91314  0x322      data
                                RT_STRING      0x4b91638  0x3fa      data
                                RT_STRING      0x4b91a34  0x3a8      data
                                RT_STRING      0x4b91ddc  0x3ce      data
                                RT_STRING      0x4b921ac  0x3de      data
                                RT_STRING      0x4b9258c  0x428      data
                                RT_STRING      0x4b929b4  0x466      data
                                RT_STRING      0x4b92e1c  0x362      data
                                RT_STRING      0x4b93180  0x3b2      data
                                RT_STRING      0x4b93534  0x3f4      data
                                RT_STRING      0x4b93928  0x424      data
                                RT_STRING      0x4b93d4c  0x21e      data
                                RT_STRING      0x4b93f6c  0x220      data
                                RT_STRING      0x4b9418c  0x430      data
                                RT_STRING      0x4b945bc  0x3a0      data
                                RT_STRING      0x4b9495c  0x46a      data
                                RT_STRING      0x4b94dc8  0x3ba      data
                                RT_STRING      0x4b95184  0x422      data
                                RT_STRING      0x4b955a8  0x3e8      data
                                RT_STRING      0x4b95990  0x3d4      data
                                RT_STRING      0x4b95d64  0x3b0      data
                                RT_STRING      0x4b96114  0x3b8      data
                                RT_STRING      0x4b964cc  0x43c      data
                                RT_STRING      0x4b96908  0x35c      data  English  United States
                                RT_STRING      0x4b96c64  0x3c8      data  Norwegian  Norway
                                RT_STRING      0x4b9702c  0x170      data  Chinese  China
                                RT_STRING      0x4b9719c  0x35c      data  English  Great Britain
                                RT_STRING      0x4b974f8  0x176      data
                                RT_STRING      0x4b97670  0x111e     data
                                RT_STRING      0x4b98790  0xf66      data
                                RT_STRING      0x4b996f8  0x11dc     data
                                RT_STRING      0x4b9a8d4  0x10c6     data
                                RT_STRING      0x4b9b99c  0x1230     data
                                RT_STRING      0x4b9cbcc  0x138a     data
                                RT_STRING      0x4b9df58  0x140a     data
                                RT_STRING      0x4b9f364  0x128a     data
                                RT_STRING      0x4ba05f0  0x1130     data
                                RT_STRING      0x4ba1720  0x13fe     data
                                RT_STRING      0x4ba2b20  0x1148     data
                                RT_STRING      0x4ba3c68  0x1334     data
                                RT_STRING      0x4ba4f9c  0xbe4      data
                                RT_STRING      0x4ba5b80  0xb50      data
                                RT_STRING      0x4ba66d0  0x12b4     data
                                RT_STRING      0x4ba7984  0x137c     data
                                RT_STRING      0x4ba8d00  0x1294     data
                                RT_STRING      0x4ba9f94  0x116a     data
                                RT_STRING      0x4bab100  0x11cc     data
                                RT_STRING      0x4bac2cc  0x111c     data
                                RT_STRING      0x4bad3e8  0x1258     data
                                RT_STRING      0x4bae640  0x10ce     data
                                RT_STRING      0x4baf710  0x11ae     data
                                RT_STRING      0x4bb08c0  0x12dc     data
                                RT_STRING      0x4bb1b9c  0x111e     data  English  United States
                                RT_STRING      0x4bb2cbc  0x1180     data  Norwegian  Norway
                                RT_STRING      0x4bb3e3c  0x886      data  Chinese  China
                                RT_STRING      0x4bb46c4  0x111e     data  English  Great Britain
                                RT_STRING      0x4bb57e4  0x8c4      data
                                RT_RCDATA      0x4bb60a8  0x11b      data
                                RT_GROUP_ICON  0x4bb61c4  0x92       data
                                RT_GROUP_ICON  0x4bb6258  0x92       data
                                RT_VERSION     0x4bb62ec  0x384      data
                                RT_MANIFEST    0x4bb6670  0x3f0      XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators  English  United States
                                DLL           Import
                                KERNEL32.dll  GetSystemInfo, CreateProcessA, CreateToolhelp32Snapshot, Process32First, Process32Next, InitializeCriticalSection, FindResourceExW, GetModuleHandleA, LocalFree, FormatMessageA, FormatMessageW, IsValidLocale, GetUserDefaultUILanguage, SetLastError, GetStdHandle, CreateDirectoryW, DeleteFileW, GetFileAttributesW, GetFullPathNameW, GetTempFileNameW, SetFileAttributesW, GetTempPathW, WaitForSingleObject, Sleep, GetCurrentProcessId, GetExitCodeProcess, CreateProcessW, OpenProcess, MoveFileW, GetTickCount, CloseHandle, RaiseException, CreateThread, GetCurrentThread, SetThreadPriority, ResumeThread, ExpandEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetCurrentProcess, GetSystemDirectoryW, GetSystemWindowsDirectoryW, GetSystemWow64DirectoryW, FreeLibrary, GetModuleFileNameW, GetModuleHandleExW, LoadLibraryExA, LocalAlloc, VerSetConditionMask, GetVersionExA, GetProductInfo, IsWow64Process, VerifyVersionInfoW, QueryPerformanceFrequency, CreateFileA, IsDebuggerPresent, GetCurrentThreadId, GetLocalTime, CreateFileW, GetTempPathA, GetModuleFileNameA, FindFirstFileA, FindNextFileA, OutputDebugStringA, DeviceIoControl, FileTimeToSystemTime, GetVersionExW, LoadLibraryExW, GetEnvironmentVariableW, CreateEventW, WaitForMultipleObjects, WriteFile, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, WaitForSingleObjectEx, SwitchToThread, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, EncodePointer, DecodePointer, TryEnterCriticalSection, GetCPInfo, CompareStringW, LCMapStringW, GetLocaleInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, SetEvent, ResetEvent, GetStartupInfoW, InitializeSListHead, GetCurrentDirectoryW, RemoveDirectoryW, SetEndOfFile, SetFilePointerEx, CreateDirectoryExW, AreFileApisANSI, CreateTimerQueue, SignalObjectAndWait, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, GetThreadTimes, FreeLibraryAndExitThread, VirtualAlloc, VirtualProtect, VirtualFree, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, LoadLibraryW, RtlUnwind, VirtualQuery, ExitProcess, HeapAlloc, HeapFree, GetFileType, GetFileSizeEx, GetTimeZoneInformation, FlushFileBuffers, GetConsoleCP, GetConsoleMode, GetDateFormatW, GetTimeFormatW, GetUserDefaultLCID, EnumSystemLocalesW, ReadFile, ReadConsoleW, HeapReAlloc, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, HeapSize, WriteConsoleW, lstrcmpW, lstrcmpA, MoveFileExW, GetProcAddress, FindResourceW, LoadResource, LockResource, GetLastError, CreateMutexW, SizeofResource, OutputDebugStringW, CopyFileW, SetCurrentDirectoryW, GetModuleHandleW, QueryPerformanceCounter, GetBinaryTypeW
                                USER32.dll    GetSystemMetrics, SendNotifyMessageW, LoadCursorW, SetCursor, MessageBoxW, GetMessageW, CreateDialogParamW, PostMessageW, GetWindowRect, DestroyWindow, SendMessageW, SetWindowTextW, ShowWindow, IsWindow, OffsetRect, DispatchMessageW, IsDialogMessageW, CopyRect, TranslateMessage, GetDlgItem, GetDesktopWindow, SetWindowPos
                                ADVAPI32.dll  CreateProcessAsUserW, OpenProcessToken, StartServiceA, QueryServiceConfigA, DeleteService, ControlService, DuplicateTokenEx, GetUserNameW, RegCloseKey, RegOpenUserClassesRoot, RegCreateKeyExW, RegDeleteValueW, RegEnumKeyW, RegFlushKey, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, CloseServiceHandle, RegEnumValueW, CheckTokenMembership, FreeSid, AllocateAndInitializeSid, OpenSCManagerA, RegEnumKeyA, InitiateSystemShutdownA, RegEnumValueA, RegEnumKeyExA, RegDeleteKeyA, RegOpenCurrentUser, RegSetValueExA, RegQueryValueExA, RegDeleteValueA, RegCreateKeyExA, ConvertSecurityDescriptorToStringSecurityDescriptorW, ConvertStringSidToSidA, ConvertSidToStringSidA, SetSecurityInfo, GetSecurityInfo, SetEntriesInAclA, CreateServiceW, LookupPrivilegeValueA, LookupAccountSidA, RevertToSelf, ImpersonateLoggedOnUser, GetTokenInformation, GetLengthSid, CopySid, AdjustTokenPrivileges, DuplicateToken, OpenThreadToken, SetThreadToken, ConvertStringSecurityDescriptorToSecurityDescriptorA, QueryServiceStatusEx, OpenServiceA
                                SETUPAPI.dll  SetupDiGetClassDevsA, SetupDiCallClassInstaller, SetupDiGetDeviceInstallParamsA, SetupDiSetClassInstallParamsA, SetupDiClassGuidsFromNameA, CM_Get_Device_IDA, CM_Get_DevNode_Status, SetupDiDestroyDeviceInfoList, SetupDiGetDeviceRegistryPropertyW, SetupDiGetDeviceInstanceIdW, SetupDiBuildDriverInfoList, SetupDiEnumDriverInfoA, SetupCopyOEMInfW, SetupDiGetINFClassW, SetupGetInfFileListW, SetupDiClassNameFromGuidW, CM_Locate_DevNodeA, CM_Get_Sibling, CM_Get_DevNode_Registry_PropertyA, CM_Get_Child, SetupDiSetDeviceInstallParamsA, SetupDiOpenDevRegKey, SetupDiGetDeviceInterfaceDetailA, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInstanceIdA, SetupDiGetDeviceRegistryPropertyA, SetupDiDeleteDevRegKey, SetupDiRemoveDevice, SetupDiGetClassDevsW, SetupDiDestroyDriverInfoList, SetupDiEnumDeviceInfo
                                SHLWAPI.dll   SHGetValueW, SHCopyKeyA, SHDeleteKeyA
                                SHELL32.dll   SHFileOperationW, ShellExecuteW
                                ole32.dll     CoCreateGuid, StringFromGUID2
                                Description       Data
                                LegalCopyright    Copyright (c) 2003 - 2022 DisplayLink Corp. All rights reserved.
                                InternalName      Setup
                                FileVersion       10, 2, 6751, 0
                                CompanyName       DisplayLink Corp.
                                ProductName       DisplayLink Core Software 10.2.6751.0
                                ProductVersion    10, 2, 6751, 0
                                FileDescription   Installs DisplayLink Software
                                OriginalFilename  Setup.exe
                                Translation       0x0809 0x04b0
                                Language of compilation system  Country where language is spoken
                                Norwegian                       Norway
                                Chinese                         China
                                English                         United States
                                English                         Great Britain
                                No network behavior found

                                Target ID:0
                                Start time:15:03:43
                                Start date:20/04/2022
                                Path:C:\Users\user\Desktop\Setup.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Setup.exe"
                                Imagebase:0x9d0000
                                File size:79416048 bytes
                                MD5 hash:37C6031E6D7ED0910FAB1AB8D18F76F4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low

                                Target ID:4
                                Start time:15:04:02
                                Start date:20/04/2022
                                Path:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\
                                Imagebase:0x400000
                                File size:41935376 bytes
                                MD5 hash:36A497196AD65CDBD3A4F50B1760DED1
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low

                                Target ID:6
                                Start time:15:04:03
                                Start date:20/04/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6406f0000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:16
                                Start time:15:05:10
                                Start date:20/04/2022
                                Path:C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
                                Wow64 process (32bit):true
                                Commandline:DLC3A4.exe /exelang 1033 ALLOW64BIT=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{08DDE00A-EEEA-416E-9E61-B9085D542140}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCABA.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC335A.LOG"
                                Imagebase:0x380000
                                File size:17413496 bytes
                                MD5 hash:F501A103478D855B0088A41117A4D4EC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 0%, ReversingLabs
                                Reputation:low

                                Target ID:19
                                Start time:15:05:23
                                Start date:20/04/2022
                                Path:C:\Windows\System32\msiexec.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\msiexec.exe /V
                                Imagebase:0x7ff774db0000
                                File size:66048 bytes
                                MD5 hash:4767B71A318E201188A0D0A420C8B608
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:21
                                Start time:15:05:26
                                Start date:20/04/2022
                                Path:C:\Windows\SysWOW64\msiexec.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding A63054042D1C239EA3B02585E95E450D C
                                Imagebase:0x840000
                                File size:59904 bytes
                                MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:22
                                Start time:15:05:28
                                Start date:20/04/2022
                                Path:C:\Windows\System32\msiexec.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\MsiExec.exe -Embedding A71763BA0B19F12D058A5205CCDD4884 C
                                Imagebase:0x7ff774db0000
                                File size:66048 bytes
                                MD5 hash:4767B71A318E201188A0D0A420C8B608
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                  Execution Graph

                                  Execution Coverage:18.2%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0.9%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:3
4069d7 13744->14324 13745->13729 14361 4091ba 13747->14361 13752 40b15f GetLastError 13753 40b16b 13752->13753 13755 401dbf 3 API calls 13753->13755 13754 40b200 14453 40541c fputs 13754->14453 14454 40548e fputc 13754->14454 13756 40b17d 13755->13756 13758 406f88 3 API calls 13756->13758 13757 40b209 14471 405205 free 13757->14471 13760 40b18f 13758->13760 13762 401e63 3 API calls 13760->13762 13761 40b1b4 13764 405898 ctype 6 API calls 13761->13764 13763 40b19c 13762->13763 14468 405205 free 13763->14468 13766 40b223 13764->13766 13768 405858 ctype free 13766->13768 13767 40b1a4 14469 405205 free 13767->14469 13768->13727 13770 40b1ac 14470 405205 free 13770->14470 13777 4058c1 7 API calls 13776->13777 13778 412d39 13777->13778 13778->12966 13779->12966 13781 40b8f8 __EH_prolog 13780->13781 13782 40247e 3 API calls 13781->13782 13783 40b942 13782->13783 13784 40247e 3 API calls 13783->13784 13785 40b957 13784->13785 13786 40247e 3 API calls 13785->13786 13787 40b96c 13786->13787 13788 40247e 3 API calls 13787->13788 13789 40b9b0 13788->13789 13790 4051de 2 API calls 13789->13790 13791 40b9dd 13790->13791 13791->12968 13793 403c91 __EH_prolog 13792->13793 13794 405898 ctype 6 API calls 13793->13794 13795 403cb5 13794->13795 13796 405858 ctype free 13795->13796 13797 403cc0 13796->13797 15602 405205 free 13797->15602 13799 403cc8 15603 405205 free 13799->15603 13801 403cd0 13801->13011 13802->13024 13803->13024 13804->13024 13805->13004 13806->13024 13807->13017 13808->13024 13809->13018 13810->13024 13812 40cb75 __EH_prolog 13811->13812 13813 4051de 2 API calls 13812->13813 13814 40cb8f 13813->13814 13815 40cba1 13814->13815 13852 40c8e9 13814->13852 13817 40247e 3 API calls 13815->13817 13818 40cbdb 13817->13818 13860 406ccc 13818->13860 13821 404e3b 3 API calls 13822 40cc01 13821->13822 13823 404e1a 3 API calls 13822->13823 13824 40cc14 13823->13824 13901 40ca75 13824->13901 13829 40cc7b 13954 406f88 13829->13954 13830 40cc4b 13951 405205 free 13830->13951 13833 
40cc53 13952 405205 free 13833->13952 13836 401cfc 7 API calls 13838 40cc99 13836->13838 13837 40cc5b 13953 405205 free 13837->13953 13964 405205 free 13838->13964 13841 40cc63 13841->13011 13842 40cca5 13843 40cce0 13842->13843 13844 406f88 3 API calls 13842->13844 13847 401cfc 7 API calls 13842->13847 13965 405205 free 13842->13965 13966 405205 free 13843->13966 13844->13842 13846 40ccfc 13967 405205 free 13846->13967 13847->13842 13849 40cd04 13853 40c8f3 __EH_prolog 13852->13853 13854 40247e 3 API calls 13853->13854 13855 40c92d 13854->13855 13856 401b29 3 API calls 13855->13856 13857 40c938 13856->13857 13858 40247e 3 API calls 13857->13858 13859 40c94e 13858->13859 13859->13815 13861 406cd6 __EH_prolog 13860->13861 13862 406d82 13861->13862 13863 406cf6 13861->13863 13864 404630 3 API calls 13862->13864 13865 406d0f GetFullPathNameW 13863->13865 13867 40247e 3 API calls 13863->13867 13866 406d95 13864->13866 13871 406d2e 13865->13871 13969 40686d 13866->13969 13867->13865 13871->13821 13874 406dcc 13875 406de1 13874->13875 13876 406dd1 13874->13876 13986 406ec3 13875->13986 13985 405205 free 13876->13985 13883 406e09 13993 406ea2 13883->13993 13886 40675e 6 API calls 13887 406e26 13886->13887 13996 405205 free 13887->13996 13889 406e32 13890 406f88 3 API calls 13889->13890 13891 406e49 13890->13891 13892 401e63 3 API calls 13891->13892 13893 406e55 13892->13893 13997 405205 free 13893->13997 13895 406e5d 13998 405205 free 13895->13998 13897 406e65 13999 405205 free 13897->13999 13899 406e6d 14000 405205 free 13899->14000 13902 40ca7f __EH_prolog 13901->13902 13903 401e63 3 API calls 13902->13903 13904 40ca94 13903->13904 13905 406f88 3 API calls 13904->13905 13906 40caa1 13905->13906 13907 407203 12 API calls 13906->13907 13908 40cab2 13907->13908 14016 405205 free 13908->14016 13910 40cac6 13911 40cae0 13910->13911 13912 40cacb _CxxThrowException 13910->13912 13913 405898 ctype 6 API calls 13911->13913 13912->13911 13914 40cae8 13913->13914 13915 40c58b 
13914->13915 13916 40c595 __EH_prolog 13915->13916 14017 40c4d4 13916->14017 13919 40247e 3 API calls 13920 40c694 13919->13920 14031 40c0d0 13920->14031 13923 40c6aa 14039 405205 free 13923->14039 13924 40c6ec 13925 40c6f1 13924->13925 13926 40c762 13924->13926 14040 40c82b 13925->14040 14056 405b48 13926->14056 13930 40c63d 13930->13829 13930->13830 13933 401e63 3 API calls 13935 40c704 13933->13935 13934 401e63 3 API calls 13936 40c77c 13934->13936 13951->13833 13952->13837 13953->13841 13955 406f92 __EH_prolog 13954->13955 13956 401e20 3 API calls 13955->13956 13957 406fa4 13956->13957 13958 40631a 3 API calls 13957->13958 13959 406fb3 13958->13959 13960 401e20 3 API calls 13959->13960 13961 406fbf 13960->13961 14317 405205 free 13961->14317 13963 406fc7 13963->13836 13964->13842 13965->13842 13966->13846 13967->13849 13970 406877 __EH_prolog 13969->13970 13971 401dbf 3 API calls 13970->13971 13972 406889 AreFileApisANSI 13971->13972 13973 4057a5 5 API calls 13972->13973 13974 4068a5 13973->13974 14001 405205 free 13974->14001 13976 4068ad 13977 406c54 13976->13977 13978 406c80 GetFullPathNameA 13977->13978 13979 406c78 13977->13979 13982 406c9a 13978->13982 13980 404630 3 API calls 13979->13980 13980->13978 13981 406ca6 13984 405205 free 13981->13984 13982->13981 13983 406cb1 lstrlenA 13982->13983 13983->13981 13984->13874 13985->13871 14002 406edf 13986->14002 13989 40675e AreFileApisANSI 13990 4056fd 5 API calls 13989->13990 13991 40677d 13990->13991 13992 405205 free 13991->13992 13992->13883 13994 406edf 3 API calls 13993->13994 13995 406e18 13994->13995 13995->13886 13996->13889 13997->13895 13998->13897 13999->13899 14000->13871 14001->13976 14004 406ee9 __EH_prolog 14002->14004 14003 406f1d 14006 404630 3 API calls 14003->14006 14004->14003 14005 406f12 14004->14005 14007 404569 3 API calls 14005->14007 14008 406f30 14006->14008 14009 406def 14007->14009 14010 404630 3 API calls 14008->14010 14009->13989 14011 406f3d 14010->14011 14012 404569 3 API 
calls 14011->14012 14013 406f6b 14012->14013 14015 405205 free 14013->14015 14015->14009 14016->13910 14018 40c4de __EH_prolog 14017->14018 14019 4051de 2 API calls 14018->14019 14020 40c4ea 14019->14020 14111 407d8c 14020->14111 14023 40c532 GetLastError 14025 40c56a 14023->14025 14024 40c53c 14026 405b48 3 API calls 14024->14026 14025->13919 14025->13930 14027 40c546 14026->14027 14028 40c20b 94 API calls 14027->14028 14029 40c560 14028->14029 14114 405205 free 14029->14114 14032 40c0da __EH_prolog 14031->14032 14121 40760a 14032->14121 14034 40c101 14125 4076d9 14034->14125 14036 403d65 3 API calls 14036->14034 14039->13930 14042 40c835 __EH_prolog 14040->14042 14041 40c6f9 14041->13933 14042->14041 14043 404e1a 3 API calls 14042->14043 14049 40c87a 14043->14049 14044 40c8df 14045 40c8a5 14049->14044 14049->14045 14057 405b5a 14056->14057 14058 404e1a 3 API calls 14057->14058 14059 405b7f 14058->14059 14059->13934 14115 407499 14111->14115 14114->14025 14118 407478 14115->14118 14119 40745b 9 API calls 14118->14119 14120 407496 14119->14120 14120->14023 14120->14024 14128 407754 14121->14128 14124 40762d 14124->14034 14124->14036 14131 4076e0 14125->14131 14129 4076d9 VariantClear 14128->14129 14130 407612 SysAllocString 14129->14130 14130->14124 14132 4076ec 14131->14132 14133 4076df 14132->14133 14134 407705 VariantClear 14132->14134 14133->13923 14133->13924 14134->14133 14317->13963 14319 40b140 14318->14319 14320 40bc30 14318->14320 14323 405205 free 14319->14323 14320->14319 14321 405047 memmove 14320->14321 14472 40bc94 14320->14472 14321->14320 14323->13744 14325 4069e1 __EH_prolog 14324->14325 14326 401dbf 3 API calls 14325->14326 14332 4069f2 14326->14332 14327 406a46 14328 401e20 3 API calls 14327->14328 14354 406a52 14328->14354 14330 406a69 GetLastError 14333 406ae6 14330->14333 14330->14354 14331 406b3e 14334 401e63 3 API calls 14331->14334 14332->14327 14335 406a34 14332->14335 14336 405047 memmove 14332->14336 14338 401da7 3 API calls 
14333->14338 14350 406b4b 14334->14350 14497 405205 free 14335->14497 14336->14327 14337 406baf 14496 405205 free 14337->14496 14339 406aee 14338->14339 14341 407203 12 API calls 14339->14341 14344 406afe 14341->14344 14343 406b2a 14343->13747 14343->13752 14345 406b02 14344->14345 14346 406b32 14344->14346 14491 405205 free 14345->14491 14494 405205 free 14346->14494 14347 404e3b 3 API calls 14347->14350 14350->14337 14350->14347 14355 406990 8 API calls 14350->14355 14495 405205 free 14350->14495 14351 406b1a 14492 405205 free 14351->14492 14352 404e3b 3 API calls 14352->14354 14354->14330 14354->14331 14354->14337 14354->14352 14357 401e63 3 API calls 14354->14357 14480 406990 14354->14480 14490 405205 free 14354->14490 14355->14350 14356 406b22 14493 405205 free 14356->14493 14357->14354 14362 409208 14361->14362 14363 401e63 3 API calls 14362->14363 14364 409252 14363->14364 14365 405898 ctype 6 API calls 14364->14365 14366 40927c 14365->14366 14367 406506 7 API calls 14366->14367 14368 409286 14367->14368 14369 401e63 3 API calls 14368->14369 14370 40929e 14369->14370 14371 4075b6 3 API calls 14370->14371 14372 4092a4 14371->14372 14373 40f3f3 14372->14373 14417 40faa0 14372->14417 14380 40f3fd __EH_prolog 14373->14380 14375 40f587 14377 4051de 2 API calls 14375->14377 14376 40fd1f 12 API calls 14376->14380 14405 40f5ba 14377->14405 14378 405858 free ctype 14378->14380 14380->14375 14380->14376 14380->14378 14402 40f44d 14380->14402 14645 40fbc0 14380->14645 14651 40fb33 14380->14651 14655 40fcc5 14380->14655 14382 40fae0 14635 40fc32 14382->14635 14384 40f629 14388 40fc32 6 API calls 14384->14388 14386 4051de 2 API calls 14386->14405 14389 40f649 14388->14389 14390 405898 ctype 6 API calls 14389->14390 14392 40f65c 14390->14392 14393 405858 ctype free 14392->14393 14393->14402 14395 40f708 14396 40fc32 6 API calls 14395->14396 14397 40f739 14396->14397 14398 405898 ctype 6 API calls 14397->14398 14400 40f74c 14398->14400 14401 405858 ctype free 14400->14401 
14401->14402 14402->13754 14403 41024e 50 API calls 14403->14405 14404 40f922 14406 40fc32 6 API calls 14404->14406 14405->14382 14405->14384 14405->14386 14405->14395 14405->14403 14405->14404 14407 40f841 14405->14407 14410 40f8af 14405->14410 14414 40f995 14405->14414 14500 40ff72 14405->14500 14504 40e298 14405->14504 14658 40fe9a 14405->14658 14409 40f87c 14406->14409 14408 40fc32 6 API calls 14407->14408 14408->14409 14412 405898 ctype 6 API calls 14409->14412 14411 40fc32 6 API calls 14410->14411 14411->14409 14413 40f9e6 14412->14413 14415 405858 ctype free 14413->14415 14416 40fc32 6 API calls 14414->14416 14415->14402 14416->14409 14435 40f5fb 14417->14435 14418 40fae0 14419 40fc32 6 API calls 14418->14419 14421 40fafb 14419->14421 14420 40f629 14424 40fc32 6 API calls 14420->14424 14423 40fce7 ctype 6 API calls 14421->14423 14422 4051de 2 API calls 14422->14435 14431 40f668 14423->14431 14425 40f649 14424->14425 14426 405898 ctype 6 API calls 14425->14426 14428 40f65c 14426->14428 14427 40fe9a 2 API calls 14427->14435 14429 405858 ctype free 14428->14429 14429->14431 14430 40ff72 50 API calls 14430->14435 14431->13754 14432 40f708 14433 40fc32 6 API calls 14432->14433 14434 40f739 14433->14434 14436 405898 ctype 6 API calls 14434->14436 14435->14418 14435->14420 14435->14422 14435->14427 14435->14430 14435->14432 14437 40e298 88 API calls 14435->14437 14440 41024e 50 API calls 14435->14440 14441 40f922 14435->14441 14443 40f841 14435->14443 14446 40f8af 14435->14446 14450 40f995 14435->14450 14438 40f74c 14436->14438 14437->14435 14439 405858 ctype free 14438->14439 14439->14431 14440->14435 14442 40fc32 6 API calls 14441->14442 14445 40f87c 14442->14445 14444 40fc32 6 API calls 14443->14444 14444->14445 14448 405898 ctype 6 API calls 14445->14448 14447 40fc32 6 API calls 14446->14447 14447->14445 14449 40f9e6 14448->14449 14451 405858 ctype free 14449->14451 14452 40fc32 6 API calls 14450->14452 14451->14431 14452->14445 14453->13757 14454->13757 14456 
40c0d0 5 API calls 14455->14456 14457 40c161 14456->14457 14458 40c175 14457->14458 14459 401e63 3 API calls 14457->14459 14458->13729 14459->14458 14461 40c17b VariantClear 14460->14461 14462 40c208 14461->14462 14462->13729 15552 405f95 14463->15552 14466->13729 14467->13727 14468->13767 14469->13770 14470->13761 14471->13761 14473 40bca3 14472->14473 14475 40bcbc 14473->14475 14476 40bce9 14473->14476 14475->14320 14477 40bcf9 14476->14477 14478 4024d7 3 API calls 14477->14478 14479 40bd07 memmove 14478->14479 14479->14475 14481 4069c3 CreateDirectoryW 14480->14481 14482 40699f 14480->14482 14484 4069d3 14481->14484 14483 40686d 6 API calls 14482->14483 14485 4069ac 14483->14485 14484->14354 14498 40697c CreateDirectoryA 14485->14498 14487 4069b3 14499 405205 free 14487->14499 14489 4069bd 14489->14484 14490->14354 14491->14351 14492->14356 14493->14343 14494->14331 14495->14350 14496->14335 14497->14343 14498->14487 14499->14489 14501 40ff9b 14500->14501 14668 4100a4 14501->14668 14505 40e2a2 __EH_prolog 14504->14505 15230 417875 InitializeCriticalSection 14505->15230 14507 40e3d4 15232 40ee0a 14507->15232 14509 40e40b 14511 405898 ctype 6 API calls 14509->14511 14609 40e5e4 14509->14609 14510 4051de malloc _CxxThrowException 14514 40e2d0 14510->14514 14512 40e436 14511->14512 14513 4051de 2 API calls 14512->14513 14532 40e457 14512->14532 14513->14532 14514->14507 14514->14510 15282 40db88 14514->15282 14515 40e4a2 14519 405858 ctype free 14515->14519 14516 40e4ea 14521 40e5d5 14516->14521 14533 40e804 14516->14533 14536 40e8dc 14516->14536 14541 40e86f 14516->14541 15244 407b40 14516->15244 15298 40d71e 14516->15298 15301 40d743 14516->15301 15304 40f2b4 14516->15304 14522 40e4b1 14519->14522 15310 40f163 14521->15310 15288 40d03f 14522->15288 14526 40ecd3 14529 405858 ctype free 14526->14529 14527 40ed2f 14534 4058f1 7 API calls 14527->14534 14531 40ece2 14529->14531 14530 40ea31 14535 405858 ctype free 14530->14535 14537 40d03f free 14531->14537 
14532->14515 14532->14516 14539 405858 ctype free 14533->14539 14538 40ed58 14534->14538 14540 40ea4e 14535->14540 14550 405858 ctype free 14536->14550 14542 40ecf1 DeleteCriticalSection 14537->14542 14543 40ed78 14538->14543 14551 40dcd2 7 API calls 14538->14551 14544 40e835 14539->14544 14545 40d03f free 14540->14545 14559 405858 ctype free 14541->14559 14547 40e4d5 14542->14547 15258 4090e7 14543->15258 15270 40d329 14543->15270 14552 40d03f free 14544->14552 14553 40ea5d DeleteCriticalSection 14545->14553 14546 40ea72 14560 405858 ctype free 14546->14560 14548 405898 ctype 6 API calls 14547->14548 14554 40ed1c 14548->14554 14549 40eadf 14563 405858 ctype free 14549->14563 14555 40e8fc 14550->14555 14551->14538 14557 40e844 DeleteCriticalSection 14552->14557 14553->14546 14556 40d03f free 14555->14556 14566 40e90b DeleteCriticalSection 14556->14566 14622 40e859 14557->14622 14558 40ed9b 14569 40e8a0 14559->14569 14570 40eaa5 14560->14570 14571 40eafc 14563->14571 14565 40eb38 SysFreeString 14575 40eb4c 14565->14575 14574 40e920 14566->14574 14577 40d03f free 14569->14577 14578 40d03f free 14570->14578 14572 40d03f free 14571->14572 14579 40eb0b DeleteCriticalSection 14572->14579 14573 401dbf 3 API calls 14573->14609 14586 405898 ctype 6 API calls 14574->14586 14580 405858 ctype free 14575->14580 14583 40e8af DeleteCriticalSection 14577->14583 14584 40eab4 DeleteCriticalSection 14578->14584 14579->14622 14587 40eb61 14580->14587 14582 4058f1 7 API calls 14582->14609 14583->14622 14584->14622 14585 408ffb 4 API calls 14585->14609 14590 40e936 14586->14590 14591 40d03f free 14587->14591 14589 405898 ctype 6 API calls 14593 40ec14 14589->14593 14594 405858 ctype free 14590->14594 14595 40eb70 DeleteCriticalSection 14591->14595 14597 405858 ctype free 14593->14597 14598 40e942 14594->14598 14595->14622 14597->14598 14598->14405 14600 40eb98 15319 405205 free 14600->15319 14603 40eb9d 15320 405205 free 14603->15320 14606 405858 free ctype 14606->14609 14607 40e758 
SysFreeString 14607->14609 14608 40ebac SysFreeString 14610 40ebc2 14608->14610 14609->14530 14609->14546 14609->14549 14609->14565 14609->14573 14609->14582 14609->14585 14609->14600 14609->14606 14611 40dcd2 7 API calls 14609->14611 14613 40ec25 14609->14613 14615 40ea27 14609->14615 15248 417717 14609->15248 15251 4176f6 14609->15251 15317 405205 free 14609->15317 15318 405205 free 14609->15318 14612 405858 ctype free 14610->14612 14611->14609 14616 40ebd7 14612->14616 14614 405858 ctype free 14613->14614 14617 40ec34 14614->14617 15254 40d9ad 14615->15254 14618 40d03f free 14616->14618 14619 405858 ctype free 14617->14619 14620 40ebe6 DeleteCriticalSection 14618->14620 14621 40ec43 14619->14621 14620->14622 14623 405858 ctype free 14621->14623 14622->14589 14624 40ec52 14623->14624 14625 40d03f free 14624->14625 14626 40ec61 DeleteCriticalSection 14625->14626 14627 40ec76 14626->14627 14628 405898 ctype 6 API calls 14627->14628 14629 40ec8c 14628->14629 14630 405858 ctype free 14629->14630 14630->14598 14636 40fc3c __EH_prolog 14635->14636 14637 405898 ctype 6 API calls 14636->14637 14638 40fc60 14637->14638 14639 405858 ctype free 14638->14639 14640 40fc6b 14639->14640 14641 405858 ctype free 14640->14641 14642 40fc91 14641->14642 14643 40d03f free 14642->14643 14644 40fafb 14643->14644 14662 40fce7 14644->14662 14646 40fbca __EH_prolog 14645->14646 14647 40fc18 14646->14647 14648 4058f1 7 API calls 14646->14648 14647->14380 14649 40fc0f 14648->14649 14650 40fcc5 7 API calls 14649->14650 14650->14647 14652 40fb42 14651->14652 14654 40fb48 14651->14654 14652->14380 14653 40fb5e _CxxThrowException 14653->14652 14654->14652 14654->14653 14656 4058c1 7 API calls 14655->14656 14657 40fccd 14656->14657 14657->14380 14659 40fea4 __EH_prolog 14658->14659 14660 4051de 2 API calls 14659->14660 14661 40fece 14660->14661 14661->14405 14663 40fcf1 __EH_prolog 14662->14663 14664 405898 ctype 6 API calls 14663->14664 14665 40fd07 14664->14665 14666 405858 ctype free 
14665->14666 14667 40fd12 14666->14667 14667->14402 14669 40ffb6 14668->14669 14671 4100b2 14668->14671 14669->14405 14671->14669 14672 40ffbb 14671->14672 14673 40ffc5 __EH_prolog 14672->14673 14679 40247e 3 API calls 14673->14679 14682 4074e1 14673->14682 14685 409572 14673->14685 14993 40949b 14673->14993 14674 410019 14674->14671 14675 410012 14675->14674 15000 40275d 14675->15000 15012 40541c fputs 14675->15012 14679->14675 15013 4072dd 14682->15013 14687 40957c __EH_prolog 14685->14687 14686 40247e 3 API calls 14688 4095ce 14686->14688 14687->14686 14689 40c14e 5 API calls 14688->14689 14690 4095e9 14689->14690 14691 40c1f5 VariantClear 14690->14691 14716 409712 14690->14716 14693 409601 14691->14693 14694 401e63 3 API calls 14693->14694 14693->14716 14696 409615 14694->14696 14695 409639 14698 4076d9 VariantClear 14695->14698 14696->14695 14697 409652 14696->14697 14699 4076d9 VariantClear 14696->14699 14703 4076d9 VariantClear 14697->14703 14700 40976c 14698->14700 14701 40967a 14699->14701 15063 405205 free 14700->15063 15031 40c17b 14701->15031 14703->14700 14706 4096da 14708 4076d9 VariantClear 14706->14708 14709 4096fa 14708->14709 14710 40970b 14709->14710 14711 40973c 14709->14711 14863 409a74 14709->14863 14713 4051de 2 API calls 14710->14713 14711->14695 14714 40976e 14711->14714 14713->14716 14714->14697 14715 409774 14714->14715 14717 4076d9 VariantClear 14715->14717 15223 405205 free 14716->15223 14718 4097c6 14717->14718 15035 4094e5 14718->15035 14721 4094e5 VariantClear 14722 4097f8 14721->14722 14722->14716 15226 405205 free 14863->15226 14918 4097a5 14918->14675 14994 401e63 3 API calls 14993->14994 14996 4094ad 14994->14996 14995 4094df 14995->14675 14996->14995 14997 404def 3 API calls 14996->14997 14998 40631a 3 API calls 14996->14998 14999 406990 8 API calls 14996->14999 14997->14996 14998->14996 14999->14996 15001 40276b 15000->15001 15003 40278f 15001->15003 15227 40541c fputs 15001->15227 15004 405434 6 API calls 15003->15004 15005 
40279b 15004->15005 15006 4027c8 15005->15006 15228 40541c fputs 15005->15228 15006->14674 15008 4027ba 15009 4054d0 fputs 15008->15009 15010 4027c1 15009->15010 15229 40541c fputs 15010->15229 15012->14674 15014 4072e7 __EH_prolog 15013->15014 15015 407351 15014->15015 15016 4072f8 15014->15016 15017 40738f FindCloseChangeNotification 15015->15017 15018 401dbf malloc _CxxThrowException free 15016->15018 15019 407358 15017->15019 15020 407303 AreFileApisANSI 15018->15020 15021 40735c CreateFileW 15019->15021 15022 40737f 15019->15022 15023 4057a5 malloc _CxxThrowException free WideCharToMultiByte _CxxThrowException 15020->15023 15021->15022 15022->14675 15024 40731f 15023->15024 15025 4072a4 CreateFileA FindCloseChangeNotification 15024->15025 15026 407339 15025->15026 15027 405205 ctype free 15026->15027 15028 407343 15027->15028 15029 405205 ctype free 15028->15029 15030 40734b 15029->15030 15030->15022 15032 40c185 __EH_prolog 15031->15032 15033 4076d9 VariantClear 15032->15033 15034 40968c 15033->15034 15034->14695 15034->14706 15034->14716 15059 407a07 15034->15059 15037 4094ef __EH_prolog 15035->15037 15036 4076d9 VariantClear 15038 409560 15036->15038 15037->15036 15038->14716 15038->14721 15060 407a15 15059->15060 15061 407a34 15059->15061 15060->15061 15062 407a1f _CxxThrowException 15060->15062 15061->14706 15062->15061 15063->14918 15223->14918 15226->14918 15227->15003 15228->15008 15229->15006 15231 4178bf 15230->15231 15231->14514 15335 40eed7 15232->15335 15235 405898 ctype 6 API calls 15236 40ee23 15235->15236 15237 412d31 7 API calls 15236->15237 15242 40ee49 15236->15242 15237->15236 15238 40eed0 15238->14509 15239 412d31 7 API calls 15239->15242 15240 40dcd2 7 API calls 15241 40eeb0 15240->15241 15241->15238 15241->15240 15242->15239 15242->15241 15243 40dcd2 7 API calls 15242->15243 15243->15242 15245 407b4a __EH_prolog 15244->15245 15344 407a70 15245->15344 15247 407b6e 15247->14516 15249 41772f 15248->15249 15250 41771e VirtualFree 
15248->15250 15249->14609 15250->15249 15252 417701 VirtualAlloc 15251->15252 15253 4176fd 15251->15253 15252->15253 15253->14609 15255 40d9d8 _CxxThrowException 15254->15255 15256 40d9be 15254->15256 15257 40d9ed 15255->15257 15256->15255 15256->15257 15257->14526 15257->14527 15259 4090f5 15258->15259 15260 4090fb 15258->15260 15359 417823 15259->15359 15262 40910e 15260->15262 15263 417823 2 API calls 15260->15263 15268 40912b 15260->15268 15262->15268 15353 417846 ResetEvent 15262->15353 15263->15262 15268->14558 15271 405898 ctype 6 API calls 15270->15271 15272 40d33b 15271->15272 15273 405898 ctype 6 API calls 15272->15273 15274 40d346 15273->15274 15283 40db92 __EH_prolog 15282->15283 15284 4051de 2 API calls 15283->15284 15286 40db9e 15284->15286 15285 40dcd2 7 API calls 15287 40dbcd 15285->15287 15286->15285 15287->14514 15289 40d049 __EH_prolog 15288->15289 15290 405858 ctype free 15289->15290 15291 40d05f 15290->15291 15292 405858 ctype free 15291->15292 15293 40d06b 15292->15293 15294 405858 ctype free 15293->15294 15435 40d61a 15298->15435 15302 40d61a 12 API calls 15301->15302 15303 40d74b 15302->15303 15303->14516 15305 40f2be __EH_prolog 15304->15305 15306 4051de 2 API calls 15305->15306 15309 40f2ca 15306->15309 15307 40dcd2 7 API calls 15308 40f2f9 15307->15308 15308->14516 15309->15307 15525 40d5a0 15310->15525 15317->14609 15318->14607 15319->14603 15320->14608 15336 405898 ctype 6 API calls 15335->15336 15337 40eedf 15336->15337 15338 405898 ctype 6 API calls 15337->15338 15339 40eee7 15338->15339 15340 405898 ctype 6 API calls 15339->15340 15341 40eeef 15340->15341 15342 405898 ctype 6 API calls 15341->15342 15343 40ee1b 15342->15343 15343->15235 15345 407a7a __EH_prolog 15344->15345 15346 4051de 2 API calls 15345->15346 15349 407b10 15345->15349 15347 407afe 15346->15347 15347->15349 15350 4080e2 15347->15350 15349->15247 15351 4176f6 VirtualAlloc 15350->15351 15352 40816b 15351->15352 15352->15349 15368 417811 15359->15368 15371 4177d1 
CreateEventA 15368->15371 15436 40d624 __EH_prolog 15435->15436 15443 40d1d5 15436->15443 15444 40d1df __EH_prolog 15443->15444 15481 40d08f 15444->15481 15482 40d099 __EH_prolog 15481->15482 15483 4058f1 7 API calls 15482->15483 15484 40d11b 15483->15484 15526 405898 ctype 6 API calls 15525->15526 15527 40d5aa 15526->15527 15528 40d198 7 API calls 15527->15528 15529 40d5b6 15528->15529 15530 405898 ctype 6 API calls 15529->15530 15531 40d5c0 15530->15531 15532 40d198 7 API calls 15531->15532 15553 405f9f __EH_prolog 15552->15553 15554 405a9d 12 API calls 15553->15554 15555 405fd0 15554->15555 15562 405eb0 15555->15562 15558 405898 ctype 6 API calls 15559 405ff5 15558->15559 15560 405858 ctype free 15559->15560 15561 406001 15560->15561 15561->13729 15563 405eba __EH_prolog 15562->15563 15585 405e72 15563->15585 15566 405e72 5 API calls 15567 405eef 15566->15567 15568 405d36 5 API calls 15567->15568 15570 405ed7 15567->15570 15569 405f08 15568->15569 15569->15570 15589 4062ce 15569->15589 15570->15558 15573 401d43 2 API calls 15574 405f29 15573->15574 15575 405eb0 17 API calls 15574->15575 15576 405f40 15575->15576 15577 405f66 15576->15577 15578 405f4b 15576->15578 15580 405898 ctype 6 API calls 15577->15580 15579 405898 ctype 6 API calls 15578->15579 15581 405f56 15579->15581 15582 405f75 15580->15582 15583 405858 ctype free 15581->15583 15584 405858 ctype free 15582->15584 15583->15570 15584->15570 15588 405e7e 15585->15588 15586 405ea5 15586->15566 15586->15570 15588->15586 15595 405c6b 15588->15595 15590 4062d8 __EH_prolog 15589->15590 15591 405898 ctype 6 API calls 15590->15591 15592 4062ff 15591->15592 15593 406506 7 API calls 15592->15593 15594 405f17 15593->15594 15594->15573 15597 405c7a 15595->15597 15596 405d29 15596->15588 15597->15596 15599 405b87 15597->15599 15600 405b9d CharUpperW GetLastError WideCharToMultiByte CharUpperA MultiByteToWideChar 15599->15600 15601 405b9a 15600->15601 15601->15597 15602->13799 15603->13801 15605 405585 __EH_prolog 

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1586 406ff9-407013 call 4182c0 call 406fd9 1591 4070b6-4070c2 1586->1591 1592 407019-407020 1586->1592 1593 407022-407037 FindFirstFileW 1592->1593 1594 40704a-40709d call 401dbf AreFileApisANSI call 4057a5 FindFirstFileA call 405205 * 2 1592->1594 1595 407039-407048 call 4070c5 1593->1595 1596 4070ae-4070b3 1593->1596 1594->1596 1607 40709f-4070a9 call 40712d 1594->1607 1595->1596 1596->1591 1607->1596
                                  C-Code - Quality: 86%
                                  			E00406FF9(void** __ecx, void* __edx, void* __edi, void* __eflags) {
                                  				signed int _t23;
                                  				signed int _t25;
                                  				void* _t33;
                                  				void* _t39;
                                  				void* _t48;
                                  				void** _t51;
                                  				void* _t53;
                                  
                                  				_t48 = __edx;
                                  				E004182C0(E004191B8, _t53);
                                  				_t51 = __ecx;
                                  				_t23 = E00406FD9(__ecx);
                                  				if(_t23 != 0) {
                                  					if( *0x421274 == 0) {
                                  						E00401DBF(_t53 - 0x18,  *(_t53 + 8));
                                  						 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
                                  						_t25 = AreFileApisANSI();
                                  						asm("sbb eax, eax");
                                  						 *_t51 = FindFirstFileA( *(E004057A5(__edi, _t53 - 0x24, _t53 - 0x18,  ~_t25 + 1)), _t53 - 0x164);
                                  						_t33 = E00405205(_t32,  *((intOrPtr*)(_t53 - 0x24)));
                                  						 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
                                  						E00405205(_t33,  *((intOrPtr*)(_t53 - 0x18)));
                                  						__eflags =  *_t51 - 0xffffffff;
                                  						if(__eflags != 0) {
                                  							_push( *((intOrPtr*)(_t53 + 0xc)));
                                  							_push(_t53 - 0x164);
                                  							E0040712D(_t48, __eflags);
                                  						}
                                  					} else {
                                  						_t39 = FindFirstFileW( *(_t53 + 8), _t53 - 0x3b4); // executed
                                  						_t61 = _t39 - 0xffffffff;
                                  						 *_t51 = _t39;
                                  						if(_t39 != 0xffffffff) {
                                  							E004070C5(_t48, _t61, _t53 - 0x3b4,  *((intOrPtr*)(_t53 + 0xc)));
                                  						}
                                  					}
                                  					_t23 = 0 |  *_t51 != 0xffffffff;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                                  				return _t23;
                                  			}











                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00406FFE
                                    • Part of subcall function 00406FD9: FindClose.KERNELBASE(00000000,?,00407011,0042020C), ref: 00406FE4
                                  • FindFirstFileW.KERNELBASE(?,?,0042020C), ref: 0040702C
                                  • AreFileApisANSI.KERNEL32(?,0042020C), ref: 00407059
                                  • FindFirstFileA.KERNEL32(?,?,?,?,00000001), ref: 0040707C
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: FileFind$First$ApisCloseH_prolog
                                  • String ID:
                                  • API String ID: 4121580741-0
                                  • Opcode ID: 3e66eb79f3fedd06d2bc858971f844a6ec41873597ac4a3acbbea5f43a61a800
                                  • Instruction ID: 5e4eded5624a4855f43a7bfc5cf46179f24fbd7a0dd910f4545fd754820fc3a4
                                  • Opcode Fuzzy Hash: 3e66eb79f3fedd06d2bc858971f844a6ec41873597ac4a3acbbea5f43a61a800
                                  • Instruction Fuzzy Hash: AA21507180010AEFCF21AFA4CD05AEE7BB9EF05314F10476AE161A21D1D7389A45CB15
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00403F64(void* __edx) {
                                  				signed int _t18;
                                  				signed int _t19;
                                  				void* _t21;
                                  				void* _t29;
                                  				void* _t33;
                                  				void* _t35;
                                  				void* _t37;
                                  
                                  				_t29 = __edx;
                                  				E004182C0(E00418D64, _t35);
                                  				 *((intOrPtr*)(_t35 - 0x10)) = _t37 - 0xc4;
                                  				 *0x421270 = 0x421290;
                                  				 *(_t35 - 0xd0) = 0x94;
                                  				_t18 = GetVersionExA(_t35 - 0xd0);
                                  				_t40 = _t18;
                                  				if(_t18 != 0) {
                                  					__eflags =  *((intOrPtr*)(_t35 - 0xc0)) - 2;
                                  					_t6 =  *((intOrPtr*)(_t35 - 0xc0)) == 2;
                                  					__eflags = _t6;
                                  					_t19 = _t18 & 0xffffff00 | _t6;
                                  				} else {
                                  					_t19 = 0;
                                  				}
                                  				 *0x421274 = _t19;
                                  				E004025F0(_t35 - 0x18);
                                  				 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
                                  				 *(_t35 - 4) = 1;
                                  				_t21 = E0040117D(_t29, _t40); // executed
                                  				_t33 = _t21;
                                  				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
                                  				E00402665(_t35 - 0x18); // executed
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
                                  				return _t33;
                                  			}











                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prologVersion
                                  • String ID:
                                  • API String ID: 1836448879-0
                                  • Opcode ID: 78b00d36a6892248e535e1540c9e6d3059826de45966e9df41fe4f0d0713c33d
                                  • Instruction ID: 803148422fd3b4ae7056b3718a2c2e6afdd9d764897792735462901d9be78cbc
                                  • Opcode Fuzzy Hash: 78b00d36a6892248e535e1540c9e6d3059826de45966e9df41fe4f0d0713c33d
                                  • Instruction Fuzzy Hash: 4A018475D00209DFDB20DBA4D9057DE7FB4EB15394F1002EAE111B31D1D7780605CA69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E0040E298(signed int __ecx, signed int __edx, void* __eflags) {
                                  				signed int _t483;
                                  				signed int _t503;
                                  				signed int _t517;
                                  				intOrPtr* _t518;
                                  				signed int _t520;
                                  				intOrPtr* _t522;
                                  				signed int _t524;
                                  				signed int _t530;
                                  				signed int _t535;
                                  				signed int _t536;
                                  				intOrPtr* _t547;
                                  				intOrPtr* _t548;
                                  				intOrPtr* _t559;
                                  				signed int _t560;
                                  				signed int _t561;
                                  				signed int _t571;
                                  				signed int _t572;
                                  				void* _t573;
                                  				signed int _t575;
                                  				void* _t581;
                                  				void* _t584;
                                  				signed int _t592;
                                  				signed int _t593;
                                  				signed int _t603;
                                  				signed int _t604;
                                  				signed int _t605;
                                  				signed int _t612;
                                  				signed int _t623;
                                  				signed int _t624;
                                  				signed int _t625;
                                  				signed int _t631;
                                  				signed int _t645;
                                  				signed int _t646;
                                  				intOrPtr _t648;
                                  				signed int _t649;
                                  				signed char _t653;
                                  				char _t655;
                                  				signed int _t656;
                                  				signed int _t661;
                                  				signed int _t666;
                                  				signed int _t676;
                                  				intOrPtr _t714;
                                  				intOrPtr _t715;
                                  				signed int _t723;
                                  				signed int _t752;
                                  				signed int _t755;
                                  				signed int _t783;
                                  				signed int _t801;
                                  				signed int* _t813;
                                  				signed int _t814;
                                  				signed int _t815;
                                  				intOrPtr _t817;
                                  				signed int _t819;
                                  				intOrPtr _t820;
                                  				signed int _t821;
                                  				signed int _t822;
                                  				intOrPtr* _t823;
                                  				signed int _t824;
                                  				signed int _t826;
                                  				signed int _t827;
                                  				signed int _t828;
                                  				signed int _t830;
                                  				signed int _t831;
                                  				void* _t832;
                                  
                                  				_t806 = __edx;
                                  				E004182C0(E00419F8A, _t832);
                                  				_t826 = __ecx;
                                  				 *(_t832 - 0x14) = __ecx;
                                  				E00402463(_t832 - 0x38);
                                  				 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  				_t676 = 0;
                                  				 *(_t832 - 4) = 0;
                                  				 *((intOrPtr*)(_t832 - 0x5c)) = 0;
                                  				E00417875(_t832 - 0x38, _t832 - 0x58);
                                  				 *(_t832 - 4) = 1;
                                  				E00408D12(_t832 - 0x5c,  *(_t832 + 8));
                                  				 *(_t832 - 0x10) = 0;
                                  				if( *((intOrPtr*)( *((intOrPtr*)(_t832 + 0x18)) + 0x30)) <= 0) {
                                  					L19:
                                  					 *((intOrPtr*)(_t832 - 0x3c)) =  *((intOrPtr*)( *((intOrPtr*)(_t832 + 0x18)) + 8));
                                  					E0040E243(_t832 - 0x108);
                                  					 *(_t832 - 4) = 4;
                                  					E0040F18F(_t832 - 0xb8);
                                  					 *(_t832 - 4) = 5;
                                  					E0040EE0A(_t832 - 0xb8, _t806,  *((intOrPtr*)(_t832 + 0x18)), _t832 - 0x108);
                                  					if( *_t826 == _t676) {
                                  						L21:
                                  						E00405898();
                                  						_t483 =  *(_t826 + 0x74);
                                  						_t813 = _t826 + 0x74;
                                  						if(_t483 != _t676) {
                                  							 *((intOrPtr*)( *_t483 + 8))(_t483);
                                  							 *_t813 = _t676;
                                  						}
                                  						if( *((intOrPtr*)(_t826 + 0x68)) != _t676) {
                                  							_push(0x88);
                                  							_t645 = E004051DE();
                                  							 *(_t832 + 8) = _t645;
                                  							 *(_t832 - 4) = 6;
                                  							if(_t645 == _t676) {
                                  								_t646 = 0;
                                  								__eflags = 0;
                                  							} else {
                                  								_t646 = E0040F047(_t645);
                                  							}
                                  							 *(_t832 - 4) = 5;
                                  							 *((intOrPtr*)(_t826 + 0x6c)) = _t646;
                                  							E00408D12(_t813, _t646);
                                  							_t648 =  *((intOrPtr*)(_t826 + 0x6c));
                                  							if(_t648 == _t676) {
                                  								_t649 = 0;
                                  								__eflags = 0;
                                  							} else {
                                  								_t649 = _t648 + 4;
                                  							}
                                  							 *((intOrPtr*)(_t826 + 0x70)) = _t649;
                                  						}
                                  						_t806 = _t832 - 0x108;
                                  						_t814 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t826 + 0x70))))))(_t832 - 0x108);
                                  						_t852 = _t814 - _t676;
                                  						if(_t814 == _t676) {
                                  							__eflags =  *((intOrPtr*)(_t832 - 0x3c)) - _t676;
                                  							 *(_t832 - 0x18) = _t676;
                                  							if(__eflags <= 0) {
                                  								L50:
                                  								E0040F163(_t826 + 4, __eflags, _t832 - 0x108);
                                  								 *_t826 = 1;
                                  								L51:
                                  								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t826 + 0x70)))) + 4))();
                                  								__eflags =  *((intOrPtr*)(_t832 - 0x3c)) - _t676;
                                  								 *(_t832 + 0x10) = _t676;
                                  								 *(_t832 - 0x40) = _t676;
                                  								 *(_t832 - 0x1c) = _t676;
                                  								if( *((intOrPtr*)(_t832 - 0x3c)) <= _t676) {
                                  									L125:
                                  									E0040D9AD(_t832 - 0x108,  *((intOrPtr*)( *((intOrPtr*)(_t832 - 0xc0)))), _t832 - 0x7c, _t832 - 0x120);
                                  									__eflags =  *((intOrPtr*)(_t826 + 0x68)) - _t676;
                                  									if( *((intOrPtr*)(_t826 + 0x68)) != _t676) {
                                  										 *((intOrPtr*)( *((intOrPtr*)(_t826 + 0x6c)) + 0x70)) =  *((intOrPtr*)(_t832 - 0x7c));
                                  									}
                                  									__eflags =  *((intOrPtr*)(_t832 - 0x3c)) - _t676;
                                  									if( *((intOrPtr*)(_t832 - 0x3c)) != _t676) {
                                  										E00407282(_t832 - 0x11c, 4);
                                  										 *((intOrPtr*)(_t832 - 0x11c)) = 0x41b794;
                                  										 *(_t832 - 4) = 0x27;
                                  										E004058F1(_t832 - 0x11c,  *((intOrPtr*)(_t832 - 0x30)));
                                  										_t815 = 0;
                                  										__eflags =  *((intOrPtr*)(_t832 - 0x30)) - _t676;
                                  										if( *((intOrPtr*)(_t832 - 0x30)) <= _t676) {
                                  											L132:
                                  											_t827 =  *(_t826 + 0x74);
                                  											 *((intOrPtr*)(_t832 - 0x78)) =  *((intOrPtr*)(_t832 + 0x1c));
                                  											_t828 =  *((intOrPtr*)( *_t827 + 0xc))(_t827,  *((intOrPtr*)(_t832 - 0x110)), _t676,  *((intOrPtr*)(_t832 - 0x30)), _t832 - 0x78, _t676, 1,  *((intOrPtr*)(_t832 + 0x20)));
                                  											 *(_t832 - 4) = 5;
                                  											E00405858(_t832 - 0x11c);
                                  											 *(_t832 - 4) = 1;
                                  											E0040EFF7(_t832 - 0x108, __eflags);
                                  											 *(_t832 - 4) = _t676;
                                  											E0040F02C(_t832 - 0x5c);
                                  											_t465 = _t832 - 4;
                                  											 *_t465 =  *(_t832 - 4) | 0xffffffff;
                                  											__eflags =  *_t465;
                                  											E0040DB50(_t832 - 0x38);
                                  											L133:
                                  											_t503 = _t828;
                                  											goto L134;
                                  										} else {
                                  											goto L131;
                                  										}
                                  										do {
                                  											L131:
                                  											E0040DCD2(_t832 - 0x11c, _t806,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t832 - 0x2c)) + _t815 * 4)))));
                                  											_t815 = _t815 + 1;
                                  											__eflags = _t815 -  *((intOrPtr*)(_t832 - 0x30));
                                  										} while (_t815 <  *((intOrPtr*)(_t832 - 0x30)));
                                  										goto L132;
                                  									} else {
                                  										 *(_t832 - 4) = 0x25;
                                  										E00405858(_t832 - 0xb8);
                                  										 *(_t832 - 4) = 1;
                                  										E0040D03F(_t832 - 0x108, __eflags);
                                  										 *(_t832 - 4) = _t676;
                                  										DeleteCriticalSection(_t832 - 0x58);
                                  										E0040CD67(_t832 - 0x5c);
                                  										 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  										 *(_t832 - 4) = 0x26;
                                  										goto L129;
                                  									}
                                  								}
                                  								 *(_t832 - 0x10) = _t676;
                                  								do {
                                  									 *(_t832 + 8) = _t676;
                                  									_t817 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t832 + 0x18)) + 0xc)) +  *(_t832 - 0x1c) * 4));
                                  									_t517 =  *( *(_t832 - 0x10) +  *((intOrPtr*)(_t826 + 0x84)));
                                  									 *(_t832 - 0x20) = _t517;
                                  									_t518 =  *_t517;
                                  									 *(_t832 - 4) = 0x12;
                                  									 *((intOrPtr*)( *_t518))(_t518, 0x41b2d8, _t832 + 8);
                                  									_t520 =  *(_t832 + 8);
                                  									__eflags = _t520 - _t676;
                                  									if(_t520 == _t676) {
                                  										L58:
                                  										__eflags = _t520 - _t676;
                                  										 *(_t832 - 4) = 5;
                                  										if(_t520 != _t676) {
                                  											 *((intOrPtr*)( *_t520 + 8))(_t520);
                                  										}
                                  										 *(_t832 - 0x24) = _t676;
                                  										_t806 = _t832 - 0x24;
                                  										_t522 =  *( *(_t832 - 0x20));
                                  										 *(_t832 - 4) = 0x17;
                                  										 *((intOrPtr*)( *_t522))(_t522, 0x41b288, _t832 - 0x24);
                                  										_t524 =  *(_t832 - 0x24);
                                  										__eflags = _t524 - _t676;
                                  										if(_t524 == _t676) {
                                  											L67:
                                  											__eflags = _t524 - _t676;
                                  											 *(_t832 - 4) = 5;
                                  											if(_t524 != _t676) {
                                  												 *((intOrPtr*)( *_t524 + 8))(_t524);
                                  											}
                                  											 *(_t832 - 0x10) =  *(_t832 - 0x10) + 4;
                                  											 *(_t832 - 0x14) =  *(_t817 + 0x14);
                                  											 *(_t832 + 8) =  *(_t817 + 0x18);
                                  											E00407282(_t832 - 0x90, 4);
                                  											 *((intOrPtr*)(_t832 - 0x90)) = 0x41b770;
                                  											 *(_t832 - 4) = 0x21;
                                  											E00407282(_t832 - 0xa4, 4);
                                  											 *((intOrPtr*)(_t832 - 0xa4)) = 0x41b770;
                                  											 *(_t832 - 4) = 0x22;
                                  											E004058F1(_t832 - 0x90,  *(_t832 - 0x14));
                                  											_t819 =  *(_t832 + 8);
                                  											_t530 = E004058F1(_t832 - 0xa4, _t819);
                                  											__eflags = _t819 - _t676;
                                  											if(_t819 <= _t676) {
                                  												_t820 =  *((intOrPtr*)(_t832 + 0x18));
                                  												goto L88;
                                  											} else {
                                  												 *(_t832 + 8) = _t819;
                                  												_t820 =  *((intOrPtr*)(_t832 + 0x18));
                                  												do {
                                  													_t530 = E0040DCD2(_t832 - 0xa4, _t806,  *(_t820 + 0x48) +  *(_t832 - 0x40) * 8);
                                  													 *(_t832 - 0x40) =  *(_t832 - 0x40) + 1;
                                  													_t238 = _t832 + 8;
                                  													 *_t238 =  *(_t832 + 8) - 1;
                                  													__eflags =  *_t238;
                                  												} while ( *_t238 != 0);
                                  												L88:
                                  												__eflags =  *(_t832 - 0x14) - _t676;
                                  												 *(_t832 - 0x20) = _t676;
                                  												if( *(_t832 - 0x14) <= _t676) {
                                  													goto L105;
                                  												} else {
                                  													goto L89;
                                  												}
                                  												do {
                                  													L89:
                                  													_t714 =  *((intOrPtr*)(_t820 + 0x1c));
                                  													 *(_t832 + 8) = _t676;
                                  													__eflags = _t714 - _t676;
                                  													if(_t714 <= _t676) {
                                  														L93:
                                  														_t535 = _t530 | 0xffffffff;
                                  														__eflags = _t535;
                                  														L94:
                                  														__eflags = _t535 - _t676;
                                  														if(_t535 < _t676) {
                                  															_t715 =  *((intOrPtr*)(_t820 + 0x30));
                                  															 *(_t832 + 8) = _t676;
                                  															__eflags = _t715 - _t676;
                                  															if(_t715 <= _t676) {
                                  																L101:
                                  																_t536 = _t535 | 0xffffffff;
                                  																__eflags = _t536;
                                  																L102:
                                  																__eflags = _t536 - _t676;
                                  																if(_t536 < _t676) {
                                  																	 *(_t832 - 4) = 0x21;
                                  																	E00405858(_t832 - 0xa4);
                                  																	 *(_t832 - 4) = 5;
                                  																	E00405858(_t832 - 0x90);
                                  																	 *(_t832 - 4) = 0x23;
                                  																	E00405858(_t832 - 0xb8);
                                  																	 *(_t832 - 4) = 1;
                                  																	E0040D03F(_t832 - 0x108, __eflags);
                                  																	 *(_t832 - 4) = _t676;
                                  																	DeleteCriticalSection(_t832 - 0x58);
                                  																	E0040CD67(_t832 - 0x5c);
                                  																	 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  																	 *(_t832 - 4) = 0x24;
                                  																	E00405898();
                                  																	 *(_t832 - 4) =  *(_t832 - 4) | 0xffffffff;
                                  																	E00405858(_t832 - 0x38);
                                  																	_t503 = 0x80004005;
                                  																	goto L134;
                                  																}
                                  																_t723 =  *(_t832 + 0x14);
                                  																goto L104;
                                  															}
                                  															_t548 =  *((intOrPtr*)(_t820 + 0x34));
                                  															while(1) {
                                  																_t806 =  *(_t832 + 0x10);
                                  																__eflags =  *_t548 -  *(_t832 + 0x10);
                                  																if( *_t548 ==  *(_t832 + 0x10)) {
                                  																	break;
                                  																}
                                  																 *(_t832 + 8) =  *(_t832 + 8) + 1;
                                  																_t548 = _t548 + 4;
                                  																__eflags =  *(_t832 + 8) - _t715;
                                  																if( *(_t832 + 8) < _t715) {
                                  																	continue;
                                  																}
                                  																goto L101;
                                  															}
                                  															_t536 =  *(_t832 + 8);
                                  															goto L102;
                                  														}
                                  														_t536 =  *( *((intOrPtr*)(_t820 + 0x20)) + 4 + _t535 * 8);
                                  														_t723 =  *(_t820 + 0x48);
                                  														goto L104;
                                  													}
                                  													_t547 =  *((intOrPtr*)(_t820 + 0x20));
                                  													while(1) {
                                  														_t806 =  *(_t832 + 0x10);
                                  														__eflags =  *_t547 -  *(_t832 + 0x10);
                                  														if( *_t547 ==  *(_t832 + 0x10)) {
                                  															break;
                                  														}
                                  														 *(_t832 + 8) =  *(_t832 + 8) + 1;
                                  														_t547 = _t547 + 8;
                                  														__eflags =  *(_t832 + 8) - _t714;
                                  														if( *(_t832 + 8) < _t714) {
                                  															continue;
                                  														}
                                  														goto L93;
                                  													}
                                  													_t535 =  *(_t832 + 8);
                                  													goto L94;
                                  													L104:
                                  													E0040DCD2(_t832 - 0x90, _t806, _t723 + _t536 * 8);
                                  													 *(_t832 - 0x20) =  *(_t832 - 0x20) + 1;
                                  													_t530 =  *(_t832 - 0x20);
                                  													 *(_t832 + 0x10) =  *(_t832 + 0x10) + 1;
                                  													__eflags = _t530 -  *(_t832 - 0x14);
                                  												} while (_t530 <  *(_t832 - 0x14));
                                  												goto L105;
                                  											}
                                  										} else {
                                  											__eflags =  *((intOrPtr*)(_t832 + 0x24)) - _t676;
                                  											if( *((intOrPtr*)(_t832 + 0x24)) == _t676) {
                                  												__eflags = _t524 - _t676;
                                  												 *(_t832 - 4) = 5;
                                  												if(_t524 != _t676) {
                                  													 *((intOrPtr*)( *_t524 + 8))(_t524);
                                  												}
                                  												 *(_t832 - 4) = 0x18;
                                  												E00405858(_t832 - 0xb8);
                                  												 *(_t832 - 4) = 1;
                                  												E0040D03F(_t832 - 0x108, __eflags);
                                  												 *(_t832 - 4) = _t676;
                                  												DeleteCriticalSection(_t832 - 0x58);
                                  												E0040CD67(_t832 - 0x5c);
                                  												 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  												 *(_t832 - 4) = 0x19;
                                  												_t828 = 0x80004005;
                                  												L123:
                                  												E00405898();
                                  												 *(_t832 - 4) =  *(_t832 - 4) | 0xffffffff;
                                  												E00405858(_t832 - 0x38);
                                  												goto L133;
                                  											}
                                  											 *(_t832 - 0x18) = _t676;
                                  											_t559 =  *((intOrPtr*)(_t832 + 0x24));
                                  											_t806 = _t832 - 0x18;
                                  											 *(_t832 - 4) = 0x1a;
                                  											_t560 =  *((intOrPtr*)( *_t559 + 0xc))(_t559, _t832 - 0x18);
                                  											__eflags = _t560 - _t676;
                                  											 *(_t832 + 8) = _t560;
                                  											if(_t560 != _t676) {
                                  												__imp__#6( *(_t832 - 0x18));
                                  												_t561 =  *(_t832 - 0x24);
                                  												 *(_t832 - 4) = 5;
                                  												__eflags = _t561 - _t676;
                                  												if(_t561 != _t676) {
                                  													 *((intOrPtr*)( *_t561 + 8))(_t561);
                                  												}
                                  												 *(_t832 - 4) = 0x1b;
                                  												E00405858(_t832 - 0xb8);
                                  												 *(_t832 - 4) = 1;
                                  												E0040D03F(_t832 - 0x108, __eflags);
                                  												 *(_t832 - 4) = _t676;
                                  												DeleteCriticalSection(_t832 - 0x58);
                                  												E0040CD67(_t832 - 0x5c);
                                  												 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  												_t828 =  *(_t832 + 8);
                                  												 *(_t832 - 4) = 0x1c;
                                  												goto L123;
                                  											}
                                  											 *(_t832 - 0x64) = _t676;
                                  											 *(_t832 - 0x60) = _t676;
                                  											 *((intOrPtr*)(_t832 - 0x68)) = 0x41b7b4;
                                  											 *(_t832 - 4) = 0x1d;
                                  											E00401DBF(_t832 - 0x74,  *(_t832 - 0x18));
                                  											 *(_t832 - 4) = 0x1e;
                                  											 *(_t832 - 0x14) =  *((intOrPtr*)(_t832 - 0x70)) +  *((intOrPtr*)(_t832 - 0x70));
                                  											E00408FFB(_t832 - 0x68,  *((intOrPtr*)(_t832 - 0x70)) +  *((intOrPtr*)(_t832 - 0x70)));
                                  											__eflags =  *((intOrPtr*)(_t832 - 0x70)) - _t676;
                                  											 *(_t832 + 8) = _t676;
                                  											if( *((intOrPtr*)(_t832 - 0x70)) <= _t676) {
                                  												L65:
                                  												_t571 =  *(_t832 - 0x24);
                                  												_t572 =  *((intOrPtr*)( *_t571 + 0xc))(_t571,  *(_t832 - 0x60),  *(_t832 - 0x14));
                                  												_push( *((intOrPtr*)(_t832 - 0x74)));
                                  												__eflags = _t572 - _t676;
                                  												 *(_t832 + 8) = _t572;
                                  												if(_t572 != _t676) {
                                  													_t573 = E00405205(_t572);
                                  													 *((intOrPtr*)(_t832 - 0x68)) = 0x41b7b4;
                                  													E00405205(_t573,  *(_t832 - 0x60));
                                  													__imp__#6( *(_t832 - 0x18));
                                  													_t575 =  *(_t832 - 0x24);
                                  													 *(_t832 - 4) = 5;
                                  													__eflags = _t575 - _t676;
                                  													if(_t575 != _t676) {
                                  														 *((intOrPtr*)( *_t575 + 8))(_t575);
                                  													}
                                  													 *(_t832 - 4) = 0x1f;
                                  													E00405858(_t832 - 0xb8);
                                  													 *(_t832 - 4) = 1;
                                  													E0040D03F(_t832 - 0x108, __eflags);
                                  													 *(_t832 - 4) = _t676;
                                  													DeleteCriticalSection(_t832 - 0x58);
                                  													E0040CD67(_t832 - 0x5c);
                                  													 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  													_t828 =  *(_t832 + 8);
                                  													 *(_t832 - 4) = 0x20;
                                  													goto L123;
                                  												}
                                  												_t581 = E00405205(_t572);
                                  												 *((intOrPtr*)(_t832 - 0x68)) = 0x41b7b4;
                                  												E00405205(_t581,  *(_t832 - 0x60));
                                  												__imp__#6( *(_t832 - 0x18));
                                  												_t524 =  *(_t832 - 0x24);
                                  												goto L67;
                                  											} else {
                                  												goto L64;
                                  											}
                                  											do {
                                  												L64:
                                  												_t584 =  *(_t832 + 8) +  *(_t832 + 8);
                                  												_t752 =  *((intOrPtr*)(_t584 +  *((intOrPtr*)(_t832 - 0x74))));
                                  												 *( *(_t832 - 0x60) + _t584) = _t752;
                                  												 *(_t832 + 8) =  *(_t832 + 8) + 1;
                                  												_t806 = _t752;
                                  												 *( *(_t832 - 0x60) + _t584 + 1) = _t752;
                                  												__eflags =  *(_t832 + 8) -  *((intOrPtr*)(_t832 - 0x70));
                                  											} while ( *(_t832 + 8) <  *((intOrPtr*)(_t832 - 0x70)));
                                  											goto L65;
                                  										}
                                  									}
                                  									_t755 =  *(_t817 + 0xc);
                                  									__eflags = _t755 - 0xffffffff;
                                  									 *(_t832 - 0x14) = _t755;
                                  									if(_t755 > 0xffffffff) {
                                  										__eflags = _t520 - _t676;
                                  										 *(_t832 - 4) = 5;
                                  										if(_t520 != _t676) {
                                  											 *((intOrPtr*)( *_t520 + 8))(_t520);
                                  										}
                                  										 *(_t832 - 4) = 0x13;
                                  										E00405858(_t832 - 0xb8);
                                  										 *(_t832 - 4) = 1;
                                  										E0040D03F(_t832 - 0x108, __eflags);
                                  										 *(_t832 - 4) = _t676;
                                  										DeleteCriticalSection(_t832 - 0x58);
                                  										E0040CD67(_t832 - 0x5c);
                                  										 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  										 *(_t832 - 4) = 0x14;
                                  										L83:
                                  										_t828 = 0x80004001;
                                  										goto L123;
                                  									}
                                  									__eflags = _t755 - _t676;
                                  									if(_t755 <= _t676) {
                                  										goto L58;
                                  									}
                                  									_t592 =  *((intOrPtr*)( *_t520 + 0xc))(_t520,  *((intOrPtr*)(_t817 + 0x10)),  *(_t832 - 0x14));
                                  									__eflags = _t592 - _t676;
                                  									 *(_t832 - 0x14) = _t592;
                                  									if(_t592 != _t676) {
                                  										_t593 =  *(_t832 + 8);
                                  										 *(_t832 - 4) = 5;
                                  										__eflags = _t593 - _t676;
                                  										if(_t593 != _t676) {
                                  											 *((intOrPtr*)( *_t593 + 8))(_t593);
                                  										}
                                  										 *(_t832 - 4) = 0x15;
                                  										E00405858(_t832 - 0xb8);
                                  										 *(_t832 - 4) = 1;
                                  										E0040D03F(_t832 - 0x108, __eflags);
                                  										 *(_t832 - 4) = _t676;
                                  										DeleteCriticalSection(_t832 - 0x58);
                                  										E0040CD67(_t832 - 0x5c);
                                  										 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  										_t828 =  *(_t832 - 0x14);
                                  										 *(_t832 - 4) = 0x16;
                                  										goto L123;
                                  									}
                                  									_t520 =  *(_t832 + 8);
                                  									goto L58;
                                  									L105:
                                  									_t821 =  *(_t832 - 0x1c);
                                  									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t826 + 0x70)))) + 8))(_t821,  *((intOrPtr*)(_t832 - 0x84)),  *((intOrPtr*)(_t832 - 0x98)));
                                  									 *(_t832 - 4) = 0x21;
                                  									E00405858(_t832 - 0xa4);
                                  									 *(_t832 - 4) = 5;
                                  									E00405858(_t832 - 0x90);
                                  									_t822 = _t821 + 1;
                                  									__eflags = _t822 -  *((intOrPtr*)(_t832 - 0x3c));
                                  									 *(_t832 - 0x1c) = _t822;
                                  								} while (_t822 <  *((intOrPtr*)(_t832 - 0x3c)));
                                  								goto L125;
                                  							} else {
                                  								goto L34;
                                  							}
                                  							while(1) {
                                  								L34:
                                  								_t823 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t832 + 0x18)) + 0xc)) +  *(_t832 - 0x18) * 4));
                                  								 *(_t832 + 0x10) = _t676;
                                  								 *(_t832 + 8) = _t676;
                                  								_push(_t676);
                                  								_push(_t832 + 8);
                                  								_push(_t832 + 0x10);
                                  								 *(_t832 - 4) = 0xa;
                                  								_push( *((intOrPtr*)(_t823 + 4)));
                                  								_push( *_t823); // executed
                                  								_t603 = E00407B40( *(_t832 - 0x18)); // executed
                                  								__eflags = _t603 - _t676;
                                  								 *(_t832 - 0x1c) = _t603;
                                  								if(_t603 != _t676) {
                                  									break;
                                  								}
                                  								 *(_t832 - 0x10) = _t676;
                                  								__eflags =  *((intOrPtr*)(_t823 + 0x14)) - 1;
                                  								 *(_t832 - 4) = 0xd;
                                  								if( *((intOrPtr*)(_t823 + 0x14)) != 1) {
                                  									L40:
                                  									__eflags =  *(_t832 + 8) - _t676;
                                  									if( *(_t832 + 8) == _t676) {
                                  										_t612 =  *(_t832 + 0x10);
                                  										 *(_t832 - 4) = 5;
                                  										__eflags = _t612 - _t676;
                                  										if(_t612 != _t676) {
                                  											 *((intOrPtr*)( *_t612 + 8))(_t612);
                                  										}
                                  										 *(_t832 - 4) = 0x10;
                                  										E00405858(_t832 - 0xb8);
                                  										 *(_t832 - 4) = 1;
                                  										E0040D03F(_t832 - 0x108, __eflags);
                                  										 *(_t832 - 4) = _t676;
                                  										DeleteCriticalSection(_t832 - 0x58);
                                  										E0040CD67(_t832 - 0x5c);
                                  										 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  										 *(_t832 - 4) = 0x11;
                                  										E00405898();
                                  										 *(_t832 - 4) =  *(_t832 - 4) | 0xffffffff;
                                  										E00405858(_t832 - 0x38);
                                  										_t503 = 0x80004001;
                                  										goto L134;
                                  									}
                                  									E00408D12(_t832 - 0x10,  *(_t832 + 8));
                                  									__eflags =  *((intOrPtr*)(_t826 + 0x68)) - _t676;
                                  									if(__eflags != 0) {
                                  										E0040D743( *((intOrPtr*)(_t826 + 0x6c)), _t806, _t832, __eflags,  *(_t832 + 8));
                                  									}
                                  									L43:
                                  									_push(_t832 - 0x10);
                                  									E0040F2B4(_t826 + 0x78, _t806);
                                  									_t623 =  *(_t832 - 0x10);
                                  									 *(_t832 - 4) = 0xa;
                                  									__eflags = _t623 - _t676;
                                  									if(_t623 != _t676) {
                                  										 *((intOrPtr*)( *_t623 + 8))(_t623);
                                  									}
                                  									_t624 =  *(_t832 + 8);
                                  									 *(_t832 - 4) = 9;
                                  									__eflags = _t624 - _t676;
                                  									if(_t624 != _t676) {
                                  										 *((intOrPtr*)( *_t624 + 8))(_t624);
                                  									}
                                  									_t625 =  *(_t832 + 0x10);
                                  									 *(_t832 - 4) = 5;
                                  									__eflags = _t625 - _t676;
                                  									if(_t625 != _t676) {
                                  										 *((intOrPtr*)( *_t625 + 8))(_t625);
                                  									}
                                  									 *(_t832 - 0x18) =  *(_t832 - 0x18) + 1;
                                  									__eflags =  *(_t832 - 0x18) -  *((intOrPtr*)(_t832 - 0x3c));
                                  									if(__eflags < 0) {
                                  										continue;
                                  									} else {
                                  										goto L50;
                                  									}
                                  								}
                                  								__eflags =  *((intOrPtr*)(_t823 + 0x18)) - 1;
                                  								if( *((intOrPtr*)(_t823 + 0x18)) != 1) {
                                  									goto L40;
                                  								}
                                  								_t783 =  *(_t832 + 0x10);
                                  								__eflags = _t783 - _t676;
                                  								if(_t783 == _t676) {
                                  									_t631 =  *(_t832 + 8);
                                  									 *(_t832 - 4) = 9;
                                  									__eflags = _t631 - _t676;
                                  									if(_t631 != _t676) {
                                  										 *((intOrPtr*)( *_t631 + 8))(_t631);
                                  										_t783 =  *(_t832 + 0x10);
                                  									}
                                  									__eflags = _t783 - _t676;
                                  									 *(_t832 - 4) = 5;
                                  									if(_t783 != _t676) {
                                  										 *((intOrPtr*)( *_t783 + 8))(_t783);
                                  									}
                                  									 *(_t832 - 4) = 0xe;
                                  									E00405858(_t832 - 0xb8);
                                  									 *(_t832 - 4) = 1;
                                  									E0040D03F(_t832 - 0x108, __eflags);
                                  									 *(_t832 - 4) = _t676;
                                  									DeleteCriticalSection(_t832 - 0x58);
                                  									E0040CD67(_t832 - 0x5c);
                                  									 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  									 *(_t832 - 4) = 0xf;
                                  									goto L83;
                                  								}
                                  								E00408D12(_t832 - 0x10, _t783);
                                  								__eflags =  *((intOrPtr*)(_t826 + 0x68)) - _t676;
                                  								if(__eflags != 0) {
                                  									E0040D71E( *((intOrPtr*)(_t826 + 0x6c)), _t806, _t832, __eflags,  *(_t832 + 0x10));
                                  								}
                                  								goto L43;
                                  							}
                                  							_t604 =  *(_t832 + 8);
                                  							 *(_t832 - 4) = 9;
                                  							__eflags = _t604 - _t676;
                                  							if(_t604 != _t676) {
                                  								 *((intOrPtr*)( *_t604 + 8))(_t604);
                                  							}
                                  							_t605 =  *(_t832 + 0x10);
                                  							 *(_t832 - 4) = 5;
                                  							__eflags = _t605 - _t676;
                                  							if(_t605 != _t676) {
                                  								 *((intOrPtr*)( *_t605 + 8))(_t605);
                                  							}
                                  							 *(_t832 - 4) = 0xb;
                                  							E00405858(_t832 - 0xb8);
                                  							 *(_t832 - 4) = 1;
                                  							E0040D03F(_t832 - 0x108, __eflags);
                                  							 *(_t832 - 4) = _t676;
                                  							DeleteCriticalSection(_t832 - 0x58);
                                  							E0040CD67(_t832 - 0x5c);
                                  							 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  							_t828 =  *(_t832 - 0x1c);
                                  							 *(_t832 - 4) = 0xc;
                                  							goto L123;
                                  						} else {
                                  							 *(_t832 - 4) = 7;
                                  							E00405858(_t832 - 0xb8);
                                  							 *(_t832 - 4) = 1;
                                  							E0040D03F(_t832 - 0x108, _t852);
                                  							 *(_t832 - 4) = _t676;
                                  							DeleteCriticalSection(_t832 - 0x58);
                                  							E0040CD67(_t832 - 0x5c);
                                  							 *((intOrPtr*)(_t832 - 0x38)) = 0x41b7a4;
                                  							 *(_t832 - 4) = 8;
                                  							_t676 = _t814;
                                  							L129:
                                  							E00405898();
                                  							 *(_t832 - 4) =  *(_t832 - 4) | 0xffffffff;
                                  							E00405858(_t832 - 0x38);
                                  							_t503 = _t676;
                                  							L134:
                                  							 *[fs:0x0] =  *((intOrPtr*)(_t832 - 0xc));
                                  							return _t503;
                                  						}
                                  					}
                                  					_t653 = E0040EF20(_t832 - 0x108, _t826 + 4);
                                  					asm("sbb al, al");
                                  					_t655 =  ~_t653 + 1;
                                  					 *((char*)(_t832 + 0xb)) = _t655;
                                  					if(_t655 == 0) {
                                  						goto L51;
                                  					}
                                  					goto L21;
                                  				} else {
                                  					_t830 =  *(_t832 + 0x14);
                                  					 *(_t832 + 8) = _t830;
                                  					while(1) {
                                  						_push(0x18);
                                  						_t656 = E004051DE();
                                  						if(_t656 == _t676) {
                                  							_t824 = 0;
                                  							__eflags = 0;
                                  						} else {
                                  							 *(_t656 + 4) = _t676;
                                  							 *_t656 = 0x41b7c8;
                                  							_t824 = _t656;
                                  						}
                                  						 *(_t832 - 0x20) = _t824;
                                  						if(_t824 != _t676) {
                                  							 *((intOrPtr*)( *_t824 + 4))(_t824);
                                  						}
                                  						_push(0x28);
                                  						 *((intOrPtr*)(_t824 + 8)) = _t832 - 0x5c;
                                  						 *((intOrPtr*)(_t824 + 0x10)) =  *((intOrPtr*)(_t832 + 0xc));
                                  						 *(_t824 + 0x14) =  *(_t832 + 0x10);
                                  						 *((intOrPtr*)(_t832 + 0xc)) =  *((intOrPtr*)(_t832 + 0xc)) +  *_t830;
                                  						 *(_t832 - 4) = 2;
                                  						asm("adc [ebp+0x10], ecx");
                                  						_t661 = E004051DE();
                                  						if(_t661 == _t676) {
                                  							_t831 = 0;
                                  							__eflags = 0;
                                  						} else {
                                  							 *(_t661 + 4) = _t676;
                                  							 *(_t661 + 8) = _t676;
                                  							 *_t661 = 0x41b7b8;
                                  							_t831 = _t661;
                                  						}
                                  						 *(_t832 - 0x1c) = _t831;
                                  						if(_t831 != _t676) {
                                  							 *((intOrPtr*)( *_t831 + 4))(_t831);
                                  						}
                                  						_t33 = _t831 + 8; // 0x8
                                  						 *(_t832 - 4) = 3;
                                  						E00408D12(_t33, _t824);
                                  						_t801 =  *(_t832 + 8);
                                  						 *((intOrPtr*)(_t831 + 0x10)) =  *_t801;
                                  						 *((intOrPtr*)(_t831 + 0x14)) =  *((intOrPtr*)(_t801 + 4));
                                  						 *(_t831 + 0x18) = _t676;
                                  						_push(_t832 - 0x1c);
                                  						 *(_t831 + 0x1c) = _t676;
                                  						 *(_t831 + 0x20) = _t676;
                                  						E0040DB88(_t832 - 0x38, _t806);
                                  						_t666 =  *(_t832 - 0x1c);
                                  						 *(_t832 - 4) = 2;
                                  						if(_t666 != _t676) {
                                  							 *((intOrPtr*)( *_t666 + 8))(_t666);
                                  						}
                                  						 *(_t832 - 4) = 1;
                                  						if(_t824 != _t676) {
                                  							 *((intOrPtr*)( *_t824 + 8))(_t824);
                                  						}
                                  						 *(_t832 - 0x10) =  *(_t832 - 0x10) + 1;
                                  						 *(_t832 + 8) =  *(_t832 + 8) + 8;
                                  						if( *(_t832 - 0x10) >=  *((intOrPtr*)( *((intOrPtr*)(_t832 + 0x18)) + 0x30))) {
                                  							break;
                                  						}
                                  						_t830 =  *(_t832 + 8);
                                  					}
                                  					_t826 =  *(_t832 - 0x14);
                                  					goto L19;
                                  				}
                                  			}
                                  0x0040e8b2
                                  0x0040e8b6
                                  0x0040e8bf
                                  0x0040e8c4
                                  0x0040e8cb
                                  0x00000000
                                  0x0040e8cb
                                  0x0040e54c
                                  0x0040e551
                                  0x0040e554
                                  0x0040e55c
                                  0x0040e55c
                                  0x00000000
                                  0x0040e554
                                  0x0040e804
                                  0x0040e807
                                  0x0040e80b
                                  0x0040e80d
                                  0x0040e812
                                  0x0040e812
                                  0x0040e815
                                  0x0040e818
                                  0x0040e81c
                                  0x0040e81e
                                  0x0040e823
                                  0x0040e823
                                  0x0040e82c
                                  0x0040e830
                                  0x0040e83b
                                  0x0040e83f
                                  0x0040e847
                                  0x0040e84b
                                  0x0040e854
                                  0x0040e859
                                  0x0040e860
                                  0x0040e863
                                  0x00000000
                                  0x0040e4a2
                                  0x0040e4a8
                                  0x0040e4ac
                                  0x0040e4b7
                                  0x0040e4bb
                                  0x0040e4c3
                                  0x0040e4c7
                                  0x0040e4d0
                                  0x0040e4d5
                                  0x0040e4dc
                                  0x0040e4e3
                                  0x0040ed14
                                  0x0040ed17
                                  0x0040ed1c
                                  0x0040ed23
                                  0x0040ed28
                                  0x0040edd4
                                  0x0040edda
                                  0x0040ede2
                                  0x0040ede2
                                  0x0040e4a0
                                  0x0040e41a
                                  0x0040e421
                                  0x0040e423
                                  0x0040e425
                                  0x0040e428
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x0040e2f0
                                  0x0040e2f0
                                  0x0040e2f3
                                  0x0040e2fb
                                  0x0040e2fb
                                  0x0040e2fd
                                  0x0040e305
                                  0x0040e314
                                  0x0040e314
                                  0x0040e307
                                  0x0040e307
                                  0x0040e30a
                                  0x0040e310
                                  0x0040e310
                                  0x0040e318
                                  0x0040e31b
                                  0x0040e320
                                  0x0040e320
                                  0x0040e326
                                  0x0040e328
                                  0x0040e32e
                                  0x0040e334
                                  0x0040e339
                                  0x0040e33f
                                  0x0040e343
                                  0x0040e346
                                  0x0040e34e
                                  0x0040e360
                                  0x0040e360
                                  0x0040e350
                                  0x0040e350
                                  0x0040e353
                                  0x0040e356
                                  0x0040e35c
                                  0x0040e35c
                                  0x0040e364
                                  0x0040e367
                                  0x0040e36c
                                  0x0040e36c
                                  0x0040e370
                                  0x0040e373
                                  0x0040e377
                                  0x0040e37c
                                  0x0040e384
                                  0x0040e38a
                                  0x0040e38d
                                  0x0040e390
                                  0x0040e394
                                  0x0040e397
                                  0x0040e39a
                                  0x0040e39f
                                  0x0040e3a2
                                  0x0040e3a8
                                  0x0040e3ad
                                  0x0040e3ad
                                  0x0040e3b2
                                  0x0040e3b6
                                  0x0040e3bb
                                  0x0040e3bb
                                  0x0040e3be
                                  0x0040e3c7
                                  0x0040e3ce
                                  0x00000000
                                  0x00000000
                                  0x0040e2f8
                                  0x0040e2f8
                                  0x0040e3d4
                                  0x00000000
                                  0x0040e3d4

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040E29D
                                    • Part of subcall function 00417875: InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,Function_0001864C,0041BC48,000000FF), ref: 004178A1
                                  • DeleteCriticalSection.KERNEL32(?), ref: 0040E4C7
                                    • Part of subcall function 004051DE: malloc.MSVCRT ref: 004051E4
                                    • Part of subcall function 004051DE: _CxxThrowException.MSVCRT(?,0041C8F8), ref: 004051FE
                                  • SysFreeString.OLEAUT32(?), ref: 0040E75D
                                  • DeleteCriticalSection.KERNEL32(?), ref: 0040E84B
                                  • DeleteCriticalSection.KERNEL32(?), ref: 0040E8B6
                                  • DeleteCriticalSection.KERNEL32(?), ref: 0040E912
                                  • DeleteCriticalSection.KERNEL32(?), ref: 0040EA64
                                  • DeleteCriticalSection.KERNEL32(?), ref: 0040EABB
                                  • DeleteCriticalSection.KERNEL32(?), ref: 0040EB12
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  • SysFreeString.OLEAUT32(?), ref: 0040EB3B
                                  • DeleteCriticalSection.KERNEL32(?), ref: 0040EB77
                                  • DeleteCriticalSection.KERNEL32(?,?,?,00000004,00000004), ref: 0040EC68
                                    • Part of subcall function 00408FFB: memmove.MSVCRT ref: 00409028
                                  • SysFreeString.OLEAUT32(?), ref: 0040EBB1
                                  • DeleteCriticalSection.KERNEL32(?), ref: 0040EBED
                                  • DeleteCriticalSection.KERNEL32(?), ref: 0040ECF8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Delete$FreeString$ExceptionH_prologInitializeThrowfreemallocmemmove
                                  • String ID: '
                                  • API String ID: 1423385844-1997036262
                                  • Opcode ID: 127e2af20df32e6808e9cd04c2e9d972f3f8cd7014072d9ebbae6572d5fc03fe
                                  • Instruction ID: 80b2c8988c2d5294cdf240943b189e08b3e3a611ba902a9cbd16e8e2f669b25e
                                  • Opcode Fuzzy Hash: 127e2af20df32e6808e9cd04c2e9d972f3f8cd7014072d9ebbae6572d5fc03fe
                                  • Instruction Fuzzy Hash: 2D824B74900249DFCF10DFA5C984ADDBBB0FF18308F2484AEE455A7291DB38AA99CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph for function 0040117D (legend: Executed / Not Executed)
                                  C-Code - Quality: 76%
                                  			E0040117D(void* __edx, void* __eflags) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* _t287;
                                  				signed int _t305;
                                  				void* _t306;
                                  				intOrPtr* _t311;
                                  				intOrPtr* _t314;
                                  				void* _t322;
                                  				intOrPtr _t337;
                                  				signed int _t343;
                                  				intOrPtr _t376;
                                  				intOrPtr _t381;
                                  				signed int _t385;
                                  				intOrPtr _t399;
                                  				signed int _t409;
                                  				intOrPtr _t455;
                                  				intOrPtr _t457;
                                  				signed int _t521;
                                  				signed int _t528;
                                  				signed int _t529;
                                  				intOrPtr _t541;
                                  				intOrPtr _t545;
                                  				intOrPtr _t552;
                                  				void* _t561;
                                  				signed int _t562;
                                  				signed int _t563;
                                  				void* _t567;
                                  				intOrPtr _t569;
                                  				intOrPtr _t571;
                                  				signed int _t572;
                                  				signed int _t573;
                                  				void* _t574;
                                  				void* _t576;
                                  
                                  				_t561 = __edx;
                                  				E004182C0(E004189C1, _t574);
                                  				_push(_t567);
                                  				 *((intOrPtr*)(_t574 - 0x10)) = _t576 - 0x1c8;
                                  				SetFileApisToOEM();
                                  				E0040541C(0x421290,  *0x420060);
                                  				E00402463(_t574 - 0x58);
                                  				 *((intOrPtr*)(_t574 - 0x58)) = 0x41b38c;
                                  				 *(_t574 - 4) = 0;
                                  				E00401DBF(_t574 - 0x30, GetCommandLineW());
                                  				 *(_t574 - 4) = 1;
                                  				_push(_t574 - 0x58);
                                  				_push(_t574 - 0x30);
                                  				_t287 = E00404770(_t561);
                                  				 *(_t574 - 4) = 0;
                                  				E00405205(_t287,  *((intOrPtr*)(_t574 - 0x30)));
                                  				E00401E20(_t574 - 0x64,  *((intOrPtr*)( *((intOrPtr*)(_t574 - 0x4c)))));
                                  				 *(_t574 - 4) = 2;
                                  				E00401D43(0, _t574 - 0x58, _t567, 0, 1);
                                  				_push(6);
                                  				E00404848(_t574 - 0xb4);
                                  				_push(_t574 - 0x58);
                                  				_push(0x41b180);
                                  				 *(_t574 - 4) = 4;
                                  				E004049BD(_t574 - 0xb4);
                                  				 *(_t574 - 4) = 3;
                                  				if( *((intOrPtr*)(E00404D1E(_t574 - 0xb4, 0))) != 0) {
                                  					L62:
                                  					E0040100A();
                                  					 *(_t574 - 4) = 2;
                                  					E00405205(E00404968(_t574 - 0xb4),  *((intOrPtr*)(_t574 - 0x64)));
                                  					 *((intOrPtr*)(_t574 - 0x58)) = 0x41b38c;
                                  					 *(_t574 - 4) = 6;
                                  					goto L63;
                                  				} else {
                                  					_t569 = 1;
                                  					if( *((intOrPtr*)(E00404D1E(_t574 - 0xb4, _t569))) != 0) {
                                  						goto L62;
                                  					}
                                  					if( *((intOrPtr*)(_t574 - 0xa4)) != 0) {
                                  						__eflags =  *((intOrPtr*)(_t574 - 0xa4)) - _t569;
                                  						if( *((intOrPtr*)(_t574 - 0xa4)) > _t569) {
                                  							E00401B73();
                                  						}
                                  						_push(_t574 - 0x24);
                                  						_push( *((intOrPtr*)( *((intOrPtr*)(_t574 - 0xa0)))));
                                  						_t305 = E0040101B(0x41b38c);
                                  						__eflags = _t305;
                                  						if(_t305 == 0) {
                                  							E00401B73();
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)(_t574 - 0x24)) = _t569;
                                  					}
                                  					_t306 = E00401000(_t574 - 0x24);
                                  					E00401F25(_t574 - 0xdc);
                                  					_push(0);
                                  					_push(_t306);
                                  					_push(_t574 - 0xac);
                                  					 *(_t574 - 4) = 7;
                                  					_push(_t574 - 0xdc);
                                  					E00401136();
                                  					_t311 = E00404D1E(_t574 - 0xb4, 3);
                                  					_t571 =  *0x420064; // 0x42020c
                                  					 *((char*)(_t574 - 0x12)) =  *_t311;
                                  					_t314 = E00401EFE(_t574 - 0x64, _t574 - 0x30, 4);
                                  					 *(_t574 - 4) = 8;
                                  					 *((char*)(_t574 - 0x19)) = E00405668( *_t314, _t571) != 0;
                                  					 *(_t574 - 4) = 7;
                                  					E00405205(_t315,  *((intOrPtr*)(_t574 - 0x30)));
                                  					if( *((intOrPtr*)(_t574 - 0x19)) != 0) {
                                  						E00401EA1(_t574 - 0x64, _t561,  *0x420064);
                                  					}
                                  					 *((char*)(_t574 - 0x11)) =  *((intOrPtr*)(E00404D1E(_t574 - 0xb4, 4)));
                                  					 *((intOrPtr*)(_t574 - 0x44)) = 0;
                                  					 *((intOrPtr*)(_t574 - 0x40)) = 0;
                                  					 *((intOrPtr*)(_t574 - 0x3c)) = 0;
                                  					E0040247E(_t574 - 0x44, 0xf);
                                  					 *(_t574 - 4) = 9;
                                  					if( *((intOrPtr*)(_t574 - 0x11)) != 0) {
                                  						E00401E63(_t574 - 0x44,  *((intOrPtr*)( *((intOrPtr*)(E00404D1E(_t574 - 0xb4, 4) + 0x10)))));
                                  					}
                                  					E00401DA7(_t574 - 0x10c);
                                  					 *(_t574 - 4) = 0xa;
                                  					_push(_t574 - 0x13c);
                                  					_push( *((intOrPtr*)(_t574 - 0x64)));
                                  					_t322 = E00407203(_t574 - 0x10c, _t561, 0x41b38c); // executed
                                  					if(_t322 == 0) {
                                  						_t457 =  *0x420078; // 0x42007c
                                  						_push(0x41be20);
                                  						 *((intOrPtr*)(_t574 - 0xbc)) = _t457;
                                  						_push(_t574 - 0xbc);
                                  						L004182FC();
                                  					}
                                  					if(( *(_t574 - 0x13c) >> 0x00000004 & 0x00000001) != 0) {
                                  						_t455 =  *0x420078; // 0x42007c
                                  						_push(0x41be20);
                                  						 *((intOrPtr*)(_t574 - 0xb8)) = _t455;
                                  						_push(_t574 - 0xb8);
                                  						L004182FC();
                                  					}
                                  					 *((intOrPtr*)(_t574 - 0x70)) = 0;
                                  					 *((intOrPtr*)(_t574 - 0x6c)) = 0;
                                  					 *((intOrPtr*)(_t574 - 0x68)) = 0;
                                  					E0040247E(_t574 - 0x70, 0xf);
                                  					 *(_t574 - 4) = 0xb;
                                  					if( *((intOrPtr*)(E00404D1E(_t574 - 0xb4, 5))) != 0) {
                                  						E00401E63(_t574 - 0x70,  *((intOrPtr*)( *((intOrPtr*)(E00404D1E(_t574 - 0xb4, 5) + 0x10)))));
                                  						E004075B6(_t574 - 0x70);
                                  					}
                                  					E00402463(_t574 - 0x98);
                                  					 *((intOrPtr*)(_t574 - 0x98)) = 0x41b38c;
                                  					 *(_t574 - 4) = 0xc;
                                  					E00402463(_t574 - 0x84);
                                  					 *((intOrPtr*)(_t574 - 0x84)) = 0x41b38c;
                                  					_push(_t574 - 0x64);
                                  					 *(_t574 - 4) = 0xd;
                                  					E00401CFC(_t574 - 0x98, _t561);
                                  					_push(_t574 - 0x64);
                                  					E00401CFC(_t574 - 0x84, _t561);
                                  					_push(0x1c);
                                  					 *((intOrPtr*)(_t574 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t574 - 0xd0)))) + 0xc;
                                  					_t572 = E004051DE();
                                  					 *(_t574 - 0x18) = _t572;
                                  					 *(_t574 - 4) = 0xe;
                                  					if(_t572 == 0) {
                                  						 *(_t574 - 0x18) = 0;
                                  						_t572 = 0;
                                  					} else {
                                  						_t88 = _t572 + 8; // 0x8
                                  						 *((intOrPtr*)(_t572 + 4)) = 0;
                                  						E00401FD9(_t88);
                                  						 *_t572 = 0x41b380;
                                  						 *(_t574 - 0x18) = _t572;
                                  					}
                                  					 *(_t574 - 4) = 0xd;
                                  					 *(_t574 - 0xfc) = _t572;
                                  					if(_t572 != 0) {
                                  						 *((intOrPtr*)( *_t572 + 4))(_t572);
                                  					}
                                  					 *(_t574 - 4) = 0xf;
                                  					_t337 = E0040ADB1(_t572, _t561);
                                  					if(_t337 != 0) {
                                  						 *((intOrPtr*)(_t574 - 0xc4)) = _t337;
                                  						_push(0x41be10);
                                  						_push(_t574 - 0xc4);
                                  						L004182FC();
                                  					}
                                  					if( *((intOrPtr*)(_t574 - 0x24)) == 2) {
                                  						 *(_t574 - 0x38) = 0;
                                  						_push(_t574 - 0x38);
                                  						_push(_t574 - 0x44);
                                  						_push(_t574 - 0x11);
                                  						_push(0);
                                  						_push(1);
                                  						_push( *((intOrPtr*)(_t574 - 0x20)));
                                  						 *(_t574 - 0x34) = 0;
                                  						_push(_t574 - 0x84);
                                  						_push(_t574 - 0x98);
                                  						_push(_t572);
                                  						_t343 = E00403303(_t561, __eflags);
                                  						__eflags =  *(_t574 - 0x34);
                                  						if(__eflags > 0) {
                                  							L56:
                                  							E004054D0(E0040541C(E00405400(0x421290, E0040540E), "Errors: "), _t561, __eflags,  *(_t574 - 0x38),  *(_t574 - 0x34));
                                  							__eflags = _t572;
                                  							 *(_t574 - 4) = 0xd;
                                  							if(_t572 != 0) {
                                  								 *((intOrPtr*)( *_t572 + 8))(_t572);
                                  							}
                                  							 *((intOrPtr*)(_t574 - 0x84)) = 0x41b38c;
                                  							 *(_t574 - 4) = 0x18;
                                  							E00405898();
                                  							 *(_t574 - 4) = 0xc;
                                  							E00405858(_t574 - 0x84);
                                  							 *((intOrPtr*)(_t574 - 0x98)) = 0x41b38c;
                                  							 *(_t574 - 4) = 0x19;
                                  							E00405898();
                                  							 *(_t574 - 4) = 0xb;
                                  							E00405205(E00405205(E00405205(E00405858(_t574 - 0x98),  *((intOrPtr*)(_t574 - 0x70))),  *((intOrPtr*)(_t574 - 0x10c))),  *((intOrPtr*)(_t574 - 0x44)));
                                  							 *(_t574 - 4) = 3;
                                  							E00401F40(_t574 - 0xdc);
                                  							 *(_t574 - 4) = 2;
                                  							E00405205(E00404968(_t574 - 0xb4),  *((intOrPtr*)(_t574 - 0x64)));
                                  							 *((intOrPtr*)(_t574 - 0x58)) = 0x41b38c;
                                  							 *(_t574 - 4) = 0x1a;
                                  							goto L59;
                                  						}
                                  						__eflags =  *(_t574 - 0x38);
                                  						if(__eflags <= 0) {
                                  							__eflags = _t343;
                                  							if(_t343 == 0) {
                                  								goto L42;
                                  							}
                                  							 *(_t574 - 0xc8) = _t343;
                                  							_push(0x41be10);
                                  							_push(_t574 - 0xc8);
                                  							L004182FC();
                                  							goto L62;
                                  						}
                                  						goto L56;
                                  					} else {
                                  						_push(0x48);
                                  						_t521 = E004051DE();
                                  						 *(_t574 - 0x34) = _t521;
                                  						 *(_t574 - 4) = 0x10;
                                  						if(_t521 == 0) {
                                  							_t573 = 0;
                                  							__eflags = 0;
                                  						} else {
                                  							_t573 = E00401BBE(_t521);
                                  						}
                                  						 *(_t574 - 4) = 0xf;
                                  						 *(_t574 - 0x34) = _t573;
                                  						if(_t573 != 0) {
                                  							 *((intOrPtr*)( *_t573 + 4))(_t573);
                                  						}
                                  						_t376 =  *0x421270; // 0x421290
                                  						_t104 = _t573 + 0x10; // 0x10
                                  						 *((intOrPtr*)(_t573 + 0x40)) = _t376;
                                  						 *((char*)(_t573 + 0xc)) =  *((intOrPtr*)(_t574 - 0x11));
                                  						 *(_t574 - 4) = 0x11;
                                  						E00401E63(_t104, _t574 - 0x44);
                                  						 *((intOrPtr*)(_t573 + 0x20)) = 0;
                                  						 *(_t573 + 0x28) = 0;
                                  						 *(_t573 + 0x30) = 0;
                                  						 *((intOrPtr*)(_t573 + 0x38)) = 0;
                                  						 *((intOrPtr*)(_t573 + 0x24)) = 0;
                                  						 *(_t573 + 0x2c) = 0;
                                  						 *(_t573 + 0x34) = 0;
                                  						 *((intOrPtr*)(_t573 + 0x3c)) = 0;
                                  						E00401B44(_t574 - 0xf8);
                                  						_t381 =  *0x421270; // 0x421290
                                  						 *((intOrPtr*)(_t574 - 0xf4)) = _t381;
                                  						 *((char*)(_t574 - 0xf0)) =  *((intOrPtr*)(_t574 - 0x11));
                                  						 *(_t574 - 4) = 0x12;
                                  						E00401E63(_t574 - 0xec, _t574 - 0x44);
                                  						_t385 = E00401AC4(_t574 - 0x1ac);
                                  						 *(_t574 - 4) = 0x13;
                                  						 *((char*)(_t574 - 0x1ac)) = 0;
                                  						 *((char*)(_t574 - 0x1ab)) = _t385 & 0xffffff00 |  *((intOrPtr*)(_t574 - 0x24)) == 0x00000000;
                                  						 *((intOrPtr*)(_t574 - 0x1a8)) = 0;
                                  						 *(_t574 - 0x144) = 0 |  *((intOrPtr*)(_t574 - 0x12)) != 0x00000000;
                                  						E00401E63(_t574 - 0x1a4, _t574 - 0x70);
                                  						 *((char*)(_t574 - 0x198)) =  *((intOrPtr*)(_t574 - 0x12));
                                  						 *((intOrPtr*)(_t574 - 0x30)) = 0;
                                  						 *((intOrPtr*)(_t574 - 0x2c)) = 0;
                                  						 *((intOrPtr*)(_t574 - 0x28)) = 0;
                                  						E0040247E(_t574 - 0x30, 0xf);
                                  						 *(_t574 - 4) = 0x14;
                                  						_push(_t574 - 0x1d4);
                                  						_push(_t574 - 0x30);
                                  						_push(_t573);
                                  						_push(_t574 - 0xf8);
                                  						_push(_t574 - 0x1ac);
                                  						_push( *((intOrPtr*)(_t574 - 0x20)));
                                  						_push(_t574 - 0x84);
                                  						_push(_t574 - 0x98);
                                  						_push( *(_t574 - 0x18));
                                  						_t399 = E0040B24E(_t561,  *((intOrPtr*)(_t574 - 0x12))); // executed
                                  						 *((intOrPtr*)(_t574 - 0x20)) = _t399;
                                  						if( *((intOrPtr*)(_t574 - 0x2c)) != 0) {
                                  							_push( *((intOrPtr*)(_t574 - 0x30)));
                                  							_t552 =  *0x421270; // 0x421290
                                  							E00405434(E0040541C(E00405400(_t552, E0040540E), "Error: "), 0x41b38c);
                                  							if( *((intOrPtr*)(_t574 - 0x20)) == 0) {
                                  								 *((intOrPtr*)(_t574 - 0x20)) = 0x80004005;
                                  							}
                                  						}
                                  						_t528 =  *(_t573 + 0x28);
                                  						_t562 =  *(_t573 + 0x2c);
                                  						if((_t528 | _t562) != 0 || ( *(_t573 + 0x30) |  *(_t573 + 0x34)) != 0) {
                                  							__eflags = _t528 | _t562;
                                  							if(__eflags != 0) {
                                  								_t545 =  *0x421270; // 0x421290
                                  								E00405400(E004054D0(E0040541C(E00405400(_t545, E0040540E), "Archive Errors: "), _t562, __eflags, _t528, _t562), E0040540E);
                                  							}
                                  							_t529 =  *(_t573 + 0x30);
                                  							_t563 =  *(_t573 + 0x34);
                                  							_t405 = _t529 | _t563;
                                  							__eflags = _t529 | _t563;
                                  							if(__eflags != 0) {
                                  								_t541 =  *0x421270; // 0x421290
                                  								_t405 = E00405400(E004054D0(E0040541C(E00405400(_t541, E0040540E), "Sub items Errors: "), _t563, __eflags, _t529, _t563), E0040540E);
                                  							}
                                  							E00405205(_t405,  *((intOrPtr*)(_t574 - 0x30)));
                                  							 *(_t574 - 4) = 0x12;
                                  							E00405205(E00401CA4(_t574 - 0x1ac),  *((intOrPtr*)(_t574 - 0xec)));
                                  							__eflags = _t573;
                                  							 *(_t574 - 4) = 0xf;
                                  							if(_t573 != 0) {
                                  								 *((intOrPtr*)( *_t573 + 8))(_t573);
                                  							}
                                  							_t409 =  *(_t574 - 0x18);
                                  							 *(_t574 - 4) = 0xd;
                                  							__eflags = _t409;
                                  							if(_t409 != 0) {
                                  								 *((intOrPtr*)( *_t409 + 8))(_t409);
                                  							}
                                  							 *((intOrPtr*)(_t574 - 0x84)) = 0x41b38c;
                                  							 *(_t574 - 4) = 0x15;
                                  							E00405898();
                                  							 *(_t574 - 4) = 0xc;
                                  							E00405858(_t574 - 0x84);
                                  							 *((intOrPtr*)(_t574 - 0x98)) = 0x41b38c;
                                  							 *(_t574 - 4) = 0x16;
                                  							E00405898();
                                  							 *(_t574 - 4) = 0xb;
                                  							E00405205(E00405205(E00405205(E00405858(_t574 - 0x98),  *((intOrPtr*)(_t574 - 0x70))),  *((intOrPtr*)(_t574 - 0x10c))),  *((intOrPtr*)(_t574 - 0x44)));
                                  							 *(_t574 - 4) = 3;
                                  							E00401F40(_t574 - 0xdc);
                                  							 *(_t574 - 4) = 2;
                                  							E00405205(E00404968(_t574 - 0xb4),  *((intOrPtr*)(_t574 - 0x64)));
                                  							 *((intOrPtr*)(_t574 - 0x58)) = 0x41b38c;
                                  							 *(_t574 - 4) = 0x17;
                                  							L59:
                                  							E00405898();
                                  							 *(_t574 - 4) =  *(_t574 - 4) | 0xffffffff;
                                  							E00405858(_t574 - 0x58);
                                  							_push(2);
                                  							_pop(0);
                                  							goto L64;
                                  						} else {
                                  							_t434 =  *((intOrPtr*)(_t574 - 0x20));
                                  							if(_t434 != 0) {
                                  								 *((intOrPtr*)(_t574 - 0xc0)) = _t434;
                                  								_t434 = _t574 - 0xc0;
                                  								_push(0x41be10);
                                  								_push(_t574 - 0xc0);
                                  								L004182FC();
                                  							}
                                  							E00405205(_t434,  *((intOrPtr*)(_t574 - 0x30)));
                                  							 *(_t574 - 4) = 0x12;
                                  							E00405205(E00401CA4(_t574 - 0x1ac),  *((intOrPtr*)(_t574 - 0xec)));
                                  							 *(_t574 - 4) = 0xf;
                                  							if(_t573 != 0) {
                                  								 *((intOrPtr*)( *_t573 + 8))(_t573);
                                  							}
                                  							_t572 =  *(_t574 - 0x18);
                                  							L42:
                                  							 *(_t574 - 4) = 0xd;
                                  							if(_t572 != 0) {
                                  								 *((intOrPtr*)( *_t572 + 8))(_t572);
                                  							}
                                  							 *((intOrPtr*)(_t574 - 0x84)) = 0x41b38c;
                                  							 *(_t574 - 4) = 0x1b;
                                  							E00405898();
                                  							 *(_t574 - 4) = 0xc;
                                  							E00405858(_t574 - 0x84);
                                  							 *((intOrPtr*)(_t574 - 0x98)) = 0x41b38c;
                                  							 *(_t574 - 4) = 0x1c;
                                  							E00405898();
                                  							 *(_t574 - 4) = 0xb;
                                  							E00405205(E00405205(E00405205(E00405858(_t574 - 0x98),  *((intOrPtr*)(_t574 - 0x70))),  *((intOrPtr*)(_t574 - 0x10c))),  *((intOrPtr*)(_t574 - 0x44)));
                                  							 *((intOrPtr*)(_t574 - 0xdc)) = 0x41b378;
                                  							 *(_t574 - 4) = 0x1d;
                                  							E00405898();
                                  							 *(_t574 - 4) = 3;
                                  							E00405858(_t574 - 0xdc);
                                  							 *(_t574 - 4) = 2;
                                  							E00405205(E00404968(_t574 - 0xb4),  *((intOrPtr*)(_t574 - 0x64)));
                                  							 *((intOrPtr*)(_t574 - 0x58)) = 0x41b38c;
                                  							 *(_t574 - 4) = 0x1e;
                                  							L63:
                                  							E00405898();
                                  							 *(_t574 - 4) =  *(_t574 - 4) | 0xffffffff;
                                  							E00405858(_t574 - 0x58);
                                  							L64:
                                  							 *[fs:0x0] =  *((intOrPtr*)(_t574 - 0xc));
                                  							return 0;
                                  						}
                                  					}
                                  				}
                                  			}

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00401182
                                  • SetFileApisToOEM.KERNEL32 ref: 00401193
                                    • Part of subcall function 0040541C: fputs.MSVCRT ref: 00405426
                                  • GetCommandLineW.KERNEL32 ref: 004011BE
                                    • Part of subcall function 00404770: __EH_prolog.LIBCMT ref: 00404775
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                    • Part of subcall function 00404848: __EH_prolog.LIBCMT ref: 0040484D
                                  • _CxxThrowException.MSVCRT(?,0041BE20), ref: 004013AD
                                  • _CxxThrowException.MSVCRT(?,0041BE20), ref: 004013D6
                                  • _CxxThrowException.MSVCRT(?,0041BE10), ref: 004014E1
                                    • Part of subcall function 00401AC4: __EH_prolog.LIBCMT ref: 00401AC9
                                    • Part of subcall function 0040B24E: __EH_prolog.LIBCMT ref: 0040B253
                                  • _CxxThrowException.MSVCRT(?,0041BE10), ref: 0040168F
                                    • Part of subcall function 00405434: __EH_prolog.LIBCMT ref: 00405439
                                    • Part of subcall function 00403303: __EH_prolog.LIBCMT ref: 00403308
                                  • _CxxThrowException.MSVCRT(?,0041BE10), ref: 00401A13
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog$ExceptionThrow$ApisCommandFileLinefputsfree
                                  • String ID: Archive Errors: $Error: $Errors: $Sub items Errors: $U @
                                  • API String ID: 2866236303-1140942031
                                  • Opcode ID: e53b9bee5c7677578000c63fb71b51643244b2fcceea14a299493ab56ed23dab
                                  • Instruction ID: d4566c52c96a2e8a08256c20245b126f96d1062372c72e728d87f6b637d2a96e
                                  • Opcode Fuzzy Hash: e53b9bee5c7677578000c63fb71b51643244b2fcceea14a299493ab56ed23dab
                                  • Instruction Fuzzy Hash: B3428E70D01258DADF21EBA5C985BDEBBB4AF15304F1040EFE449B32A2DB385A84CF59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                  				signed int _v8;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				int _v32;
                                  				char** _v36;
                                  				int _v40;
                                  				void _v44;
                                  				char** _v48;
                                  				intOrPtr _v52;
                                  				intOrPtr* _t18;
                                  				intOrPtr* _t19;
                                  				void* _t22;
                                  				void _t24;
                                  				int _t31;
                                  				intOrPtr* _t32;
                                  				intOrPtr _t35;
                                  				intOrPtr _t36;
                                  				intOrPtr _t39;
                                  				void* _t43;
                                  				intOrPtr _t48;
                                  
                                  				_t43 = __edx;
                                  				_push(0xffffffff);
                                  				_push(0x41bcb0);
                                  				_push(0x41864c);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t48;
                                  				_v28 = _t48 - 0x20;
                                  				_v8 = _v8 & 0x00000000;
                                  				__set_app_type(1);
                                  				 *0x4255a4 =  *0x4255a4 | 0xffffffff;
                                  				 *0x4255a8 =  *0x4255a8 | 0xffffffff;
                                  				_t18 = __p__fmode();
                                  				_t35 =  *0x421488; // 0x0
                                  				 *_t18 = _t35;
                                  				_t19 = __p__commode();
                                  				_t36 =  *0x421484; // 0x0
                                  				 *_t19 = _t36;
                                  				 *0x4255a0 = _adjust_fdiv;
                                  				_t22 = E00418795( *_adjust_fdiv);
                                  				if( *0x421260 == 0) {
                                  					__setusermatherr(E00418792);
                                  				}
                                  				E00418780(_t22);
                                  				_push(0x420050);
                                  				_push(0x42004c);
                                  				L0041877A();
                                  				_t24 =  *0x421480; // 0x0
                                  				_v44 = _t24;
                                  				__getmainargs( &_v32,  &_v48,  &_v36,  *0x42147c,  &_v44);
                                  				_push(0x420048);
                                  				_push(0x420000);
                                  				L0041877A();
                                  				 *(__p___initenv()) = _v36;
                                  				_push(_v36);
                                  				_push(_v48);
                                  				_push(_v32);
                                  				_t31 = E00403F64(_t43); // executed
                                  				_v40 = _t31;
                                  				exit(_t31); // executed
                                  				_t32 = _v24;
                                  				_t39 =  *((intOrPtr*)( *_t32));
                                  				_v52 = _t39;
                                  				_push(_t32);
                                  				_push(_t39);
                                  				L00418774();
                                  				return _t32;
                                  			}
























                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 167530163-0
                                  • Opcode ID: 8bd55aef8ae6407b831ca382bc1c44806d127fe6c68c6ce340102dddd31168b3
                                  • Instruction ID: 7376d8799241ae7e44cc0f8e68098c419fba21525fe28e0a0cd3f10abc2e61be
                                  • Opcode Fuzzy Hash: 8bd55aef8ae6407b831ca382bc1c44806d127fe6c68c6ce340102dddd31168b3
                                  • Instruction Fuzzy Hash: 4E31DC75A40208EFD714AFA4EC49BDE7BB8FB0C721F60412EF521A22E1DB785541CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 83%
                                  			E0040B24E(signed int __edx, void* __eflags) {
                                  				void* __edi;
                                  				signed int _t289;
                                  				void* _t292;
                                  				intOrPtr _t301;
                                  				signed int _t305;
                                  				signed int _t312;
                                  				signed char _t321;
                                  				char _t333;
                                  				signed int _t336;
                                  				void* _t341;
                                  				void* _t343;
                                  				void* _t353;
                                  				void* _t354;
                                  				void* _t357;
                                  				signed int _t360;
                                  				void* _t361;
                                  				intOrPtr _t368;
                                  				signed int _t378;
                                  				signed int _t393;
                                  				signed int _t394;
                                  				void* _t407;
                                  				void* _t417;
                                  				signed int _t418;
                                  				signed int _t433;
                                  				signed int _t441;
                                  				intOrPtr* _t457;
                                  				signed int _t491;
                                  				signed int _t492;
                                  				signed int _t498;
                                  				signed int _t503;
                                  				char* _t505;
                                  				signed int _t507;
                                  				signed int _t509;
                                  				intOrPtr* _t511;
                                  				intOrPtr _t512;
                                  				signed int _t513;
                                  				void* _t514;
                                  				void* _t516;
                                  				void* _t517;
                                  
                                  				_t491 = __edx;
                                  				E004182C0(E00419759, _t514);
                                  				_t517 = _t516 - 0x150;
                                  				_t505 =  *(_t514 + 0x28);
                                  				_push( *(_t514 + 0x18));
                                  				_t498 = 0;
                                  				_t505[0x20] = 0;
                                  				_t505[0x18] = 0;
                                  				_t505[8] = 0;
                                  				_t505[0x10] = 0;
                                  				 *_t505 = 0;
                                  				_t505[0x24] = 0;
                                  				_t505[0x1c] = 0;
                                  				_t505[0xc] = 0;
                                  				_t505[0x14] = 0;
                                  				_t505[4] = 0;
                                  				E0040BB9A(_t514 - 0x15c);
                                  				 *(_t514 - 4) = 0;
                                  				 *(_t514 - 0x1c) = 0;
                                  				 *((intOrPtr*)(_t514 - 0x18)) = 0;
                                  				E00407282(_t514 - 0x80, 8);
                                  				 *((intOrPtr*)(_t514 - 0x80)) = 0x41b664;
                                  				_t417 =  *(_t514 + 0xc);
                                  				 *(_t514 - 4) = 1;
                                  				 *(_t514 + 0x18) = 0;
                                  				if( *((intOrPtr*)(_t417 + 8)) <= 0) {
                                  					L4:
                                  					_push(0x108);
                                  					_t289 = E004051DE();
                                  					 *(_t514 + 0x18) = _t289;
                                  					 *(_t514 - 4) = 3;
                                  					if(_t289 == _t498) {
                                  						L8:
                                  						_t418 = 0;
                                  						__eflags = 0;
                                  						goto L9;
                                  					} else {
                                  						_t418 = E0040B8EE(_t289);
                                  						L9:
                                  						 *(_t514 - 4) = 1;
                                  						 *(_t514 - 0xd4) = _t418;
                                  						if(_t418 != _t498) {
                                  							 *((intOrPtr*)( *_t418 + 4))(_t418);
                                  						}
                                  						 *(_t514 - 4) = 4;
                                  						 *(_t418 + 0xf8) = _t498;
                                  						 *(_t418 + 0xf0) = _t498;
                                  						_t492 = _t491 & 0xffffff00 | ( *(_t514 + 0xc))[8] - 0x00000001 > 0x00000000;
                                  						 *(_t418 + 0xe8) = _t498;
                                  						 *(_t418 + 0xe0) = _t492;
                                  						 *(_t418 + 0xfc) = _t498;
                                  						 *(_t418 + 0xf4) = _t498;
                                  						 *(_t418 + 0xec) = _t498;
                                  						 *((intOrPtr*)(_t418 + 0x2c)) =  *((intOrPtr*)(_t514 - 0x158));
                                  						 *((intOrPtr*)(_t418 + 0x30)) =  *((intOrPtr*)(_t514 - 0xf4));
                                  						if(_t492 == 0) {
                                  							L16:
                                  							_t292 =  *(_t514 + 0xc);
                                  							 *(_t514 + 0x18) = _t498;
                                  							__eflags =  *((intOrPtr*)(_t292 + 8)) - _t498;
                                  							if( *((intOrPtr*)(_t292 + 8)) <= _t498) {
                                  								L41:
                                  								__eflags = _t418 - _t498;
                                  								_t505[0x18] =  *(_t418 + 0xe8);
                                  								_t505[0x1c] =  *(_t418 + 0xec);
                                  								_t505[0x20] =  *(_t418 + 0xf0);
                                  								_t505[0x24] =  *(_t418 + 0xf4);
                                  								_t505[8] =  *(_t418 + 0xf8);
                                  								_t505[0xc] =  *(_t418 + 0xfc);
                                  								 *(_t514 - 4) = 1;
                                  								asm("cdq");
                                  								 *_t505 = ( *(_t514 + 0xc))[8];
                                  								_t505[4] = _t492;
                                  								_t301 =  *((intOrPtr*)(_t418 + 0xc8));
                                  								_t505[0x10] =  *(_t301 + 0x20);
                                  								_t505[0x14] =  *(_t301 + 0x24);
                                  								if(_t418 != _t498) {
                                  									 *((intOrPtr*)( *_t418 + 8))(_t418);
                                  								}
                                  								 *(_t514 - 4) =  *(_t514 - 4) & 0x00000000;
                                  								E00405858(_t514 - 0x80);
                                  								 *(_t514 - 4) =  *(_t514 - 4) | 0xffffffff;
                                  								E00401CA4(_t514 - 0x15c);
                                  								_t305 = 0;
                                  								__eflags = 0;
                                  								goto L44;
                                  							} else {
                                  								goto L17;
                                  							}
                                  							while(1) {
                                  								L17:
                                  								_t507 =  *(( *(_t514 + 0xc))[0xc] +  *(_t514 + 0x18) * 4);
                                  								 *(_t514 - 0x10) = _t507;
                                  								E00401DA7(_t514 - 0x3c);
                                  								_push(_t514 - 0x6c);
                                  								_push( *_t507);
                                  								 *(_t514 - 4) = 5;
                                  								_t312 = E00407203(_t514 - 0x3c, _t492, _t498);
                                  								__eflags = _t312;
                                  								if(_t312 == 0) {
                                  									break;
                                  								}
                                  								_t321 =  *(_t514 - 0x6c) >> 4;
                                  								__eflags = _t321 & 0x00000001;
                                  								if((_t321 & 0x00000001) != 0) {
                                  									L46:
                                  									_t314 = _t514 + 0xc;
                                  									_push(0x41c200);
                                  									_push(_t514 + 0xc);
                                  									 *(_t514 + 0xc) = "there is no such archive";
                                  									L004182FC();
                                  									L47:
                                  									E00405205(_t314,  *((intOrPtr*)(_t514 - 0x3c)));
                                  									__eflags = _t418;
                                  									 *(_t514 - 4) = 1;
                                  									if(_t418 != 0) {
                                  										 *((intOrPtr*)( *_t418 + 8))(_t418);
                                  									}
                                  									_t509 =  *(_t514 - 0x14);
                                  									L64:
                                  									 *(_t514 - 4) =  *(_t514 - 4) & 0x00000000;
                                  									E00405858(_t514 - 0x80);
                                  									 *(_t514 - 4) =  *(_t514 - 4) | 0xffffffff;
                                  									E00401CA4(_t514 - 0x15c);
                                  									_t305 = _t509;
                                  									goto L44;
                                  								}
                                  								_t433 = 0xc;
                                  								memcpy(_t514 - 0x134, _t514 - 0x6c, _t433 << 2);
                                  								_t517 = _t517 + 0xc;
                                  								E00401E63(_t514 - 0x104, _t514 - 0x3c);
                                  								_t511 =  *((intOrPtr*)(_t514 + 0x1c));
                                  								 *((intOrPtr*)( *_t511 + 0x18))();
                                  								_t498 =  *(_t514 + 0x20);
                                  								_t314 =  *((intOrPtr*)( *_t498 + 0x24))( *( *(_t514 - 0x10)));
                                  								__eflags = _t314;
                                  								 *(_t514 - 0x14) = _t314;
                                  								if(_t314 != 0) {
                                  									goto L47;
                                  								}
                                  								E00403BB3(_t514 - 0xd0);
                                  								 *(_t514 - 4) = 6;
                                  								 *(_t514 - 0x14) = E0040CD30(_t514 - 0xd0, __eflags,  *((intOrPtr*)(_t514 + 8)),  *(_t514 - 0x10), _t514 - 0xd0, _t511);
                                  								_t333 =  *((intOrPtr*)( *_t511 + 0x14))();
                                  								_t492 =  *_t498;
                                  								 *((char*)(_t514 - 0x2c)) = _t333;
                                  								_t336 =  *((intOrPtr*)(_t492 + 0x28))( *( *(_t514 - 0x10)),  *(_t514 - 0x14),  *((intOrPtr*)(_t514 - 0x2c)));
                                  								_t441 = 0;
                                  								 *(_t514 - 0x10) = _t336;
                                  								__eflags = _t336;
                                  								if(_t336 != 0) {
                                  									 *(_t514 - 4) = 5;
                                  									E00405205(E00403C87(_t514 - 0xd0),  *((intOrPtr*)(_t514 - 0x3c)));
                                  									__eflags = _t418;
                                  									 *(_t514 - 4) = 1;
                                  									if(_t418 != 0) {
                                  										 *((intOrPtr*)( *_t418 + 8))(_t418);
                                  									}
                                  									_t509 =  *(_t514 - 0x10);
                                  									goto L64;
                                  								}
                                  								__eflags =  *(_t514 - 0x14);
                                  								if( *(_t514 - 0x14) != 0) {
                                  									L39:
                                  									 *(_t514 - 4) = 5;
                                  									_t341 = E00403C87(_t514 - 0xd0);
                                  									 *(_t514 - 4) = 4;
                                  									E00405205(_t341,  *((intOrPtr*)(_t514 - 0x3c)));
                                  									 *(_t514 + 0x18) =  *(_t514 + 0x18) + 1;
                                  									_t343 =  *(_t514 + 0xc);
                                  									__eflags =  *(_t514 + 0x18) -  *((intOrPtr*)(_t343 + 8));
                                  									if( *(_t514 + 0x18) <  *((intOrPtr*)(_t343 + 8))) {
                                  										continue;
                                  									}
                                  									_t505 =  *(_t514 + 0x28);
                                  									_t498 = 0;
                                  									__eflags = 0;
                                  									goto L41;
                                  								}
                                  								__eflags =  *(_t514 - 0xa0);
                                  								 *(_t514 - 0x10) = 0;
                                  								if(__eflags <= 0) {
                                  									L28:
                                  									if(__eflags == 0) {
                                  										L31:
                                  										 *((intOrPtr*)(_t514 - 0x28)) = _t441;
                                  										 *((intOrPtr*)(_t514 - 0x24)) = _t441;
                                  										 *((intOrPtr*)(_t514 - 0x20)) = _t441;
                                  										E0040247E(_t514 - 0x28, 0xf);
                                  										 *(_t514 - 4) = 7;
                                  										_t346 =  *((intOrPtr*)( *_t511 + 0x10))(_t514 - 0x28);
                                  										_t509 = _t346;
                                  										__eflags = _t509;
                                  										if(_t509 != 0) {
                                  											L56:
                                  											E00405205(_t346,  *((intOrPtr*)(_t514 - 0x28)));
                                  											 *(_t514 - 4) = 5;
                                  											E00405205(E00403C87(_t514 - 0xd0),  *((intOrPtr*)(_t514 - 0x3c)));
                                  											__eflags = _t418;
                                  											 *(_t514 - 4) = 1;
                                  											if(_t418 != 0) {
                                  												 *((intOrPtr*)( *_t418 + 8))(_t418);
                                  											}
                                  											goto L64;
                                  										}
                                  										__eflags =  *((intOrPtr*)(_t514 - 0x24)) - _t346;
                                  										if( *((intOrPtr*)(_t514 - 0x24)) == _t346) {
                                  											L34:
                                  											_t353 = E00403C2B(_t514 - 0xd0, _t514 - 0xec);
                                  											 *(_t514 - 4) = 8;
                                  											_t354 = E00401E63(_t514 - 0x144, _t353);
                                  											 *(_t514 - 4) = 7;
                                  											E00405205(_t354,  *((intOrPtr*)(_t514 - 0xec)));
                                  											_t357 = E00403C2B(_t514 - 0xd0, _t514 - 0xe0);
                                  											__eflags =  *(_t514 - 0xcc);
                                  											 *(_t514 - 4) = 9;
                                  											_t457 = _t514 - 0xcc;
                                  											if(__eflags == 0) {
                                  												_t457 = _t514 - 0xd0;
                                  											}
                                  											_t512 =  *((intOrPtr*)(_t514 + 0x24));
                                  											_push(_t512);
                                  											_push(_t418);
                                  											_push(_t498);
                                  											_push(_t514 - 0x15c);
                                  											_push( *((intOrPtr*)(_t514 + 0x14)));
                                  											_push(_t357);
                                  											asm("adc edx, [ebp-0x8c]");
                                  											_push( *(_t514 - 0x48));
                                  											_push( *((intOrPtr*)(_t514 - 0x4c)) +  *((intOrPtr*)(_t514 - 0x90)));
                                  											_push( *_t457); // executed
                                  											_t360 = E0040B017( *(_t514 - 0x48), __eflags); // executed
                                  											_t503 = _t360;
                                  											_t361 = E00405205(_t360,  *((intOrPtr*)(_t514 - 0xe0)));
                                  											__eflags = _t503;
                                  											if(_t503 != 0) {
                                  												E00405205(_t361,  *((intOrPtr*)(_t514 - 0x28)));
                                  												 *(_t514 - 4) = 5;
                                  												E00405205(E00403C87(_t514 - 0xd0),  *((intOrPtr*)(_t514 - 0x3c)));
                                  												__eflags = _t418;
                                  												 *(_t514 - 4) = 1;
                                  												if(_t418 != 0) {
                                  													 *((intOrPtr*)( *_t418 + 8))(_t418);
                                  												}
                                  												_t509 = _t503;
                                  												goto L64;
                                  											} else {
                                  												_t492 =  *((intOrPtr*)(_t514 - 0x4c)) +  *((intOrPtr*)(_t514 - 0x90));
                                  												_t498 =  *(_t514 - 0x48);
                                  												_t194 = _t418 + 0xc8; // 0xc8
                                  												asm("adc edi, [ebp-0x8c]");
                                  												 *((intOrPtr*)( *((intOrPtr*)(_t418 + 0xc8)) + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t418 + 0xc8)) + 0x20)) + _t492;
                                  												asm("adc [eax+0x24], edi");
                                  												_t368 =  *_t194;
                                  												 *(_t368 + 0x28) =  *(_t418 + 0xf8);
                                  												 *(_t368 + 0x2c) =  *(_t418 + 0xfc);
                                  												__eflags =  *(_t512 + 4);
                                  												_push( *((intOrPtr*)(_t514 - 0x28)));
                                  												if( *(_t512 + 4) != 0) {
                                  													E00405205(_t368);
                                  													 *(_t514 - 4) = 5;
                                  													E00405205(E00403C87(_t514 - 0xd0),  *((intOrPtr*)(_t514 - 0x3c)));
                                  													__eflags = _t418;
                                  													 *(_t514 - 4) = 1;
                                  													if(_t418 != 0) {
                                  														 *((intOrPtr*)( *_t418 + 8))(_t418);
                                  													}
                                  													_t509 = 0x80004005;
                                  													goto L64;
                                  												}
                                  												E00405205(_t368);
                                  												goto L39;
                                  											}
                                  										}
                                  										_t509 =  *((intOrPtr*)( *_t498 + 0x34))(_t514 - 0x28);
                                  										__eflags = _t509;
                                  										if(_t509 != 0) {
                                  											goto L56;
                                  										}
                                  										goto L34;
                                  									}
                                  									 *(_t514 - 0x1c) =  *(_t514 - 0x1c) +  *((intOrPtr*)(_t514 - 0x90));
                                  									asm("adc [ebp-0x18], ecx");
                                  									_t378 =  *((intOrPtr*)( *_t498 + 0xc))(_t498,  *(_t514 - 0x1c),  *((intOrPtr*)(_t514 - 0x18)));
                                  									__eflags = _t378;
                                  									 *(_t514 - 0x14) = _t378;
                                  									if(_t378 != 0) {
                                  										 *(_t514 - 4) = 5;
                                  										E00405205(E00403C87(_t514 - 0xd0),  *((intOrPtr*)(_t514 - 0x3c)));
                                  										__eflags = _t418;
                                  										 *(_t514 - 4) = 1;
                                  										if(_t418 != 0) {
                                  											 *((intOrPtr*)( *_t418 + 8))(_t418);
                                  										}
                                  										_t509 =  *(_t514 - 0x14);
                                  										goto L64;
                                  									}
                                  									_t441 = 0;
                                  									__eflags = 0;
                                  									goto L31;
                                  								} else {
                                  									goto L23;
                                  								}
                                  								do {
                                  									L23:
                                  									_t513 = E00403D01(_t492,  *((intOrPtr*)( *((intOrPtr*)(_t514 - 0x9c)) +  *(_t514 - 0x10) * 4)));
                                  									__eflags = _t513;
                                  									if(_t513 >= 0) {
                                  										__eflags = _t513 -  *(_t514 + 0x18);
                                  										if(_t513 >  *(_t514 + 0x18)) {
                                  											 *((intOrPtr*)( *( *(_t514 + 0xc)) + 4))(_t513, 1);
                                  											 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t514 + 0x10)))) + 4))(_t513, 1);
                                  											_t144 = _t514 - 0x1c;
                                  											 *_t144 =  *(_t514 - 0x1c) -  *((intOrPtr*)( *((intOrPtr*)(_t514 - 0x74)) + _t513 * 8));
                                  											__eflags =  *_t144;
                                  											asm("sbb [ebp-0x18], eax");
                                  											E004059E1(_t514 - 0x80, _t513, 1);
                                  										}
                                  									}
                                  									 *(_t514 - 0x10) =  *(_t514 - 0x10) + 1;
                                  									__eflags =  *(_t514 - 0x10) -  *(_t514 - 0xa0);
                                  								} while ( *(_t514 - 0x10) <  *(_t514 - 0xa0));
                                  								_t511 =  *((intOrPtr*)(_t514 + 0x1c));
                                  								_t441 = 0;
                                  								__eflags =  *(_t514 - 0xa0);
                                  								goto L28;
                                  							}
                                  							_push(0x41c200);
                                  							_push(_t514 + 0xc);
                                  							 *(_t514 + 0xc) = "there is no such archive";
                                  							L004182FC();
                                  							goto L46;
                                  						} else {
                                  							_t393 =  *(_t514 + 0x20);
                                  							_t394 =  *((intOrPtr*)( *_t393 + 0xc))(_t393,  *(_t514 - 0x1c),  *((intOrPtr*)(_t514 - 0x18)));
                                  							 *(_t514 + 0x18) = _t394;
                                  							if(_t394 == _t498) {
                                  								goto L16;
                                  							}
                                  							 *(_t514 - 4) = 1;
                                  							if(_t418 != _t498) {
                                  								 *((intOrPtr*)( *_t418 + 8))(_t418);
                                  							}
                                  							 *(_t514 - 4) =  *(_t514 - 4) & 0x00000000;
                                  							E00405858(_t514 - 0x80);
                                  							 *(_t514 - 4) =  *(_t514 - 4) | 0xffffffff;
                                  							E00401CA4(_t514 - 0x15c);
                                  							_t305 =  *(_t514 + 0x18);
                                  							L44:
                                  							 *[fs:0x0] =  *((intOrPtr*)(_t514 - 0xc));
                                  							return _t305;
                                  						}
                                  					}
                                  				} else {
                                  					goto L1;
                                  				}
                                  				while(1) {
                                  					L1:
                                  					 *(_t514 - 0x14) =  *( *((intOrPtr*)(_t417 + 0xc)) +  *(_t514 + 0x18) * 4);
                                  					E00401DA7(_t514 - 0x3c);
                                  					_push(_t514 - 0x6c);
                                  					 *(_t514 - 4) = 2;
                                  					_push( *( *(_t514 - 0x14))); // executed
                                  					_t407 = E00407203(_t514 - 0x6c, _t491, _t498); // executed
                                  					if(_t407 == 0) {
                                  						break;
                                  					}
                                  					if(( *(_t514 - 0x6c) >> 0x00000004 & 0x00000001) != 0) {
                                  						L7:
                                  						_push(0x41c200);
                                  						_push(_t514 + 0xc);
                                  						 *(_t514 + 0xc) = "can\'t decompress folder";
                                  						L004182FC();
                                  						goto L8;
                                  					}
                                  					E00412D31(_t514 - 0x80, _t491,  *((intOrPtr*)(_t514 - 0x4c)),  *(_t514 - 0x48));
                                  					 *(_t514 - 0x1c) =  *(_t514 - 0x1c) +  *((intOrPtr*)(_t514 - 0x4c));
                                  					 *(_t514 - 4) = 1;
                                  					asm("adc [ebp-0x18], ecx");
                                  					E00405205( *((intOrPtr*)(_t514 - 0x4c)),  *((intOrPtr*)(_t514 - 0x3c)));
                                  					 *(_t514 + 0x18) =  *(_t514 + 0x18) + 1;
                                  					if( *(_t514 + 0x18) <  *((intOrPtr*)(_t417 + 8))) {
                                  						continue;
                                  					}
                                  					goto L4;
                                  				}
                                  				_push(0x41c200);
                                  				_push(_t514 + 0xc);
                                  				 *(_t514 + 0xc) = "there is no such archive";
                                  				L004182FC();
                                  				goto L7;
                                  			}











































                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040B253
                                    • Part of subcall function 0040BB9A: __EH_prolog.LIBCMT ref: 0040BB9F
                                    • Part of subcall function 00407203: __EH_prolog.LIBCMT ref: 00407208
                                  • _CxxThrowException.MSVCRT(?,0041C200), ref: 0040B352
                                  • _CxxThrowException.MSVCRT(?,0041C200), ref: 0040B7A2
                                  • _CxxThrowException.MSVCRT(00420F38,0041C200), ref: 0040B7B7
                                    • Part of subcall function 00403C87: __EH_prolog.LIBCMT ref: 00403C8C
                                  • _CxxThrowException.MSVCRT(00420F38,0041C200), ref: 0040B367
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionH_prologThrow$free
                                  • String ID: U @
                                  • API String ID: 2114536809-1986941051
                                  • Opcode ID: 72903765298f6e4fab3ae6e760855d1d2a2c6a446ab3892a8bf1328f389923a9
                                  • Instruction ID: 20101f7e668d88ac95dc1006f7e718e23f745da2571773568b53466cc56a6fbc
                                  • Opcode Fuzzy Hash: 72903765298f6e4fab3ae6e760855d1d2a2c6a446ab3892a8bf1328f389923a9
                                  • Instruction Fuzzy Hash: F6323C71900219DFCB14DF99C884B9EBBB4FF58314F1480AEE859B7292CB749A44CF99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  C-Code - Quality: 86%
                                  			E00401238(signed int __edx) {
                                  				signed int _t271;
                                  				void* _t272;
                                  				intOrPtr* _t277;
                                  				intOrPtr* _t280;
                                  				void* _t288;
                                  				intOrPtr _t303;
                                  				signed int _t309;
                                  				intOrPtr _t342;
                                  				intOrPtr _t347;
                                  				signed int _t351;
                                  				intOrPtr _t365;
                                  				signed int _t375;
                                  				intOrPtr _t421;
                                  				intOrPtr _t423;
                                  				signed int _t478;
                                  				signed int _t485;
                                  				signed int _t486;
                                  				intOrPtr _t498;
                                  				intOrPtr _t502;
                                  				intOrPtr _t509;
                                  				signed int _t518;
                                  				signed int _t519;
                                  				signed int _t520;
                                  				intOrPtr _t524;
                                  				intOrPtr _t526;
                                  				signed int _t527;
                                  				signed int _t528;
                                  				void* _t529;
                                  
                                  				_t518 = __edx;
                                  				 *(_t529 - 4) = 3;
                                  				if( *((intOrPtr*)(E00404D1E(_t529 - 0xb4, 0))) != 0) {
                                  					L62:
                                  					E0040100A();
                                  					 *(_t529 - 4) = 2;
                                  					E00405205(E00404968(_t529 - 0xb4),  *((intOrPtr*)(_t529 - 0x64)));
                                  					 *((intOrPtr*)(_t529 - 0x58)) = 0x41b38c;
                                  					 *(_t529 - 4) = 6;
                                  					goto L63;
                                  				} else {
                                  					_t524 = 1;
                                  					if( *((intOrPtr*)(E00404D1E(_t529 - 0xb4, _t524))) != 0) {
                                  						goto L62;
                                  					}
                                  					if( *((intOrPtr*)(_t529 - 0xa4)) != 0) {
                                  						__eflags =  *((intOrPtr*)(_t529 - 0xa4)) - _t524;
                                  						if( *((intOrPtr*)(_t529 - 0xa4)) > _t524) {
                                  							E00401B73();
                                  						}
                                  						_push(_t529 - 0x24);
                                  						_push( *((intOrPtr*)( *((intOrPtr*)(_t529 - 0xa0)))));
                                  						_t271 = E0040101B(0x41b38c);
                                  						__eflags = _t271;
                                  						if(_t271 == 0) {
                                  							E00401B73();
                                  						}
                                  					} else {
                                  						 *((intOrPtr*)(_t529 - 0x24)) = _t524;
                                  					}
                                  					_t272 = E00401000(_t529 - 0x24);
                                  					E00401F25(_t529 - 0xdc);
                                  					_push(0);
                                  					_push(_t272);
                                  					_push(_t529 - 0xac);
                                  					 *(_t529 - 4) = 7;
                                  					_push(_t529 - 0xdc);
                                  					E00401136();
                                  					_t277 = E00404D1E(_t529 - 0xb4, 3);
                                  					_t526 =  *0x420064; // 0x42020c
                                  					 *((char*)(_t529 - 0x12)) =  *_t277;
                                  					_t280 = E00401EFE(_t529 - 0x64, _t529 - 0x30, 4);
                                  					 *(_t529 - 4) = 8;
                                  					 *((char*)(_t529 - 0x19)) = E00405668( *_t280, _t526) != 0;
                                  					 *(_t529 - 4) = 7;
                                  					E00405205(_t281,  *((intOrPtr*)(_t529 - 0x30)));
                                  					if( *((intOrPtr*)(_t529 - 0x19)) != 0) {
                                  						E00401EA1(_t529 - 0x64, _t518,  *0x420064);
                                  					}
                                  					 *((char*)(_t529 - 0x11)) =  *((intOrPtr*)(E00404D1E(_t529 - 0xb4, 4)));
                                  					 *((intOrPtr*)(_t529 - 0x44)) = 0;
                                  					 *((intOrPtr*)(_t529 - 0x40)) = 0;
                                  					 *((intOrPtr*)(_t529 - 0x3c)) = 0;
                                  					E0040247E(_t529 - 0x44, 0xf);
                                  					 *(_t529 - 4) = 9;
                                  					if( *((intOrPtr*)(_t529 - 0x11)) != 0) {
                                  						E00401E63(_t529 - 0x44,  *((intOrPtr*)( *((intOrPtr*)(E00404D1E(_t529 - 0xb4, 4) + 0x10)))));
                                  					}
                                  					E00401DA7(_t529 - 0x10c);
                                  					 *(_t529 - 4) = 0xa;
                                  					_push(_t529 - 0x13c);
                                  					_push( *((intOrPtr*)(_t529 - 0x64)));
                                  					_t288 = E00407203(_t529 - 0x10c, _t518, 0x41b38c); // executed
                                  					if(_t288 == 0) {
                                  						_t423 =  *0x420078; // 0x42007c
                                  						_push(0x41be20);
                                  						 *((intOrPtr*)(_t529 - 0xbc)) = _t423;
                                  						_push(_t529 - 0xbc);
                                  						L004182FC();
                                  					}
                                  					if(( *(_t529 - 0x13c) >> 0x00000004 & 0x00000001) != 0) {
                                  						_t421 =  *0x420078; // 0x42007c
                                  						_push(0x41be20);
                                  						 *((intOrPtr*)(_t529 - 0xb8)) = _t421;
                                  						_push(_t529 - 0xb8);
                                  						L004182FC();
                                  					}
                                  					 *((intOrPtr*)(_t529 - 0x70)) = 0;
                                  					 *((intOrPtr*)(_t529 - 0x6c)) = 0;
                                  					 *((intOrPtr*)(_t529 - 0x68)) = 0;
                                  					E0040247E(_t529 - 0x70, 0xf);
                                  					 *(_t529 - 4) = 0xb;
                                  					if( *((intOrPtr*)(E00404D1E(_t529 - 0xb4, 5))) != 0) {
                                  						E00401E63(_t529 - 0x70,  *((intOrPtr*)( *((intOrPtr*)(E00404D1E(_t529 - 0xb4, 5) + 0x10)))));
                                  						E004075B6(_t529 - 0x70);
                                  					}
                                  					E00402463(_t529 - 0x98);
                                  					 *((intOrPtr*)(_t529 - 0x98)) = 0x41b38c;
                                  					 *(_t529 - 4) = 0xc;
                                  					E00402463(_t529 - 0x84);
                                  					 *((intOrPtr*)(_t529 - 0x84)) = 0x41b38c;
                                  					_push(_t529 - 0x64);
                                  					 *(_t529 - 4) = 0xd;
                                  					E00401CFC(_t529 - 0x98, _t518);
                                  					_push(_t529 - 0x64);
                                  					E00401CFC(_t529 - 0x84, _t518);
                                  					_push(0x1c);
                                  					 *((intOrPtr*)(_t529 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t529 - 0xd0)))) + 0xc;
                                  					_t527 = E004051DE();
                                  					 *(_t529 - 0x18) = _t527;
                                  					 *(_t529 - 4) = 0xe;
                                  					if(_t527 == 0) {
                                  						 *(_t529 - 0x18) = 0;
                                  						_t527 = 0;
                                  					} else {
                                  						_t70 = _t527 + 8; // 0x8
                                  						 *((intOrPtr*)(_t527 + 4)) = 0;
                                  						E00401FD9(_t70);
                                  						 *_t527 = 0x41b380;
                                  						 *(_t529 - 0x18) = _t527;
                                  					}
                                  					 *(_t529 - 4) = 0xd;
                                  					 *(_t529 - 0xfc) = _t527;
                                  					if(_t527 != 0) {
                                  						 *((intOrPtr*)( *_t527 + 4))(_t527);
                                  					}
                                  					 *(_t529 - 4) = 0xf;
                                  					_t303 = E0040ADB1(_t527, _t518);
                                  					if(_t303 != 0) {
                                  						 *((intOrPtr*)(_t529 - 0xc4)) = _t303;
                                  						_push(0x41be10);
                                  						_push(_t529 - 0xc4);
                                  						L004182FC();
                                  					}
                                  					if( *((intOrPtr*)(_t529 - 0x24)) == 2) {
                                  						 *(_t529 - 0x38) = 0;
                                  						 *(_t529 - 0x34) = 0;
                                  						_t309 = E00403303(_t518, __eflags, _t527, _t529 - 0x98, _t529 - 0x84,  *((intOrPtr*)(_t529 - 0x20)), 1, 0, _t529 - 0x11, _t529 - 0x44, _t529 - 0x38);
                                  						__eflags =  *(_t529 - 0x34);
                                  						if(__eflags > 0) {
                                  							L56:
                                  							E004054D0(E0040541C(E00405400(0x421290, E0040540E), "Errors: "), _t518, __eflags,  *(_t529 - 0x38),  *(_t529 - 0x34));
                                  							__eflags = _t527;
                                  							 *(_t529 - 4) = 0xd;
                                  							if(_t527 != 0) {
                                  								 *((intOrPtr*)( *_t527 + 8))(_t527);
                                  							}
                                  							 *((intOrPtr*)(_t529 - 0x84)) = 0x41b38c;
                                  							 *(_t529 - 4) = 0x18;
                                  							E00405898();
                                  							 *(_t529 - 4) = 0xc;
                                  							E00405858(_t529 - 0x84);
                                  							 *((intOrPtr*)(_t529 - 0x98)) = 0x41b38c;
                                  							 *(_t529 - 4) = 0x19;
                                  							E00405898();
                                  							 *(_t529 - 4) = 0xb;
                                  							E00405205(E00405205(E00405205(E00405858(_t529 - 0x98),  *((intOrPtr*)(_t529 - 0x70))),  *((intOrPtr*)(_t529 - 0x10c))),  *((intOrPtr*)(_t529 - 0x44)));
                                  							 *(_t529 - 4) = 3;
                                  							E00401F40(_t529 - 0xdc);
                                  							 *(_t529 - 4) = 2;
                                  							E00405205(E00404968(_t529 - 0xb4),  *((intOrPtr*)(_t529 - 0x64)));
                                  							 *((intOrPtr*)(_t529 - 0x58)) = 0x41b38c;
                                  							 *(_t529 - 4) = 0x1a;
                                  							goto L59;
                                  						}
                                  						__eflags =  *(_t529 - 0x38);
                                  						if(__eflags <= 0) {
                                  							__eflags = _t309;
                                  							if(_t309 == 0) {
                                  								goto L42;
                                  							}
                                  							 *(_t529 - 0xc8) = _t309;
                                  							_push(0x41be10);
                                  							_push(_t529 - 0xc8);
                                  							L004182FC();
                                  							goto L62;
                                  						}
                                  						goto L56;
                                  					} else {
                                  						_push(0x48);
                                  						_t478 = E004051DE();
                                  						 *(_t529 - 0x34) = _t478;
                                  						 *(_t529 - 4) = 0x10;
                                  						if(_t478 == 0) {
                                  							_t528 = 0;
                                  							__eflags = 0;
                                  						} else {
                                  							_t528 = E00401BBE(_t478);
                                  						}
                                  						 *(_t529 - 4) = 0xf;
                                  						 *(_t529 - 0x34) = _t528;
                                  						if(_t528 != 0) {
                                  							 *((intOrPtr*)( *_t528 + 4))(_t528);
                                  						}
                                  						_t342 =  *0x421270; // 0x421290
                                  						_t86 = _t528 + 0x10; // 0x10
                                  						 *((intOrPtr*)(_t528 + 0x40)) = _t342;
                                  						 *((char*)(_t528 + 0xc)) =  *((intOrPtr*)(_t529 - 0x11));
                                  						 *(_t529 - 4) = 0x11;
                                  						E00401E63(_t86, _t529 - 0x44);
                                  						 *((intOrPtr*)(_t528 + 0x20)) = 0;
                                  						 *(_t528 + 0x28) = 0;
                                  						 *(_t528 + 0x30) = 0;
                                  						 *((intOrPtr*)(_t528 + 0x38)) = 0;
                                  						 *((intOrPtr*)(_t528 + 0x24)) = 0;
                                  						 *(_t528 + 0x2c) = 0;
                                  						 *(_t528 + 0x34) = 0;
                                  						 *((intOrPtr*)(_t528 + 0x3c)) = 0;
                                  						E00401B44(_t529 - 0xf8);
                                  						_t347 =  *0x421270; // 0x421290
                                  						 *((intOrPtr*)(_t529 - 0xf4)) = _t347;
                                  						 *((char*)(_t529 - 0xf0)) =  *((intOrPtr*)(_t529 - 0x11));
                                  						 *(_t529 - 4) = 0x12;
                                  						E00401E63(_t529 - 0xec, _t529 - 0x44);
                                  						_t351 = E00401AC4(_t529 - 0x1ac);
                                  						 *(_t529 - 4) = 0x13;
                                  						 *((char*)(_t529 - 0x1ac)) = 0;
                                  						 *((char*)(_t529 - 0x1ab)) = _t351 & 0xffffff00 |  *((intOrPtr*)(_t529 - 0x24)) == 0x00000000;
                                  						 *((intOrPtr*)(_t529 - 0x1a8)) = 0;
                                  						 *(_t529 - 0x144) = 0 |  *((intOrPtr*)(_t529 - 0x12)) != 0x00000000;
                                  						E00401E63(_t529 - 0x1a4, _t529 - 0x70);
                                  						 *((char*)(_t529 - 0x198)) =  *((intOrPtr*)(_t529 - 0x12));
                                  						 *((intOrPtr*)(_t529 - 0x30)) = 0;
                                  						 *((intOrPtr*)(_t529 - 0x2c)) = 0;
                                  						 *((intOrPtr*)(_t529 - 0x28)) = 0;
                                  						E0040247E(_t529 - 0x30, 0xf);
                                  						 *(_t529 - 4) = 0x14;
                                  						_t365 = E0040B24E(_t518,  *((intOrPtr*)(_t529 - 0x12)),  *(_t529 - 0x18), _t529 - 0x98, _t529 - 0x84,  *((intOrPtr*)(_t529 - 0x20)), _t529 - 0x1ac, _t529 - 0xf8, _t528, _t529 - 0x30, _t529 - 0x1d4); // executed
                                  						 *((intOrPtr*)(_t529 - 0x20)) = _t365;
                                  						if( *((intOrPtr*)(_t529 - 0x2c)) != 0) {
                                  							_push( *((intOrPtr*)(_t529 - 0x30)));
                                  							_t509 =  *0x421270; // 0x421290
                                  							E00405434(E0040541C(E00405400(_t509, E0040540E), "Error: "), 0x41b38c);
                                  							if( *((intOrPtr*)(_t529 - 0x20)) == 0) {
                                  								 *((intOrPtr*)(_t529 - 0x20)) = 0x80004005;
                                  							}
                                  						}
                                  						_t485 =  *(_t528 + 0x28);
                                  						_t519 =  *(_t528 + 0x2c);
                                  						if((_t485 | _t519) != 0 || ( *(_t528 + 0x30) |  *(_t528 + 0x34)) != 0) {
                                  							__eflags = _t485 | _t519;
                                  							if(__eflags != 0) {
                                  								_t502 =  *0x421270; // 0x421290
                                  								E00405400(E004054D0(E0040541C(E00405400(_t502, E0040540E), "Archive Errors: "), _t519, __eflags, _t485, _t519), E0040540E);
                                  							}
                                  							_t486 =  *(_t528 + 0x30);
                                  							_t520 =  *(_t528 + 0x34);
                                  							_t371 = _t486 | _t520;
                                  							__eflags = _t486 | _t520;
                                  							if(__eflags != 0) {
                                  								_t498 =  *0x421270; // 0x421290
                                  								_t371 = E00405400(E004054D0(E0040541C(E00405400(_t498, E0040540E), "Sub items Errors: "), _t520, __eflags, _t486, _t520), E0040540E);
                                  							}
                                  							E00405205(_t371,  *((intOrPtr*)(_t529 - 0x30)));
                                  							 *(_t529 - 4) = 0x12;
                                  							E00405205(E00401CA4(_t529 - 0x1ac),  *((intOrPtr*)(_t529 - 0xec)));
                                  							__eflags = _t528;
                                  							 *(_t529 - 4) = 0xf;
                                  							if(_t528 != 0) {
                                  								 *((intOrPtr*)( *_t528 + 8))(_t528);
                                  							}
                                  							_t375 =  *(_t529 - 0x18);
                                  							 *(_t529 - 4) = 0xd;
                                  							__eflags = _t375;
                                  							if(_t375 != 0) {
                                  								 *((intOrPtr*)( *_t375 + 8))(_t375);
                                  							}
                                  							 *((intOrPtr*)(_t529 - 0x84)) = 0x41b38c;
                                  							 *(_t529 - 4) = 0x15;
                                  							E00405898();
                                  							 *(_t529 - 4) = 0xc;
                                  							E00405858(_t529 - 0x84);
                                  							 *((intOrPtr*)(_t529 - 0x98)) = 0x41b38c;
                                  							 *(_t529 - 4) = 0x16;
                                  							E00405898();
                                  							 *(_t529 - 4) = 0xb;
                                  							E00405205(E00405205(E00405205(E00405858(_t529 - 0x98),  *((intOrPtr*)(_t529 - 0x70))),  *((intOrPtr*)(_t529 - 0x10c))),  *((intOrPtr*)(_t529 - 0x44)));
                                  							 *(_t529 - 4) = 3;
                                  							E00401F40(_t529 - 0xdc);
                                  							 *(_t529 - 4) = 2;
                                  							E00405205(E00404968(_t529 - 0xb4),  *((intOrPtr*)(_t529 - 0x64)));
                                  							 *((intOrPtr*)(_t529 - 0x58)) = 0x41b38c;
                                  							 *(_t529 - 4) = 0x17;
                                  							L59:
                                  							E00405898();
                                  							 *(_t529 - 4) =  *(_t529 - 4) | 0xffffffff;
                                  							E00405858(_t529 - 0x58);
                                  							_push(2);
                                  							_pop(0);
                                  							goto L64;
                                  						} else {
                                  							_t400 =  *((intOrPtr*)(_t529 - 0x20));
                                  							if(_t400 != 0) {
                                  								 *((intOrPtr*)(_t529 - 0xc0)) = _t400;
                                  								_t400 = _t529 - 0xc0;
                                  								_push(0x41be10);
                                  								_push(_t529 - 0xc0);
                                  								L004182FC();
                                  							}
                                  							E00405205(_t400,  *((intOrPtr*)(_t529 - 0x30)));
                                  							 *(_t529 - 4) = 0x12;
                                  							E00405205(E00401CA4(_t529 - 0x1ac),  *((intOrPtr*)(_t529 - 0xec)));
                                  							 *(_t529 - 4) = 0xf;
                                  							if(_t528 != 0) {
                                  								 *((intOrPtr*)( *_t528 + 8))(_t528);
                                  							}
                                  							_t527 =  *(_t529 - 0x18);
                                  							L42:
                                  							 *(_t529 - 4) = 0xd;
                                  							if(_t527 != 0) {
                                  								 *((intOrPtr*)( *_t527 + 8))(_t527);
                                  							}
                                  							 *((intOrPtr*)(_t529 - 0x84)) = 0x41b38c;
                                  							 *(_t529 - 4) = 0x1b;
                                  							E00405898();
                                  							 *(_t529 - 4) = 0xc;
                                  							E00405858(_t529 - 0x84);
                                  							 *((intOrPtr*)(_t529 - 0x98)) = 0x41b38c;
                                  							 *(_t529 - 4) = 0x1c;
                                  							E00405898();
                                  							 *(_t529 - 4) = 0xb;
                                  							E00405205(E00405205(E00405205(E00405858(_t529 - 0x98),  *((intOrPtr*)(_t529 - 0x70))),  *((intOrPtr*)(_t529 - 0x10c))),  *((intOrPtr*)(_t529 - 0x44)));
                                  							 *((intOrPtr*)(_t529 - 0xdc)) = 0x41b378;
                                  							 *(_t529 - 4) = 0x1d;
                                  							E00405898();
                                  							 *(_t529 - 4) = 3;
                                  							E00405858(_t529 - 0xdc);
                                  							 *(_t529 - 4) = 2;
                                  							E00405205(E00404968(_t529 - 0xb4),  *((intOrPtr*)(_t529 - 0x64)));
                                  							 *((intOrPtr*)(_t529 - 0x58)) = 0x41b38c;
                                  							 *(_t529 - 4) = 0x1e;
                                  							L63:
                                  							E00405898();
                                  							 *(_t529 - 4) =  *(_t529 - 4) | 0xffffffff;
                                  							E00405858(_t529 - 0x58);
                                  							L64:
                                  							 *[fs:0x0] =  *((intOrPtr*)(_t529 - 0xc));
                                  							return 0;
                                  						}
                                  					}
                                  				}
                                  			}































                                  0x004017d4
                                  0x004017f5
                                  0x004017f5
                                  0x004017fd
                                  0x00401803
                                  0x00401818
                                  0x0040181d
                                  0x00401820
                                  0x00401824
                                  0x00401829
                                  0x00401829
                                  0x0040182c
                                  0x0040182f
                                  0x00401833
                                  0x00401835
                                  0x0040183a
                                  0x0040183a
                                  0x0040183d
                                  0x00401849
                                  0x0040184d
                                  0x00401858
                                  0x0040185c
                                  0x00401861
                                  0x0040186d
                                  0x00401871
                                  0x0040187c
                                  0x0040189b
                                  0x004018a9
                                  0x004018ad
                                  0x004018b8
                                  0x004018c4
                                  0x004018ca
                                  0x004018cd
                                  0x004019e0
                                  0x004019e3
                                  0x004019e8
                                  0x004019ef
                                  0x004019f4
                                  0x004019f6
                                  0x00000000
                                  0x00401676
                                  0x00401676
                                  0x0040167b
                                  0x0040167d
                                  0x00401683
                                  0x00401689
                                  0x0040168e
                                  0x0040168f
                                  0x0040168f
                                  0x00401697
                                  0x0040169d
                                  0x004016b2
                                  0x004016ba
                                  0x004016be
                                  0x004016c3
                                  0x004016c3
                                  0x004016c6
                                  0x004016c9
                                  0x004016cb
                                  0x004016cf
                                  0x004016d4
                                  0x004016d4
                                  0x004016d7
                                  0x004016e3
                                  0x004016e7
                                  0x004016f2
                                  0x004016f6
                                  0x004016fb
                                  0x00401707
                                  0x0040170b
                                  0x00401716
                                  0x00401735
                                  0x0040173d
                                  0x0040174d
                                  0x00401751
                                  0x0040175c
                                  0x00401760
                                  0x0040176b
                                  0x00401777
                                  0x0040177d
                                  0x00401780
                                  0x00401a3f
                                  0x00401a42
                                  0x00401a47
                                  0x00401a4e
                                  0x00401a55
                                  0x00401a5a
                                  0x00401a63
                                  0x00401a63
                                  0x00401664
                                  0x004014ea

                                  APIs
                                  • _CxxThrowException.MSVCRT(?,0041BE20), ref: 004013AD
                                  • _CxxThrowException.MSVCRT(?,0041BE20), ref: 004013D6
                                  • _CxxThrowException.MSVCRT(?,0041BE10), ref: 004014E1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionThrow
                                  • String ID: Error: $U @
                                  • API String ID: 432778473-1343386477
                                  • Opcode ID: 715186eb1aa14c702e7d5c0b390ac7178c22af146ec791a9a53bf5ba198a0b2d
                                  • Instruction ID: 659b8e5c06201f9c643ba93239dfec5fbda9ce19f11592a70b43d2ec8e346237
                                  • Opcode Fuzzy Hash: 715186eb1aa14c702e7d5c0b390ac7178c22af146ec791a9a53bf5ba198a0b2d
                                  • Instruction Fuzzy Hash: D7F16A70D01258DEDB21EFA5C981BDEBBB0AF15304F1440EEE549B72A2DB385A44CF69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 1031 41114e-411176 call 4182c0 call 40904a 1036 4112d6-4112e4 1031->1036 1037 41117c-411180 1031->1037 1038 411182-411185 1037->1038 1039 41118a-411192 call 4112e7 1037->1039 1038->1036 1042 411194-411196 1039->1042 1043 41119b-4111db call 408ffb memcpy 1039->1043 1042->1036 1046 4111de-4111e3 1043->1046 1047 411202-411224 call 407d9b 1046->1047 1048 4111e5-4111f2 1046->1048 1055 4112c2 1047->1055 1056 41122a-411238 1047->1056 1049 4111f8 1048->1049 1050 41128c-41128f 1048->1050 1049->1047 1052 4111fa-4111fc 1049->1052 1051 4112c4-4112d4 call 405205 1050->1051 1051->1036 1052->1047 1052->1050 1055->1051 1056->1050 1058 41123a-411246 1056->1058 1059 411271-411287 memmove 1058->1059 1060 411248-411258 call 4112e7 1058->1060 1059->1046 1063 411291-4112bf memcpy call 407dda 1060->1063 1064 41125a-411269 1060->1064 1063->1055 1064->1060 1065 41126b-41126e 1064->1065 1065->1059
                                  C-Code - Quality: 95%
                                  			E0041114E(void* __ecx, void* __eflags) {
                                  				intOrPtr _t55;
                                  				intOrPtr* _t56;
                                  				void* _t58;
                                  				int _t62;
                                  				int _t67;
                                  				intOrPtr* _t71;
                                  				intOrPtr* _t76;
                                  				void* _t79;
                                  				int _t84;
                                  				intOrPtr _t89;
                                  				void* _t92;
                                  				intOrPtr* _t97;
                                  				intOrPtr _t105;
                                  				intOrPtr _t110;
                                  				intOrPtr _t111;
                                  				intOrPtr* _t112;
                                  				void* _t113;
                                  				void* _t115;
                                  				void* _t116;
                                  				void* _t118;
                                  
                                  				E004182C0(E0041A35C, _t113);
                                  				_t116 = _t115 - 0x20;
                                  				_t79 = __ecx;
                                  				_t103 = __ecx + 0x28;
                                  				_t55 = E0040904A( *((intOrPtr*)(_t113 + 8)), __ecx + 0x28, 0x20, _t113 - 0x18); // executed
                                  				if(_t55 == 0) {
                                  					if( *((intOrPtr*)(_t113 - 0x18)) == 0x20) {
                                  						_t56 = E004112E7(_t103);
                                  						__eflags = _t56;
                                  						if(_t56 == 0) {
                                  							 *((intOrPtr*)(_t113 - 0x28)) = 0;
                                  							 *(_t113 - 0x24) = 0;
                                  							 *((intOrPtr*)(_t113 - 0x2c)) = 0x41b7b4;
                                  							 *((intOrPtr*)(_t113 - 4)) = 0;
                                  							E00408FFB(_t113 - 0x2c, 0x10000);
                                  							_t58 =  *(_t113 - 0x24);
                                  							_t84 = 0x1f;
                                  							 *(_t113 - 0x14) = _t58;
                                  							 *(_t113 - 0x10) = _t84;
                                  							memcpy(_t58, _t79 + 0x29, _t84);
                                  							_t105 =  *((intOrPtr*)(_t79 + 0x24));
                                  							_t118 = _t116 + 0xc;
                                  							_t110 =  *((intOrPtr*)(_t79 + 0x20)) + 1;
                                  							asm("adc edi, 0x0");
                                  							while(1) {
                                  								_t97 =  *((intOrPtr*)(_t113 + 0xc));
                                  								__eflags = _t97;
                                  								if(_t97 == 0) {
                                  									goto L10;
                                  								}
                                  								_t64 = _t105;
                                  								_t92 = _t110 -  *((intOrPtr*)(_t79 + 0x20));
                                  								asm("sbb eax, [ebx+0x24]");
                                  								__eflags = _t105 -  *((intOrPtr*)(_t97 + 4));
                                  								if(__eflags > 0) {
                                  									L17:
                                  									_t111 = 1;
                                  								} else {
                                  									if(__eflags < 0) {
                                  										goto L10;
                                  									} else {
                                  										__eflags = _t92 -  *_t97;
                                  										if(_t92 >  *_t97) {
                                  											goto L17;
                                  										} else {
                                  											goto L10;
                                  										}
                                  									}
                                  								}
                                  								L20:
                                  								 *((intOrPtr*)(_t113 - 0x2c)) = 0x41b7b4;
                                  								E00405205(_t64,  *(_t113 - 0x24));
                                  								_t55 = _t111;
                                  								goto L21;
                                  								L10:
                                  								_t62 =  *(_t113 - 0x10);
                                  								_t64 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t113 + 8)))) + 0xc))( *((intOrPtr*)(_t113 + 8)),  *(_t113 - 0x14) + _t62, 0x10000 - _t62, _t113 - 0x18);
                                  								__eflags = _t64;
                                  								if(_t64 != 0) {
                                  									L19:
                                  									_t111 = _t64;
                                  								} else {
                                  									_t64 =  *((intOrPtr*)(_t113 - 0x18)) +  *(_t113 - 0x10);
                                  									__eflags = _t64 - 0x20;
                                  									 *((intOrPtr*)(_t113 - 0x20)) = _t64;
                                  									if(_t64 < 0x20) {
                                  										goto L17;
                                  									} else {
                                  										 *(_t113 - 0x10) =  *(_t113 - 0x10) & 0x00000000;
                                  										_t30 = _t64 - 0x1f; // 0x1
                                  										_t89 = _t30;
                                  										__eflags = _t89;
                                  										 *((intOrPtr*)(_t113 - 0x1c)) = _t89;
                                  										if(_t89 <= 0) {
                                  											L16:
                                  											_t67 = _t64 - _t89;
                                  											 *(_t113 - 0x10) = _t67;
                                  											memmove( *(_t113 - 0x14), _t89 +  *(_t113 - 0x14), _t67);
                                  											_t118 = _t118 + 0xc;
                                  											continue;
                                  										} else {
                                  											while(1) {
                                  												_t71 = E004112E7( *(_t113 - 0x14) +  *(_t113 - 0x10));
                                  												__eflags = _t71;
                                  												if(_t71 != 0) {
                                  													break;
                                  												}
                                  												 *(_t113 - 0x10) =  *(_t113 - 0x10) + 1;
                                  												_t110 = _t110 + 1;
                                  												asm("adc edi, 0x0");
                                  												__eflags =  *(_t113 - 0x10) -  *((intOrPtr*)(_t113 - 0x1c));
                                  												if( *(_t113 - 0x10) <  *((intOrPtr*)(_t113 - 0x1c))) {
                                  													continue;
                                  												} else {
                                  													_t64 =  *((intOrPtr*)(_t113 - 0x20));
                                  													_t89 =  *((intOrPtr*)(_t113 - 0x1c));
                                  													goto L16;
                                  												}
                                  												goto L20;
                                  											}
                                  											memcpy(_t79 + 0x28,  *(_t113 - 0x14) +  *(_t113 - 0x10), 0x20);
                                  											_t76 =  *((intOrPtr*)(_t113 + 8));
                                  											 *((intOrPtr*)(_t79 + 0x20)) = _t110;
                                  											_t112 = _t110 + 0x20;
                                  											__eflags = _t112;
                                  											 *((intOrPtr*)(_t79 + 0x24)) = _t105;
                                  											asm("adc edi, ecx");
                                  											_t64 =  *((intOrPtr*)( *_t76 + 0x10))(_t76, _t112, _t105, 0, 0);
                                  											goto L19;
                                  										}
                                  									}
                                  								}
                                  								goto L20;
                                  							}
                                  						} else {
                                  							_t55 = 0;
                                  						}
                                  					} else {
                                  						_t55 = 1;
                                  					}
                                  				}
                                  				L21:
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t113 - 0xc));
                                  				return _t55;
                                  			}
























                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-3916222277
                                  • Opcode ID: ab17ba4a3acbaf74129302c57cfe3781e5994c70153bea884e1b6cca9fdba658
                                  • Instruction ID: 782f23c6c8573d13de89a57e9b24df410f869e22da568fa7924df49d59f04b4b
                                  • Opcode Fuzzy Hash: ab17ba4a3acbaf74129302c57cfe3781e5994c70153bea884e1b6cca9fdba658
                                  • Instruction Fuzzy Hash: BD516BB1A00119AFDF14CF99C885AFEB7B5FF48304F10416AE905FB251D778A981CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E00409572() {
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				intOrPtr* _t406;
                                  				signed int _t411;
                                  				intOrPtr* _t415;
                                  				intOrPtr* _t419;
                                  				intOrPtr* _t424;
                                  				void* _t440;
                                  				signed int _t441;
                                  				signed int _t457;
                                  				signed int _t458;
                                  				signed int _t462;
                                  				signed int _t463;
                                  				signed int _t472;
                                  				void* _t473;
                                  				void* _t477;
                                  				void* _t480;
                                  				void* _t492;
                                  				intOrPtr* _t493;
                                  				void* _t496;
                                  				intOrPtr _t497;
                                  				void* _t498;
                                  				void* _t500;
                                  				signed int _t503;
                                  				void* _t517;
                                  				void* _t519;
                                  				signed int _t522;
                                  				signed int _t539;
                                  				void* _t551;
                                  				void* _t553;
                                  				signed int _t556;
                                  				void* _t565;
                                  				void* _t566;
                                  				void* _t570;
                                  				void* _t574;
                                  				void* _t594;
                                  				void* _t601;
                                  				void* _t603;
                                  				void* _t609;
                                  				signed int _t612;
                                  				signed int _t616;
                                  				signed int _t621;
                                  				signed int _t643;
                                  				void* _t710;
                                  				void* _t714;
                                  				void* _t716;
                                  				signed int _t718;
                                  				signed int _t721;
                                  				intOrPtr* _t730;
                                  				signed int _t734;
                                  				signed int _t735;
                                  				signed int _t737;
                                  				signed int _t738;
                                  				signed int _t741;
                                  				intOrPtr _t743;
                                  				signed int _t744;
                                  				intOrPtr* _t746;
                                  				signed int _t747;
                                  				intOrPtr* _t748;
                                  				intOrPtr* _t749;
                                  				intOrPtr* _t750;
                                  				intOrPtr* _t751;
                                  				signed int _t753;
                                  				void* _t754;
                                  				void* _t756;
                                  
                                  				E004182C0(E004194A3, _t754);
                                  				_t743 =  *((intOrPtr*)(_t754 + 8));
                                  				_t621 = 0;
                                  				_t730 = _t743 + 0x94;
                                  				 *( *(_t754 + 0x10)) = 0;
                                  				 *((intOrPtr*)(_t754 - 0x10)) = _t756 - 0xb0;
                                  				 *((intOrPtr*)(_t754 - 4)) = 0;
                                  				_t406 =  *_t730;
                                  				if(_t406 != 0) {
                                  					 *((intOrPtr*)( *_t406 + 8))(_t406);
                                  					 *_t730 = 0;
                                  				}
                                  				 *(_t743 + 0x88) = _t621;
                                  				 *(_t743 + 0x5c) = _t621;
                                  				 *(_t743 + 0x48) = _t621;
                                  				 *(_t743 + 0x8c) = _t621;
                                  				 *(_t754 - 0x50) = _t621;
                                  				 *(_t754 - 0x4c) = _t621;
                                  				 *(_t754 - 0x48) = _t621;
                                  				E0040247E(_t754 - 0x50, 0xf);
                                  				_push(_t754 - 0x50);
                                  				 *((char*)(_t754 - 4)) = 1;
                                  				_t409 = E0040C14E( *((intOrPtr*)(_t743 + 0x10)),  *(_t754 + 0xc), _t743 + 0xac);
                                  				if(_t409 != _t621) {
                                  					L35:
                                  					_t744 = _t409;
                                  					L140:
                                  					E00405205(_t409,  *(_t754 - 0x50));
                                  					_t411 = _t744;
                                  					L145:
                                  					 *[fs:0x0] =  *((intOrPtr*)(_t754 - 0xc));
                                  					return _t411;
                                  				}
                                  				_t409 = E0040C1F5( *((intOrPtr*)(_t743 + 0x10)),  *(_t754 + 0xc), _t743 + 0x7f);
                                  				if(_t409 != _t621) {
                                  					goto L35;
                                  				}
                                  				E00401E63(_t743 + 0x34, _t754 - 0x50);
                                  				 *(_t754 - 0x44) = _t621;
                                  				 *(_t754 - 0x42) = _t621;
                                  				_t415 =  *((intOrPtr*)(_t743 + 0x10));
                                  				_push(_t754 - 0x44);
                                  				_push(0x1d);
                                  				_push( *(_t754 + 0xc));
                                  				 *((char*)(_t754 - 4)) = 2;
                                  				_push(_t415);
                                  				if( *((intOrPtr*)( *_t415 + 0x18))() == _t621) {
                                  					if( *(_t754 - 0x44) == _t621) {
                                  						L10:
                                  						 *((char*)(_t754 - 4)) = 1;
                                  						E004076D9(_t754 - 0x44);
                                  						_push(_t743 + 0x5c);
                                  						_push(0xf);
                                  						_push( *(_t754 + 0xc));
                                  						_push( *((intOrPtr*)(_t743 + 0x10)));
                                  						_t409 = E0040C17B();
                                  						if(_t409 != _t621) {
                                  							goto L35;
                                  						}
                                  						 *(_t754 - 0x44) = _t621;
                                  						 *(_t754 - 0x42) = _t621;
                                  						_t419 =  *((intOrPtr*)(_t743 + 0x10));
                                  						_t721 = _t754 - 0x44;
                                  						_push(_t721);
                                  						_push(7);
                                  						_push( *(_t754 + 0xc));
                                  						 *((char*)(_t754 - 4)) = 3;
                                  						_push(_t419);
                                  						if( *((intOrPtr*)( *_t419 + 0x18))() == _t621) {
                                  							 *(_t754 - 0x25) =  *(_t754 - 0x44) != _t621;
                                  							if( *(_t754 - 0x25) != _t621) {
                                  								_t616 = E00407A07(_t754 - 0x44);
                                  								_t718 = _t721;
                                  								 *(_t743 + 0x88) = _t616;
                                  								 *(_t754 - 0x7c) = _t616;
                                  								 *(_t754 - 0x78) = _t718;
                                  								 *(_t743 + 0x8c) = _t718;
                                  							}
                                  							 *((char*)(_t754 - 4)) = 1;
                                  							E004076D9(_t754 - 0x44);
                                  							if( *(_t754 + 0x14) != _t621) {
                                  								_t422 =  *(_t754 + 0x10);
                                  								 *( *(_t754 + 0x10)) = _t621;
                                  								goto L144;
                                  							} else {
                                  								if( *((intOrPtr*)(_t743 + 0xc4)) == _t621) {
                                  									 *(_t754 - 0x44) = _t621;
                                  									 *(_t754 - 0x42) = _t621;
                                  									_t424 =  *((intOrPtr*)(_t743 + 0x10));
                                  									_t722 = _t754 - 0x44;
                                  									 *((char*)(_t754 - 4)) = 4;
                                  									_t734 =  *((intOrPtr*)( *_t424 + 0x18))(_t424,  *(_t754 + 0xc), 9, _t754 - 0x44);
                                  									if(_t734 == _t621) {
                                  										if( *(_t754 - 0x44) != _t621) {
                                  											if( *(_t754 - 0x44) == 0x13) {
                                  												 *(_t743 + 0x80) = 1;
                                  												 *((intOrPtr*)(_t743 + 0x78)) =  *((intOrPtr*)(_t754 - 0x3c));
                                  												L34:
                                  												 *((char*)(_t754 - 4)) = 1;
                                  												E004076D9(_t754 - 0x44);
                                  												_t735 =  *(_t754 + 0xc);
                                  												_push(_t743 + 0x7c);
                                  												_push(_t743 + 0x60);
                                  												_push(0xa);
                                  												_push(_t735);
                                  												_t409 = E004094E5(_t743);
                                  												if(_t409 == _t621) {
                                  													_push(_t743 + 0x7d);
                                  													_push(_t743 + 0x68);
                                  													_push(0xc);
                                  													_push(_t735);
                                  													_t409 = E004094E5(_t743);
                                  													if(_t409 != _t621) {
                                  														goto L35;
                                  													}
                                  													_push(_t743 + 0x7e);
                                  													_push(_t743 + 0x70);
                                  													_push(0xb);
                                  													_push(_t735);
                                  													_t409 = E004094E5(_t743);
                                  													if(_t409 != _t621) {
                                  														goto L35;
                                  													}
                                  													_push(_t754 + 0xb);
                                  													_push(0x15);
                                  													_push(_t735);
                                  													_push( *((intOrPtr*)(_t743 + 0x10)));
                                  													 *(_t754 + 0xb) = _t621;
                                  													_t409 = E0040C17B();
                                  													if(_t409 != _t621) {
                                  														goto L35;
                                  													}
                                  													E00402463(_t754 - 0x24);
                                  													_t736 = 0x41b38c;
                                  													 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  													 *((char*)(_t754 - 4)) = 5;
                                  													_push(_t754 - 0x24);
                                  													_push(_t754 - 0x50);
                                  													E00405A9D(_t722);
                                  													_t723 =  *((intOrPtr*)(_t754 - 0x1c));
                                  													if(_t723 != _t621) {
                                  														_t643 = 0;
                                  														_t440 =  *((intOrPtr*)(_t743 + 0x2c)) - 1;
                                  														if(_t440 == 0) {
                                  															_t441 =  *(_t743 + 0xa0);
                                  															 *(_t754 + 0xc) = _t441;
                                  															if(_t723 > _t441) {
                                  																_t737 = 0;
                                  																while(_t737 <  *(_t754 + 0xc)) {
                                  																	if(E00405668( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t743 + 0xa4)) + _t737 * 4)))),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t754 - 0x18)) + _t737 * 4))))) == _t621) {
                                  																		_t737 = _t737 + 1;
                                  																		continue;
                                  																	}
                                  																	 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  																	 *((char*)(_t754 - 4)) = 8;
                                  																	L41:
                                  																	E00405898();
                                  																	 *((char*)(_t754 - 4)) = 1;
                                  																	_t409 = E00405858(_t754 - 0x24);
                                  																	_t744 = 0x80004005;
                                  																	goto L140;
                                  																}
                                  																_t643 =  *(_t754 + 0xc);
                                  																_t736 = 0x41b38c;
                                  																L53:
                                  																E00401D43(_t621, _t754 - 0x24, _t743, _t621, _t643);
                                  																_push(_t754 - 0x24);
                                  																E0040BD70(_t754 - 0x24, _t723);
                                  																_push(_t754 - 0x24);
                                  																_push(_t754 - 0x5c);
                                  																E0040A22E(_t723);
                                  																 *((char*)(_t754 - 4)) = 9;
                                  																if( *(_t754 + 0xb) != _t621) {
                                  																	L72:
                                  																	_push(_t754 - 0x5c);
                                  																	_push(_t743 + 0x20);
                                  																	_push(_t754 - 0x34); // executed
                                  																	E00406F88(_t723); // executed
                                  																	 *((char*)(_t754 - 4)) = 0xb;
                                  																	if( *((intOrPtr*)(_t743 + 0x7f)) == _t621) {
                                  																		if( *(_t743 + 0x48) != _t621) {
                                  																			L114:
                                  																			if( *(_t754 + 0xb) != _t621) {
                                  																				L142:
                                  																				E00405205(E00405205(E00401E63(_t743 + 0x4c, _t754 - 0x34),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																				 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																				 *((char*)(_t754 - 4)) = 0x2c;
                                  																				L81:
                                  																				E00405898();
                                  																				 *((char*)(_t754 - 4)) = 1;
                                  																				_t422 = E00405858(_t754 - 0x24);
                                  																				L144:
                                  																				E00405205(_t422,  *(_t754 - 0x50));
                                  																				_t411 = 0;
                                  																				goto L145;
                                  																			}
                                  																			_push(0x18);
                                  																			_t457 = E004051DE();
                                  																			if(_t457 == _t621) {
                                  																				_t738 = 0;
                                  																			} else {
                                  																				 *(_t457 + 4) = _t621;
                                  																				 *(_t457 + 8) =  *(_t457 + 8) | 0xffffffff;
                                  																				 *_t457 = 0x41b5cc;
                                  																				_t738 = _t457;
                                  																			}
                                  																			 *(_t743 + 0x90) = _t738;
                                  																			 *(_t754 + 0x14) = _t738;
                                  																			if(_t738 != _t621) {
                                  																				 *((intOrPtr*)( *_t738 + 4))(_t738);
                                  																			}
                                  																			_t458 =  *(_t743 + 0x90);
                                  																			 *((char*)(_t754 - 4)) = 0x27;
                                  																			asm("sbb edx, edx");
                                  																			 *(_t458 + 0x10) = _t621;
                                  																			 *(_t458 + 0x14) = _t621;
                                  																			_t728 = ( ~( *(_t743 + 0x48)) & 0x00000002) + 2;
                                  																			if(E004074FE( *((intOrPtr*)(_t754 - 0x34)), ( ~( *(_t743 + 0x48)) & 0x00000002) + 2) != _t621) {
                                  																				if( *(_t743 + 0x48) == _t621) {
                                  																					L141:
                                  																					E00408D12(_t743 + 0x94, _t738);
                                  																					 *((char*)(_t754 - 4)) = 0xb;
                                  																					 *( *(_t754 + 0x10)) = _t738;
                                  																					_t736 = 0x41b38c;
                                  																					goto L142;
                                  																				}
                                  																				_t462 =  *(_t743 + 0x90);
                                  																				_t463 =  *((intOrPtr*)( *_t462 + 0x10))(_t462,  *((intOrPtr*)(_t743 + 0x40)),  *((intOrPtr*)(_t743 + 0x44)), _t621, _t621);
                                  																				 *(_t754 + 0xc) = _t463;
                                  																				if(_t463 == _t621) {
                                  																					goto L141;
                                  																				}
                                  																				 *((char*)(_t754 - 4)) = 0xb;
                                  																				if(_t738 != _t621) {
                                  																					_t463 =  *((intOrPtr*)( *_t738 + 8))(_t738);
                                  																				}
                                  																				E00405205(E00405205(_t463,  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																				 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  																				 *((char*)(_t754 - 4)) = 0x2b;
                                  																				E00405898();
                                  																				 *((char*)(_t754 - 4)) = 1;
                                  																				_t409 = E00405858(_t754 - 0x24);
                                  																				_t744 =  *(_t754 + 0xc);
                                  																				goto L140;
                                  																			} else {
                                  																				E0040A4CA(_t728);
                                  																				_t746 =  *((intOrPtr*)(_t743 + 0x14));
                                  																				 *((char*)(_t754 - 4)) = 0x28;
                                  																				_t472 =  *((intOrPtr*)( *_t746 + 0x1c))(_t746,  *((intOrPtr*)(_t754 - 0x74)), _t754 - 0x74, L"can not open output file ", _t754 - 0x34);
                                  																				_push( *((intOrPtr*)(_t754 - 0x74)));
                                  																				_t747 = _t472;
                                  																				if(_t747 == _t621) {
                                  																					_t473 = E00405205(_t472);
                                  																					 *((char*)(_t754 - 4)) = 0xb;
                                  																					if(_t738 != _t621) {
                                  																						_t473 =  *((intOrPtr*)( *_t738 + 8))(_t738);
                                  																					}
                                  																					E00405205(E00405205(_t473,  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																					 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  																					 *((char*)(_t754 - 4)) = 0x2a;
                                  																					L133:
                                  																					E00405898();
                                  																					 *((char*)(_t754 - 4)) = 1;
                                  																					_t477 = E00405858(_t754 - 0x24);
                                  																					L134:
                                  																					E00405205(_t477,  *(_t754 - 0x50));
                                  																					_t411 = _t621;
                                  																					goto L145;
                                  																				}
                                  																				_t480 = E00405205(_t472);
                                  																				 *((char*)(_t754 - 4)) = 0xb;
                                  																				if(_t738 != _t621) {
                                  																					_t480 =  *((intOrPtr*)( *_t738 + 8))(_t738);
                                  																				}
                                  																				E00405205(E00405205(_t480,  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																				 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  																				 *((char*)(_t754 - 4)) = 0x29;
                                  																				L120:
                                  																				E00405898();
                                  																				 *((char*)(_t754 - 4)) = 1;
                                  																				_t477 = E00405858(_t754 - 0x24);
                                  																				_t621 = _t747;
                                  																				goto L134;
                                  																			}
                                  																		}
                                  																		E00401DA7(_t754 - 0x8c);
                                  																		 *((char*)(_t754 - 4)) = 0xd;
                                  																		_push(_t754 - 0xbc);
                                  																		_push( *((intOrPtr*)(_t754 - 0x34)));
                                  																		_t489 = E00407203(_t754 - 0x8c, _t723, _t736); // executed
                                  																		if(_t489 == _t621) {
                                  																			L113:
                                  																			 *((char*)(_t754 - 4)) = 0xb;
                                  																			E00405205(_t489,  *((intOrPtr*)(_t754 - 0x8c)));
                                  																			goto L114;
                                  																		}
                                  																		_t492 =  *((intOrPtr*)(_t743 + 0x30)) - _t621;
                                  																		if(_t492 == 0) {
                                  																			asm("sbb ecx, ecx");
                                  																			_t493 =  *((intOrPtr*)(_t743 + 0x14));
                                  																			asm("sbb ecx, ecx");
                                  																			_t723 =  *_t493;
                                  																			_t741 =  *((intOrPtr*)( *_t493 + 0x14))(_t493,  *((intOrPtr*)(_t754 - 0x34)), _t754 - 0xa8, _t754 - 0x9c,  *(_t754 - 0x50),  ~( *(_t743 + 0x7d)) & _t743 + 0x00000068,  ~( *(_t754 - 0x25)) & _t754 - 0x0000007c, _t754 + 0xc);
                                  																			if(_t741 == _t621) {
                                  																				_t496 =  *(_t754 + 0xc) - _t621;
                                  																				if(_t496 == 0) {
                                  																					L96:
                                  																					_t736 = 0x41b38c;
                                  																					L97:
                                  																					_t497 =  *((intOrPtr*)(_t743 + 0x30));
                                  																					if(_t497 != 3) {
                                  																						if(_t497 != 4) {
                                  																							if(E00406BFC(_t621, _t736,  *((intOrPtr*)(_t754 - 0x34))) != _t621) {
                                  																								goto L113;
                                  																							}
                                  																							_t498 = E00401DBF(_t754 - 0x40,  *0x420da4);
                                  																							 *((char*)(_t754 - 4)) = 0x22;
                                  																							_t500 = E00406F88(_t723);
                                  																							 *((char*)(_t754 - 4)) = 0x24;
                                  																							E00405205(_t500,  *((intOrPtr*)(_t754 - 0x40)));
                                  																							_t748 =  *((intOrPtr*)(_t743 + 0x14));
                                  																							_t503 =  *((intOrPtr*)( *_t748 + 0x1c))(_t748,  *((intOrPtr*)(_t754 - 0x74)), _t754 - 0x74, _t498, _t754 - 0x34);
                                  																							_push( *((intOrPtr*)(_t754 - 0x74)));
                                  																							_t747 = _t503;
                                  																							if(_t747 == _t621) {
                                  																								E00405205(E00405205(E00405205(E00405205(_t503),  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																								 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																								 *((char*)(_t754 - 4)) = 0x26;
                                  																								goto L133;
                                  																							}
                                  																							E00405205(E00405205(E00405205(E00405205(_t503),  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																							 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																							 *((char*)(_t754 - 4)) = 0x25;
                                  																							goto L120;
                                  																						}
                                  																						E00401E20(_t754 - 0x68, _t754 - 0x34);
                                  																						 *((char*)(_t754 - 4)) = 0x19;
                                  																						_push(_t754 - 0x68);
                                  																						if(E00407B92() != _t621) {
                                  																							_push( *(_t754 - 0x68));
                                  																							_push( *((intOrPtr*)(_t754 - 0x34)));
                                  																							if(E00406904(_t621, _t736, _t743) != _t621) {
                                  																								_t489 = E00405205(_t516,  *(_t754 - 0x68));
                                  																								goto L113;
                                  																							}
                                  																							_t517 = E00401DBF(_t754 - 0x40,  *0x420da0);
                                  																							 *((char*)(_t754 - 4)) = 0x1d;
                                  																							_t519 = E00406F88(_t723);
                                  																							 *((char*)(_t754 - 4)) = 0x1f;
                                  																							E00405205(_t519,  *((intOrPtr*)(_t754 - 0x40)));
                                  																							_t749 =  *((intOrPtr*)(_t743 + 0x14));
                                  																							_t522 =  *((intOrPtr*)( *_t749 + 0x1c))(_t749,  *((intOrPtr*)(_t754 - 0x74)), _t754 - 0x74, _t517, _t754 - 0x34);
                                  																							_push( *((intOrPtr*)(_t754 - 0x74)));
                                  																							_t744 = _t522;
                                  																							if(_t744 == _t621) {
                                  																								E00405205(E00405205(E00405205(E00405205(E00405205(_t522),  *(_t754 - 0x68)),  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																								 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																								 *((char*)(_t754 - 4)) = 0x21;
                                  																								goto L41;
                                  																							}
                                  																							E00405205(E00405205(E00405205(E00405205(E00405205(_t522),  *(_t754 - 0x68)),  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																							 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																							 *((char*)(_t754 - 4)) = 0x20;
                                  																							L110:
                                  																							E00405898();
                                  																							 *((char*)(_t754 - 4)) = 1;
                                  																							_t409 = E00405858(_t754 - 0x24);
                                  																							goto L140;
                                  																						}
                                  																						E0040A4CA(_t723);
                                  																						_t750 =  *((intOrPtr*)(_t743 + 0x14));
                                  																						 *((char*)(_t754 - 4)) = 0x1a;
                                  																						_t539 =  *((intOrPtr*)( *_t750 + 0x1c))(_t750,  *((intOrPtr*)(_t754 - 0x74)), _t754 - 0x74,  *0x420d9c, _t754 - 0x34);
                                  																						_push( *((intOrPtr*)(_t754 - 0x74)));
                                  																						_t744 = _t539;
                                  																						if(_t744 == _t621) {
                                  																							E00405205(E00405205(E00405205(E00405205(E00405205(_t539),  *(_t754 - 0x68)),  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																							 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																							 *((char*)(_t754 - 4)) = 0x1c;
                                  																							goto L41;
                                  																						}
                                  																						E00405205(E00405205(E00405205(E00405205(E00405205(_t539),  *(_t754 - 0x68)),  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																						 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																						 *((char*)(_t754 - 4)) = 0x1b;
                                  																						goto L110;
                                  																					}
                                  																					_push(_t754 - 0x34);
                                  																					if(E00407B92() != _t621) {
                                  																						goto L113;
                                  																					}
                                  																					_t551 = E00401DBF(_t754 - 0x74,  *0x420d9c);
                                  																					 *((char*)(_t754 - 4)) = 0x14;
                                  																					_t553 = E00406F88(_t723);
                                  																					 *((char*)(_t754 - 4)) = 0x16;
                                  																					E00405205(_t553,  *((intOrPtr*)(_t754 - 0x74)));
                                  																					_t751 =  *((intOrPtr*)(_t743 + 0x14));
                                  																					_t556 =  *((intOrPtr*)( *_t751 + 0x1c))(_t751,  *(_t754 - 0x68), _t754 - 0x68, _t551, _t754 - 0x34);
                                  																					_push( *(_t754 - 0x68));
                                  																					_t744 = _t556;
                                  																					if(_t744 == _t621) {
                                  																						E00405205(E00405205(E00405205(E00405205(_t556),  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																						 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																						 *((char*)(_t754 - 4)) = 0x18;
                                  																						goto L41;
                                  																					}
                                  																					E00405205(E00405205(E00405205(E00405205(_t556),  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																					 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																					 *((char*)(_t754 - 4)) = 0x17;
                                  																					goto L110;
                                  																				}
                                  																				_t565 = _t496 - 1;
                                  																				if(_t565 == 0) {
                                  																					 *((intOrPtr*)(_t743 + 0x30)) = 1;
                                  																					goto L96;
                                  																				}
                                  																				_t566 = _t565 - 1;
                                  																				if(_t566 == 0) {
                                  																					E00405205(E00405205(E00405205(_t566,  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																					 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  																					 *((char*)(_t754 - 4)) = 0x11;
                                  																					goto L133;
                                  																				}
                                  																				_t570 = _t566 - 1;
                                  																				if(_t570 == 0) {
                                  																					 *((intOrPtr*)(_t743 + 0x30)) = 2;
                                  																					E00405205(E00405205(E00405205(_t570,  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																					 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  																					 *((char*)(_t754 - 4)) = 0x12;
                                  																					goto L133;
                                  																				}
                                  																				_t574 = _t570 - 1;
                                  																				if(_t574 == 0) {
                                  																					 *((intOrPtr*)(_t743 + 0x30)) = 3;
                                  																					goto L96;
                                  																				}
                                  																				_push( *((intOrPtr*)(_t754 - 0x8c)));
                                  																				_t575 = _t574 == 1;
                                  																				if(_t574 == 1) {
                                  																					E00405205(E00405205(E00405205(_t575),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																					 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  																					 *((char*)(_t754 - 4)) = 0x10;
                                  																					E00405898();
                                  																					 *((char*)(_t754 - 4)) = 1;
                                  																					_t477 = E00405858(_t754 - 0x24);
                                  																					_t621 = 0x80004004;
                                  																				} else {
                                  																					E00405205(E00405205(E00405205(_t575),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																					 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  																					 *((char*)(_t754 - 4)) = 0x13;
                                  																					E00405898();
                                  																					 *((char*)(_t754 - 4)) = 1;
                                  																					_t477 = E00405858(_t754 - 0x24);
                                  																					_t621 = 0x80004005;
                                  																				}
                                  																				goto L134;
                                  																			}
                                  																			E00405205(E00405205(E00405205(_t494,  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																			 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  																			 *((char*)(_t754 - 4)) = 0xf;
                                  																			E00405898();
                                  																			 *((char*)(_t754 - 4)) = 1;
                                  																			_t477 = E00405858(_t754 - 0x24);
                                  																			_t621 = _t741;
                                  																			goto L134;
                                  																		}
                                  																		_t589 = _t492 != 0;
                                  																		if(_t492 != 0) {
                                  																			goto L97;
                                  																		}
                                  																		E00405205(E00405205(E00405205(_t589,  *((intOrPtr*)(_t754 - 0x8c))),  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																		 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																		 *((char*)(_t754 - 4)) = 0xe;
                                  																		goto L81;
                                  																	}
                                  																	_t752 = _t743 + 0x4c;
                                  																	_t594 = E00401E63(_t743 + 0x4c, _t754 - 0x34);
                                  																	if( *(_t754 + 0xb) != _t621) {
                                  																		_t594 = E004068BF(_t736,  *_t752);
                                  																	}
                                  																	E00405205(E00405205(_t594,  *((intOrPtr*)(_t754 - 0x34))),  *((intOrPtr*)(_t754 - 0x5c)));
                                  																	 *((intOrPtr*)(_t754 - 0x24)) = _t736;
                                  																	 *((char*)(_t754 - 4)) = 0xc;
                                  																	E00405898();
                                  																	 *((char*)(_t754 - 4)) = 1;
                                  																	_t409 = E00405858(_t754 - 0x24);
                                  																	L23:
                                  																	_t744 = 0;
                                  																	goto L140;
                                  																}
                                  																if( *((intOrPtr*)(_t743 + 0x7f)) != _t621) {
                                  																	L57:
                                  																	if( *((intOrPtr*)(_t754 - 0x1c)) == _t621) {
                                  																		goto L72;
                                  																	}
                                  																	 *(_t754 - 0x68) = _t621;
                                  																	 *(_t754 - 0x64) = _t621;
                                  																	 *(_t754 - 0x60) = _t621;
                                  																	E0040247E(_t754 - 0x68, 0xf);
                                  																	_push(_t754 - 0x68);
                                  																	 *((char*)(_t754 - 4)) = 0xa;
                                  																	_t601 = E0040949B(_t743, _t723, _t754 - 0x24);
                                  																	if( *((intOrPtr*)(_t743 + 0x7f)) == _t621) {
                                  																		L71:
                                  																		 *((char*)(_t754 - 4)) = 9;
                                  																		E00405205(_t601,  *(_t754 - 0x68));
                                  																		goto L72;
                                  																	}
                                  																	if( *((intOrPtr*)(_t743 + 0x59)) == _t621) {
                                  																		L61:
                                  																		_t723 = _t743 + 0xb8;
                                  																		L62:
                                  																		if( *((intOrPtr*)(_t743 + 0x5b)) == _t621 ||  *((intOrPtr*)(_t743 + 0x7e)) == _t621) {
                                  																			_t710 = 0;
                                  																		} else {
                                  																			_t710 = _t743 + 0x70;
                                  																		}
                                  																		if( *((intOrPtr*)(_t743 + 0x5a)) == _t621 ||  *((intOrPtr*)(_t743 + 0x7c)) == _t621) {
                                  																			_t603 = 0;
                                  																		} else {
                                  																			_t603 = _t743 + 0x60;
                                  																		}
                                  																		_t601 = E00406784( *(_t754 - 0x68), _t603, _t710, _t723);
                                  																		goto L71;
                                  																	}
                                  																	_t723 = _t743 + 0x68;
                                  																	if( *(_t743 + 0x7d) != _t621) {
                                  																		goto L62;
                                  																	}
                                  																	goto L61;
                                  																}
                                  																if( *((intOrPtr*)(_t754 - 0x1c)) == _t621) {
                                  																	goto L72;
                                  																}
                                  																E004058A0(_t754 - 0x24);
                                  																goto L57;
                                  															}
                                  															 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  															 *((char*)(_t754 - 4)) = 7;
                                  															goto L41;
                                  														}
                                  														if(_t440 == 1) {
                                  															_t643 = _t723 - 1;
                                  														}
                                  														goto L53;
                                  													}
                                  													 *((intOrPtr*)(_t754 - 0x24)) = 0x41b38c;
                                  													 *((char*)(_t754 - 4)) = 6;
                                  													goto L41;
                                  												}
                                  												goto L35;
                                  											}
                                  											 *((char*)(_t754 - 4)) = 1;
                                  											_t714 = _t754 - 0x44;
                                  											L31:
                                  											_t609 = E004076D9(_t714);
                                  											_t734 = 0x80004005;
                                  											L32:
                                  											E00405205(_t609,  *(_t754 - 0x50));
                                  											_t411 = _t734;
                                  											goto L145;
                                  										}
                                  										 *(_t743 + 0x80) = _t621;
                                  										 *((intOrPtr*)(_t743 + 0x78)) =  *((intOrPtr*)(_t743 + 0xc0));
                                  										goto L34;
                                  									}
                                  									 *((char*)(_t754 - 4)) = 1;
                                  									_t716 = _t754 - 0x44;
                                  									L26:
                                  									_t609 = E004076D9(_t716);
                                  									goto L32;
                                  								}
                                  								_push(8);
                                  								_t612 = E004051DE();
                                  								if(_t612 == _t621) {
                                  									_t753 = 0;
                                  								} else {
                                  									 *(_t612 + 4) = _t621;
                                  									 *_t612 = 0x41b5e8;
                                  									_t753 = _t612;
                                  								}
                                  								if(_t753 != _t621) {
                                  									 *((intOrPtr*)( *_t753 + 4))(_t753);
                                  								}
                                  								_t409 =  *(_t754 + 0x10);
                                  								 *( *(_t754 + 0x10)) = _t753;
                                  								goto L23;
                                  							}
                                  						}
                                  						 *((char*)(_t754 - 4)) = 1;
                                  						_t716 = _t754 - 0x44;
                                  						goto L26;
                                  					}
                                  					if( *(_t754 - 0x44) == 0x15) {
                                  						 *(_t743 + 0x48) = 1;
                                  						 *((intOrPtr*)(_t743 + 0x40)) =  *((intOrPtr*)(_t754 - 0x3c));
                                  						 *((intOrPtr*)(_t743 + 0x44)) =  *((intOrPtr*)(_t754 - 0x38));
                                  						goto L10;
                                  					}
                                  					 *((char*)(_t754 - 4)) = 1;
                                  					_t714 = _t754 - 0x44;
                                  					goto L31;
                                  				}
                                  				 *((char*)(_t754 - 4)) = 1;
                                  				_t716 = _t754 - 0x44;
                                  				goto L26;
                                  			}
                                  0x004099c6
                                  0x004099c6
                                  0x004099d6
                                  0x004099dc
                                  0x004099e3
                                  0x004099e7
                                  0x004099ef
                                  0x004099f3
                                  0x00409735
                                  0x00409735
                                  0x00000000
                                  0x00409735
                                  0x00409907
                                  0x0040991a
                                  0x0040991d
                                  0x00000000
                                  0x00000000
                                  0x00409924
                                  0x00409927
                                  0x0040992a
                                  0x0040992d
                                  0x00409937
                                  0x0040993c
                                  0x00409940
                                  0x00409948
                                  0x0040998a
                                  0x0040998d
                                  0x00409991
                                  0x00000000
                                  0x00409996
                                  0x0040994d
                                  0x00409957
                                  0x00409957
                                  0x0040995d
                                  0x00409960
                                  0x0040996c
                                  0x00409967
                                  0x00409967
                                  0x00409967
                                  0x00409971
                                  0x0040997d
                                  0x00409978
                                  0x00409978
                                  0x00409978
                                  0x00409985
                                  0x00000000
                                  0x00409985
                                  0x00409952
                                  0x00409955
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00409955
                                  0x0040990c
                                  0x00000000
                                  0x00000000
                                  0x00409915
                                  0x00000000
                                  0x00409915
                                  0x00409893
                                  0x00409896
                                  0x00000000
                                  0x00409896
                                  0x0040987f
                                  0x00409881
                                  0x00409881
                                  0x00000000
                                  0x0040987f
                                  0x00409851
                                  0x00409854
                                  0x00000000
                                  0x00409854
                                  0x00000000
                                  0x004097dd
                                  0x0040978c
                                  0x00409790
                                  0x00409793
                                  0x00409793
                                  0x00409798
                                  0x0040979d
                                  0x004097a0
                                  0x004097a6
                                  0x00000000
                                  0x004097a6
                                  0x0040977a
                                  0x00409780
                                  0x00000000
                                  0x00409780
                                  0x00409760
                                  0x00409764
                                  0x00409767
                                  0x00409767
                                  0x00000000
                                  0x00409767
                                  0x0040970b
                                  0x0040970d
                                  0x00409715
                                  0x00409724
                                  0x00409717
                                  0x00409717
                                  0x0040971a
                                  0x00409720
                                  0x00409720
                                  0x00409728
                                  0x0040972d
                                  0x0040972d
                                  0x00409730
                                  0x00409733
                                  0x00000000
                                  0x00409733
                                  0x004096fd
                                  0x004096b8
                                  0x004096bc
                                  0x00000000
                                  0x004096bc
                                  0x00409650
                                  0x00409661
                                  0x00409665
                                  0x0040966b
                                  0x00000000
                                  0x0040966b
                                  0x00409652
                                  0x00409656
                                  0x00000000
                                  0x00409656
                                  0x00409639
                                  0x0040963d
                                  0x00000000

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00409577
                                    • Part of subcall function 004094E5: __EH_prolog.LIBCMT ref: 004094EA
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog$free
                                  • String ID: ,$U @$can not open output file
                                  • API String ID: 2654054672-298863829
                                  • Opcode ID: ed27b3a56be1cf328c70db2a0a296ff2820c489118e678ede9e60f418ab381f4
                                  • Instruction ID: 66d8f1ccb3a28c4567276d96726d5c68659b2de4eea642c99b521473d2523778
                                  • Opcode Fuzzy Hash: ed27b3a56be1cf328c70db2a0a296ff2820c489118e678ede9e60f418ab381f4
                                  • Instruction Fuzzy Hash: 94829D71901648EECF11EFA5C945AEEBBB1EF04304F2440AEE45577292EB395E04DF2A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E0040B017(void* __edx, void* __eflags) {
                                  				signed int _t97;
                                  				void* _t103;
                                  				signed int _t119;
                                  				void* _t121;
                                  				void* _t123;
                                  				signed int _t133;
                                  				signed int _t138;
                                  				void* _t141;
                                  				intOrPtr* _t142;
                                  				void* _t169;
                                  				void* _t171;
                                  				void* _t175;
                                  				intOrPtr* _t176;
                                  				signed int _t177;
                                  				void* _t179;
                                  
                                  				_t169 = __edx;
                                  				E004182C0(E004196EC, _t179);
                                  				E00407282(_t179 - 0x58, 4);
                                  				 *((intOrPtr*)(_t179 - 0x58)) = 0x41b65c;
                                  				_t142 =  *((intOrPtr*)(_t179 + 8));
                                  				 *(_t179 - 4) = 0;
                                  				_t97 =  *((intOrPtr*)( *_t142 + 0x14))(_t142, _t179 - 0x14, _t171, _t175, _t141);
                                  				if(_t97 == 0) {
                                  					__eflags =  *(_t179 - 0x14);
                                  					_t176 =  *((intOrPtr*)(_t179 + 0x1c));
                                  					 *((intOrPtr*)(_t179 - 0x10)) = 0;
                                  					if( *(_t179 - 0x14) <= 0) {
                                  						L8:
                                  						__eflags =  *(_t179 - 0x50);
                                  						if( *(_t179 - 0x50) != 0) {
                                  							E00402463(_t179 - 0x6c);
                                  							 *((intOrPtr*)(_t179 - 0x6c)) = 0x41b38c;
                                  							 *(_t179 - 4) = 2;
                                  							E00401E20(_t179 - 0x2c, _t176 + 8);
                                  							 *(_t179 - 4) = 3;
                                  							E00401DBF(_t179 - 0x20, 0x4201e0);
                                  							 *(_t179 - 4) = 4;
                                  							_t103 = E0040BC1D(_t179 - 0x2c, _t179 - 0x20,  *((intOrPtr*)(_t179 + 0x14)));
                                  							 *(_t179 - 4) = 3;
                                  							E00405205(_t103,  *((intOrPtr*)(_t179 - 0x20)));
                                  							__eflags =  *(_t179 - 0x28);
                                  							if( *(_t179 - 0x28) == 0) {
                                  								L16:
                                  								E004091BA( *((intOrPtr*)(_t179 + 0x24)), _t142,  *((intOrPtr*)(_t179 + 0x20)),  *_t176, _t179 - 0x2c, _t179 - 0x6c, _t176 + 0x18, _t176 + 0x3c,  *((intOrPtr*)(_t176 + 0x28)),  *((intOrPtr*)(_t179 + 0xc)),  *((intOrPtr*)(_t179 + 0x10)));
                                  								__eflags =  *(_t176 + 1);
                                  								_t76 =  *(_t176 + 1) != 0;
                                  								__eflags = _t76;
                                  								_t177 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t179 + 0x20)))) + 0x30))( *((intOrPtr*)( *_t142 + 0x1c))(_t142,  *((intOrPtr*)(_t179 - 0x4c)),  *(_t179 - 0x50), 0 | _t76,  *((intOrPtr*)(_t179 + 0x24))));
                                  								E00405205(_t113,  *((intOrPtr*)(_t179 - 0x2c)));
                                  								 *((intOrPtr*)(_t179 - 0x6c)) = 0x41b38c;
                                  								 *(_t179 - 4) = 8;
                                  							} else {
                                  								_push( *((intOrPtr*)(_t179 - 0x2c)));
                                  								_t119 = E004069D7(); // executed
                                  								__eflags = _t119;
                                  								if(_t119 != 0) {
                                  									goto L16;
                                  								} else {
                                  									_t177 = GetLastError();
                                  									__eflags = _t177;
                                  									if(_t177 == 0) {
                                  										_t177 = 0x80004005;
                                  									}
                                  									_t121 = E00401DBF(_t179 - 0x44, L"Can not create output directory ");
                                  									 *(_t179 - 4) = 5;
                                  									_push(_t179 - 0x2c);
                                  									_push(_t121);
                                  									_push(_t179 - 0x38);
                                  									_t123 = E00406F88(_t169);
                                  									 *(_t179 - 4) = 6;
                                  									E00405205(E00405205(E00405205(E00401E63( *((intOrPtr*)(_t179 + 0x28)), _t123),  *((intOrPtr*)(_t179 - 0x38))),  *((intOrPtr*)(_t179 - 0x44))),  *((intOrPtr*)(_t179 - 0x2c)));
                                  									 *((intOrPtr*)(_t179 - 0x6c)) = 0x41b38c;
                                  									 *(_t179 - 4) = 7;
                                  								}
                                  							}
                                  							E00405898();
                                  							_t86 = _t179 - 4;
                                  							 *_t86 =  *(_t179 - 4) & 0x00000000;
                                  							__eflags =  *_t86;
                                  							E00405858(_t179 - 0x6c);
                                  						} else {
                                  							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t179 + 0x20)))) + 0x2c))();
                                  							_t177 = 0;
                                  						}
                                  					} else {
                                  						while(1) {
                                  							 *((intOrPtr*)(_t179 - 0x20)) = 0;
                                  							 *((intOrPtr*)(_t179 - 0x1c)) = 0;
                                  							 *((intOrPtr*)(_t179 - 0x18)) = 0;
                                  							E0040247E(_t179 - 0x20, 0xf);
                                  							 *(_t179 - 4) = 1;
                                  							_push(_t179 - 0x20);
                                  							_t133 = E0040C14E(_t142,  *((intOrPtr*)(_t179 - 0x10)), _t176 + 0x18);
                                  							__eflags = _t133;
                                  							if(_t133 != 0) {
                                  								break;
                                  							}
                                  							_t133 = E0040C1F5(_t142,  *((intOrPtr*)(_t179 - 0x10)), _t179 + 0xb);
                                  							__eflags = _t133;
                                  							if(_t133 != 0) {
                                  								break;
                                  							} else {
                                  								__eflags =  *((char*)(_t179 + 0xb));
                                  								_t138 = E00406014( *((char*)(_t179 + 0xb)), _t179 - 0x20, _t133 & 0xffffff00 |  *((char*)(_t179 + 0xb)) == 0x00000000);
                                  								__eflags = _t138;
                                  								if(_t138 != 0) {
                                  									_t138 = E0040DCD2(_t179 - 0x58, _t169,  *((intOrPtr*)(_t179 - 0x10)));
                                  								}
                                  								 *(_t179 - 4) =  *(_t179 - 4) & 0x00000000;
                                  								E00405205(_t138,  *((intOrPtr*)(_t179 - 0x20)));
                                  								 *((intOrPtr*)(_t179 - 0x10)) =  *((intOrPtr*)(_t179 - 0x10)) + 1;
                                  								__eflags =  *((intOrPtr*)(_t179 - 0x10)) -  *(_t179 - 0x14);
                                  								if( *((intOrPtr*)(_t179 - 0x10)) <  *(_t179 - 0x14)) {
                                  									continue;
                                  								} else {
                                  									goto L8;
                                  								}
                                  							}
                                  							goto L18;
                                  						}
                                  						_t177 = _t133;
                                  						E00405205(_t133,  *((intOrPtr*)(_t179 - 0x20)));
                                  					}
                                  				} else {
                                  					_t177 = _t97;
                                  				}
                                  				L18:
                                  				 *(_t179 - 4) =  *(_t179 - 4) | 0xffffffff;
                                  				E00405858(_t179 - 0x58);
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t179 - 0xc));
                                  				return _t177;
                                  			}



















                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: Can not create output directory $U @
                                  • API String ID: 3519838083-3914445023
                                  • Opcode ID: bb66e5949e5e285bb15bfd567494d4d2f21961e5de96b5491b4112546ca7e401
                                  • Instruction ID: e85bbdc87938e79b6fd0cf9faa80ef1b5cc6d2e358f7ab7fd1a3ab43ad598d75
                                  • Opcode Fuzzy Hash: bb66e5949e5e285bb15bfd567494d4d2f21961e5de96b5491b4112546ca7e401
                                  • Instruction Fuzzy Hash: 60715F71D00249EBCF11EFA5C845AEEBBB9EF18304F14416EE815B7191DB389A04DF69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 97%
                                  			E004069D7() {
                                  				void* __edi;
                                  				signed int _t65;
                                  				signed int _t67;
                                  				signed int _t68;
                                  				intOrPtr* _t71;
                                  				intOrPtr* _t75;
                                  				signed char _t76;
                                  				long _t78;
                                  				signed char _t81;
                                  				void* _t89;
                                  				void* _t90;
                                  				signed int _t93;
                                  				signed int _t98;
                                  				signed int _t104;
                                  				signed int _t110;
                                  				intOrPtr _t115;
                                  				intOrPtr _t120;
                                  				intOrPtr _t121;
                                  				intOrPtr _t122;
                                  				void* _t124;
                                  				signed int _t127;
                                  				void* _t130;
                                  
                                  				E004182C0(E00419138, _t130);
                                  				E00401DBF(_t130 - 0x18,  *((intOrPtr*)(_t130 + 8)));
                                  				_t104 =  *(_t130 - 0x14);
                                  				 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
                                  				_t124 = 0x5c;
                                  				if(_t104 == 0) {
                                  					L13:
                                  					E00401E20(_t130 - 0x24, _t130 - 0x18);
                                  					_t127 =  *(_t130 - 0x14);
                                  					 *(_t130 - 4) = 1;
                                  					while(1) {
                                  						L14:
                                  						_t65 = E00406990(_t124,  *((intOrPtr*)(_t130 - 0x18))); // executed
                                  						__eflags = _t65;
                                  						if(_t65 != 0) {
                                  							break;
                                  						}
                                  						_t78 = GetLastError();
                                  						__eflags = _t78 - 0xb7;
                                  						if(_t78 == 0xb7) {
                                  							E00401DA7(_t130 - 0x40);
                                  							 *(_t130 - 4) = 2;
                                  							_push(_t130 - 0x70);
                                  							_push( *((intOrPtr*)(_t130 - 0x18)));
                                  							_t81 = E00407203(_t130 - 0x40, _t120, _t124); // executed
                                  							__eflags = _t81;
                                  							if(_t81 != 0) {
                                  								_t81 =  *(_t130 - 0x70) >> 4;
                                  								__eflags = _t81 & 0x00000001;
                                  								if((_t81 & 0x00000001) != 0) {
                                  									 *(_t130 - 4) = 1;
                                  									E00405205(_t81,  *((intOrPtr*)(_t130 - 0x40)));
                                  									break;
                                  								} else {
                                  									_t98 = 0;
                                  									__eflags = 0;
                                  									goto L31;
                                  								}
                                  							} else {
                                  								_t98 = 1;
                                  								L31:
                                  								E00405205(E00405205(E00405205(_t81,  *((intOrPtr*)(_t130 - 0x40))),  *((intOrPtr*)(_t130 - 0x24))),  *((intOrPtr*)(_t130 - 0x18)));
                                  							}
                                  						} else {
                                  							_t67 =  *(_t130 - 0x14);
                                  							__eflags = _t67;
                                  							if(_t67 == 0) {
                                  								L44:
                                  								_t98 = 0;
                                  								__eflags = 0;
                                  								L45:
                                  								_t68 = E00405205(_t67,  *((intOrPtr*)(_t130 - 0x24)));
                                  								_t121 =  *((intOrPtr*)(_t130 - 0x18));
                                  								goto L46;
                                  							} else {
                                  								_t115 =  *((intOrPtr*)(_t130 - 0x18));
                                  								_t67 = _t115 + _t67 * 2 - 2;
                                  								while(1) {
                                  									__eflags =  *_t67 - _t124;
                                  									if( *_t67 == _t124) {
                                  										break;
                                  									}
                                  									__eflags = _t67 - _t115;
                                  									if(_t67 == _t115) {
                                  										_t127 = _t127 | 0xffffffff;
                                  										__eflags = _t127;
                                  									} else {
                                  										_t67 = _t67;
                                  										continue;
                                  									}
                                  									L23:
                                  									__eflags = _t127;
                                  									if(__eflags < 0 || __eflags == 0) {
                                  										goto L44;
                                  									} else {
                                  										__eflags =  *((short*)(_t115 + _t127 * 2 - 2)) - 0x3a;
                                  										if( *((short*)(_t115 + _t127 * 2 - 2)) == 0x3a) {
                                  											goto L44;
                                  										} else {
                                  											_t89 = E00404E3B(_t130 - 0x18, _t130 - 0x30, _t127);
                                  											 *(_t130 - 4) = 3;
                                  											_t90 = E00401E63(_t130 - 0x18, _t89);
                                  											 *(_t130 - 4) = 1;
                                  											E00405205(_t90,  *((intOrPtr*)(_t130 - 0x30)));
                                  											goto L14;
                                  										}
                                  									}
                                  									goto L47;
                                  								}
                                  								_t127 = _t67;
                                  								goto L23;
                                  							}
                                  						}
                                  						goto L47;
                                  					}
                                  					_t67 = E00401E63(_t130 - 0x18, _t130 - 0x24);
                                  					while(1) {
                                  						L34:
                                  						__eflags = _t127 -  *(_t130 - 0x14);
                                  						if(_t127 >=  *(_t130 - 0x14)) {
                                  							break;
                                  						}
                                  						_t122 =  *((intOrPtr*)(_t130 - 0x18));
                                  						_t71 = _t122 + 2 + _t127 * 2;
                                  						while(1) {
                                  							_t110 =  *_t71;
                                  							__eflags = _t110 - _t124;
                                  							if(_t110 == _t124) {
                                  								break;
                                  							}
                                  							__eflags = _t110;
                                  							if(_t110 == 0) {
                                  								_t127 = _t127 | 0xffffffff;
                                  								__eflags = _t127;
                                  							} else {
                                  								_t71 = _t71 + 2;
                                  								continue;
                                  							}
                                  							L41:
                                  							__eflags = _t127;
                                  							if(_t127 < 0) {
                                  								_t127 =  *(_t130 - 0x14);
                                  							}
                                  							_t75 = E00404E3B(_t130 - 0x18, _t130 - 0x30, _t127);
                                  							 *(_t130 - 4) = 4;
                                  							_t76 = E00406990(_t124,  *_t75);
                                  							asm("sbb bl, bl");
                                  							 *(_t130 - 4) = 1;
                                  							_t67 = E00405205(_t76,  *((intOrPtr*)(_t130 - 0x30)));
                                  							__eflags =  ~_t76 + 1;
                                  							if( ~_t76 + 1 == 0) {
                                  								goto L34;
                                  							} else {
                                  								goto L44;
                                  							}
                                  							goto L45;
                                  						}
                                  						_t127 = _t71 - _t122 >> 1;
                                  						goto L41;
                                  					}
                                  					_t98 = 1;
                                  					goto L45;
                                  				} else {
                                  					_t120 =  *((intOrPtr*)(_t130 - 0x18));
                                  					_t93 = _t120 + _t104 * 2 - 2;
                                  					while( *_t93 != _t124) {
                                  						if(_t93 == _t120) {
                                  							_t68 = _t93 | 0xffffffff;
                                  							__eflags = _t68;
                                  						} else {
                                  							_t93 = _t93;
                                  							continue;
                                  						}
                                  						L7:
                                  						__eflags = _t68;
                                  						if(_t68 <= 0) {
                                  							goto L13;
                                  						} else {
                                  							__eflags = _t68 - _t104 - 1;
                                  							if(_t68 != _t104 - 1) {
                                  								goto L13;
                                  							} else {
                                  								__eflags = _t104 - 3;
                                  								if(_t104 != 3) {
                                  									L12:
                                  									E00405047(_t130 - 0x18, _t68, 1);
                                  									goto L13;
                                  								} else {
                                  									__eflags =  *((short*)(_t120 + 2)) - 0x3a;
                                  									if( *((short*)(_t120 + 2)) != 0x3a) {
                                  										goto L12;
                                  									} else {
                                  										_t98 = 1;
                                  										L46:
                                  										E00405205(_t68, _t121);
                                  									}
                                  								}
                                  							}
                                  						}
                                  						goto L47;
                                  					}
                                  					_t68 = _t93 - _t120 >> 1;
                                  					goto L7;
                                  				}
                                  				L47:
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t130 - 0xc));
                                  				return _t98;
                                  			}


























                                  APIs
                                  • __EH_prolog.LIBCMT ref: 004069DC
                                  • GetLastError.KERNEL32(?,?,00000001,U @,?,00000001), ref: 00406A69
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ErrorH_prologLast
                                  • String ID: U @
                                  • API String ID: 1057991267-1986941051
                                  • Opcode ID: 4ca6079aed5239229c7e9b09f9cb44c1e7245de5cc6467a0798978d625f8f89f
                                  • Instruction ID: b2f7df54a7dfd3e7a038ad71309c8b723bfc7f2857ca45d9feee85253594be7b
                                  • Opcode Fuzzy Hash: 4ca6079aed5239229c7e9b09f9cb44c1e7245de5cc6467a0798978d625f8f89f
                                  • Instruction Fuzzy Hash: 6D51E371A0111A9ACF11EBA4C941AFFB774EF12314F12417BE802B31D1D7396E56CE99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1696 4072dd-4072f6 call 4182c0 1699 407351-40735a call 40738f 1696->1699 1700 4072f8-40734f call 401dbf AreFileApisANSI call 4057a5 call 4072a4 call 405205 * 2 1696->1700 1705 40735c-40737d CreateFileW 1699->1705 1706 40737f-40738c 1699->1706 1700->1706 1705->1706
                                  C-Code - Quality: 94%
                                  			E004072DD(void** __ecx, void* __edi) {
                                  				signed int _t23;
                                  				void* _t24;
                                  				signed int _t26;
                                  				intOrPtr* _t31;
                                  				signed int _t33;
                                  				void** _t51;
                                  				void* _t53;
                                  				intOrPtr _t58;
                                  
                                  				E004182C0(E00419218, _t53);
                                  				_t58 =  *0x421274; // 0x1
                                  				_t51 = __ecx;
                                  				if(_t58 != 0) {
                                  					_t23 = E0040738F(__ecx);
                                  					__eflags = _t23;
                                  					if(_t23 != 0) {
                                  						_t24 = CreateFileW( *(_t53 + 8),  *(_t53 + 0xc),  *(_t53 + 0x10), 0,  *(_t53 + 0x14),  *(_t53 + 0x18), 0); // executed
                                  						__eflags = _t24 - 0xffffffff;
                                  						_t19 = _t24 != 0xffffffff;
                                  						__eflags = _t19;
                                  						 *_t51 = _t24;
                                  						_t23 = 0 | _t19;
                                  					}
                                  				} else {
                                  					E00401DBF(_t53 - 0x18,  *(_t53 + 8));
                                  					 *((intOrPtr*)(_t53 - 4)) = 0;
                                  					_t26 = AreFileApisANSI();
                                  					asm("sbb eax, eax");
                                  					_t31 = E004057A5(__edi, _t53 - 0x24, _t53 - 0x18,  ~_t26 + 1);
                                  					 *((char*)(_t53 - 4)) = 1;
                                  					_t33 = E004072A4(_t51, _t58,  *_t31,  *(_t53 + 0xc),  *(_t53 + 0x10),  *(_t53 + 0x14),  *(_t53 + 0x18));
                                  					E00405205(E00405205(_t33,  *((intOrPtr*)(_t53 - 0x24))),  *((intOrPtr*)(_t53 - 0x18)));
                                  					_t23 = _t33;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                                  				return _t23;
                                  			}












                                  APIs
                                  • __EH_prolog.LIBCMT ref: 004072E2
                                  • AreFileApisANSI.KERNEL32(?,00000000,00000000,00407D98,?,0040C52E,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 00407306
                                    • Part of subcall function 004057A5: __EH_prolog.LIBCMT ref: 004057AA
                                    • Part of subcall function 004057A5: WideCharToMultiByte.KERNEL32(?,00000000,?,00000003,?,?,0000005F,00000000,U @,0000000F,?,00000000,?,?,?,?), ref: 00405807
                                    • Part of subcall function 004057A5: _CxxThrowException.MSVCRT(?,0041C9B8), ref: 00405822
                                    • Part of subcall function 004072A4: CreateFileA.KERNEL32(?,?,?,00000000,?,?,00000000,?,?,00407339,?,?,?,?,?,00000002), ref: 004072C6
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,00000000,00000000,00407D98,?,0040C52E,?,?,?,?), ref: 0040736D
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: File$CreateH_prolog$ApisByteCharExceptionMultiThrowWidefree
                                  • String ID:
                                  • API String ID: 1766565663-0
                                  • Opcode ID: 2414447cf4f4b437d6ccd6b3e580a37bbfa0e28d52cfab1e514c58bd4bcb63bc
                                  • Instruction ID: bd572c89488c41989729d617cb0539a3afc396b5c6eedd06e492ef4d07c913f4
                                  • Opcode Fuzzy Hash: 2414447cf4f4b437d6ccd6b3e580a37bbfa0e28d52cfab1e514c58bd4bcb63bc
                                  • Instruction Fuzzy Hash: 99118176900109AFCF01AFA4DC41DEE7B65EF19344F00416AF911B21A1D7398965EF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1715 40898a-4089be call 4182c0 EnterCriticalSection call 407dda 1719 4089c0-4089ce call 407d9b 1715->1719 1720 4089d1-4089e9 LeaveCriticalSection 1715->1720 1719->1720
                                  C-Code - Quality: 100%
                                  			E0040898A(intOrPtr* __ecx) {
                                  				intOrPtr* _t15;
                                  				void* _t16;
                                  				void* _t22;
                                  				struct _CRITICAL_SECTION* _t23;
                                  				void* _t25;
                                  				intOrPtr* _t26;
                                  				intOrPtr* _t29;
                                  				void* _t30;
                                  
                                  				E004182C0(E004192E8, _t30);
                                  				_t26 = __ecx;
                                  				_t23 = __ecx + 4;
                                  				 *(_t30 - 0x10) = _t23;
                                  				EnterCriticalSection(_t23);
                                  				_t15 =  *_t26;
                                  				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                  				_t16 =  *((intOrPtr*)( *_t15 + 0x10))(_t15,  *((intOrPtr*)(_t30 + 8)),  *((intOrPtr*)(_t30 + 0xc)), 0, 0, _t22, _t25, __ecx);
                                  				if(_t16 == 0) {
                                  					_t29 =  *_t26;
                                  					_t16 =  *((intOrPtr*)( *_t29 + 0xc))(_t29,  *((intOrPtr*)(_t30 + 0x10)),  *((intOrPtr*)(_t30 + 0x14)),  *((intOrPtr*)(_t30 + 0x18)));
                                  				}
                                  				LeaveCriticalSection(_t23);
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                  				return _t16;
                                  			}












                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040898F
                                  • EnterCriticalSection.KERNEL32(00000000,?,?,?,00408A19,?,?,?,?,?), ref: 004089A0
                                  • LeaveCriticalSection.KERNEL32(00000000,?,?,?,00408A19,?,?,?,?,?), ref: 004089D4
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterH_prologLeave
                                  • String ID:
                                  • API String ID: 367238759-0
                                  • Opcode ID: c721647335bdc12edf22dd040c5dd7afb320820bbb65d85dfb4771f017f52200
                                  • Instruction ID: 294ec74cb3a1cfa67195ca6f2380591a5a81100b61c139b3415a42435f7ffb7b
                                  • Opcode Fuzzy Hash: c721647335bdc12edf22dd040c5dd7afb320820bbb65d85dfb4771f017f52200
                                  • Instruction Fuzzy Hash: 0D011D76A00214AFCB119F94CC08BAABBB5FF49721F10845AFD51A7250C7B4A950DFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1723 411e4e-411f73 call 4182c0 call 407282 * 3 call 402463 call 407282 * 4 call 411c25 call 40e1e9 1746 4120d1-4120db call 40fc32 1723->1746 1747 411f79-411fd7 call 412e21 call 405205 call 40fb33 1723->1747 1751 4120e0-412121 call 405858 * 4 1746->1751 1761 411fd9-411fdb 1747->1761 1762 411fdd call 410efb 1747->1762 1771 412123-412171 call 405898 call 405858 * 4 1751->1771 1761->1762 1763 411fe2-411ff8 call 408ffb call 4051de 1761->1763 1762->1763 1774 412005-41200d 1763->1774 1775 411ffa-412003 1763->1775 1777 412015-41204d call 40e298 1774->1777 1778 41200f-412011 1774->1778 1775->1774 1783 412052-412057 1777->1783 1778->1777 1785 412174-41217a 1783->1785 1786 41205d-412064 1783->1786 1787 412182-4121d5 call 40fc32 call 405858 * 4 1785->1787 1788 41217c-41217e 1785->1788 1790 412081-412090 1786->1790 1791 412066-41207a call 418290 1786->1791 1787->1771 1788->1787 1794 412092 1790->1794 1795 4120b4-4120ba 1790->1795 1791->1790 1804 41207c call 410efb 1791->1804 1799 412095-4120b2 1794->1799 1800 4120c2-4120cb 1795->1800 1801 4120bc-4120be 1795->1801 1799->1795 1799->1799 1800->1746 1800->1747 1801->1800 1804->1790
                                  C-Code - Quality: 92%
                                  			E00411E4E(intOrPtr __ecx, signed int __edx, void* __eflags) {
                                  				void* _t194;
                                  				intOrPtr _t196;
                                  				intOrPtr* _t202;
                                  				intOrPtr _t208;
                                  				intOrPtr _t218;
                                  				void* _t227;
                                  				intOrPtr _t233;
                                  				intOrPtr _t273;
                                  				signed int _t276;
                                  				void* _t280;
                                  				intOrPtr* _t284;
                                  				intOrPtr* _t285;
                                  				intOrPtr* _t289;
                                  				void* _t290;
                                  				void* _t295;
                                  
                                  				_t295 = __eflags;
                                  				_t276 = __edx;
                                  				E004182C0(E0041A45E, _t290);
                                  				 *((intOrPtr*)(_t290 - 0x18)) = __ecx;
                                  				E00407282(_t290 - 0x58, 8);
                                  				 *((intOrPtr*)(_t290 - 0x58)) = 0x41b664;
                                  				 *(_t290 - 4) =  *(_t290 - 4) & 0x00000000;
                                  				E00407282(_t290 - 0xd4, 1);
                                  				 *((intOrPtr*)(_t290 - 0xd4)) = 0x41b828;
                                  				 *(_t290 - 4) = 1;
                                  				E00407282(_t290 - 0xc0, 4);
                                  				 *((intOrPtr*)(_t290 - 0xc0)) = 0x41b65c;
                                  				 *(_t290 - 4) = 2;
                                  				E00402463(_t290 - 0x34);
                                  				 *((intOrPtr*)(_t290 - 0x34)) = 0x41b8b8;
                                  				 *(_t290 - 4) = 3;
                                  				E00407282(_t290 - 0x80, 4);
                                  				 *((intOrPtr*)(_t290 - 0x80)) = 0x41b65c;
                                  				 *(_t290 - 4) = 4;
                                  				E00407282(_t290 - 0xa8, 8);
                                  				 *((intOrPtr*)(_t290 - 0xa8)) = 0x41b664;
                                  				 *(_t290 - 4) = 5;
                                  				E00407282(_t290 - 0x6c, 1);
                                  				 *((intOrPtr*)(_t290 - 0x6c)) = 0x41b828;
                                  				 *(_t290 - 4) = 6;
                                  				E00407282(_t290 - 0x94, 4);
                                  				 *((intOrPtr*)(_t290 - 0x94)) = 0x41b65c;
                                  				_t284 =  *((intOrPtr*)(_t290 + 0x10));
                                  				 *(_t290 - 4) = 7;
                                  				E00411C25( *((intOrPtr*)(_t290 - 0x18)), __edx, 0, _t284, _t290 - 0x58, _t290 - 0xd4, _t290 - 0xc0, _t290 - 0x34, _t290 - 0x80, _t290 - 0xa8, _t290 - 0x6c, _t290 - 0x94);
                                  				 *(_t290 - 0x14) =  *(_t290 - 0x14) & 0x00000000;
                                  				E0040E1E9(_t290 - 0x160, _t295, 1);
                                  				_t280 =  *_t284 +  *((intOrPtr*)(_t290 + 8));
                                  				_t233 =  *((intOrPtr*)(_t284 + 4));
                                  				asm("adc ebx, [ebp+0xc]");
                                  				 *(_t290 + 0xc) =  *(_t290 + 0xc) & 0x00000000;
                                  				if( *((intOrPtr*)(_t290 - 0x2c)) <= 0) {
                                  					L18:
                                  					 *(_t290 - 4) = 7;
                                  					E0040FC32(_t290 - 0x160, _t307); // executed
                                  					 *(_t290 - 4) = 6;
                                  					E00405858(_t290 - 0x94);
                                  					 *(_t290 - 4) = 5;
                                  					E00405858(_t290 - 0x6c);
                                  					 *(_t290 - 4) = 4;
                                  					E00405858(_t290 - 0xa8);
                                  					 *(_t290 - 4) = 3;
                                  					E00405858(_t290 - 0x80);
                                  					 *((intOrPtr*)(_t290 - 0x34)) = 0x41b8b8;
                                  					 *(_t290 - 4) = 0xc;
                                  					_t285 = 0;
                                  					L19:
                                  					E00405898();
                                  					 *(_t290 - 4) = 2;
                                  					E00405858(_t290 - 0x34);
                                  					 *(_t290 - 4) = 1;
                                  					E00405858(_t290 - 0xc0);
                                  					 *(_t290 - 4) =  *(_t290 - 4) & 0x00000000;
                                  					E00405858(_t290 - 0xd4);
                                  					 *(_t290 - 4) =  *(_t290 - 4) | 0xffffffff;
                                  					E00405858(_t290 - 0x58);
                                  					 *[fs:0x0] =  *((intOrPtr*)(_t290 - 0xc));
                                  					return _t285;
                                  				} else {
                                  					goto L1;
                                  				}
                                  				while(1) {
                                  					L1:
                                  					 *(_t290 - 0x3c) =  *(_t290 - 0x3c) & 0x00000000;
                                  					 *(_t290 - 0x38) =  *(_t290 - 0x38) & 0x00000000;
                                  					 *((intOrPtr*)(_t290 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t290 - 0x28)) +  *(_t290 + 0xc) * 4));
                                  					 *((intOrPtr*)(_t290 - 0x40)) = 0x41b7b4;
                                  					_push(_t290 - 0x40);
                                  					 *(_t290 - 4) = 9;
                                  					_t194 = E00412E21( *((intOrPtr*)(_t290 + 0x14)), _t276);
                                  					 *(_t290 - 4) = 8;
                                  					 *((intOrPtr*)(_t290 - 0x40)) = 0x41b7b4;
                                  					E00405205(_t194,  *(_t290 - 0x38));
                                  					_t196 =  *((intOrPtr*)(_t290 + 0x14));
                                  					_t288 =  *( *((intOrPtr*)(_t196 + 0xc)) +  *(_t196 + 8) * 4 - 4);
                                  					 *(_t290 - 0x10) =  *( *((intOrPtr*)(_t196 + 0xc)) +  *(_t196 + 8) * 4 - 4);
                                  					 *(_t290 - 0x20) = E0040FB33( *((intOrPtr*)(_t290 + 0x10)));
                                  					_t262 =  *(_t290 - 0x20);
                                  					if( *(_t290 - 0x20) !=  *(_t290 - 0x20) || 0 != _t276) {
                                  						E00410EFB(_t262);
                                  					}
                                  					E00408FFB(_t288,  *(_t290 - 0x20));
                                  					_push(0x14);
                                  					_t202 = E004051DE();
                                  					_t289 = 0;
                                  					if(_t202 != 0) {
                                  						 *((intOrPtr*)(_t202 + 4)) = 0;
                                  						 *_t202 = 0x41b8e0;
                                  						_t289 = _t202;
                                  					}
                                  					_t300 = _t289;
                                  					 *((intOrPtr*)(_t290 - 0xac)) = _t289;
                                  					if(_t289 != 0) {
                                  						 *((intOrPtr*)( *_t289 + 4))(_t289);
                                  					}
                                  					_t276 =  *(_t290 - 0x14);
                                  					 *(_t290 - 4) = 0xa;
                                  					 *(_t289 + 0x10) =  *(_t289 + 0x10) & 0x00000000;
                                  					 *((intOrPtr*)(_t289 + 8)) =  *((intOrPtr*)( *(_t290 - 0x10) + 8));
                                  					 *(_t289 + 0xc) =  *(_t290 - 0x20);
                                  					_t208 = E0040E298(_t290 - 0x160, _t276, _t300,  *((intOrPtr*)( *((intOrPtr*)(_t290 - 0x18)))), _t280, _t233,  *((intOrPtr*)(_t290 - 0x4c)) + _t276 * 8,  *((intOrPtr*)(_t290 + 0x10)), _t289, 0,  *((intOrPtr*)(_t290 + 0x18))); // executed
                                  					 *((intOrPtr*)(_t290 - 0x44)) = _t208;
                                  					if(_t208 != 0) {
                                  						break;
                                  					}
                                  					if( *((char*)( *((intOrPtr*)(_t290 + 0x10)) + 0x54)) != 0) {
                                  						_t276 =  *(_t290 - 0x20);
                                  						_t227 = E00418290( *((intOrPtr*)( *(_t290 - 0x10) + 8)), _t276);
                                  						_t275 =  *((intOrPtr*)(_t290 + 0x10));
                                  						if(_t227 !=  *((intOrPtr*)( *((intOrPtr*)(_t290 + 0x10)) + 0x50))) {
                                  							E00410EFB(_t275);
                                  						}
                                  					}
                                  					 *(_t290 - 0x10) =  *(_t290 - 0x10) & 0x00000000;
                                  					_t218 =  *((intOrPtr*)( *((intOrPtr*)(_t290 + 0x10)) + 0x30));
                                  					 *((intOrPtr*)(_t290 + 0x10)) = _t218;
                                  					if(_t218 <= 0) {
                                  						L15:
                                  						 *(_t290 - 4) = 8;
                                  						if(_t289 != 0) {
                                  							 *((intOrPtr*)( *_t289 + 8))(_t289);
                                  						}
                                  						 *(_t290 + 0xc) =  *(_t290 + 0xc) + 1;
                                  						_t307 =  *(_t290 + 0xc) -  *((intOrPtr*)(_t290 - 0x2c));
                                  						if( *(_t290 + 0xc) <  *((intOrPtr*)(_t290 - 0x2c))) {
                                  							continue;
                                  						} else {
                                  							goto L18;
                                  						}
                                  					} else {
                                  						_t273 =  *((intOrPtr*)(_t290 - 0x4c));
                                  						do {
                                  							 *(_t290 - 0x14) =  *(_t290 - 0x14) + 1;
                                  							_t276 =  *(( *(_t290 - 0x14) << 3) + _t273);
                                  							_t280 = _t280 + _t276;
                                  							asm("adc ebx, eax");
                                  							 *(_t290 - 0x10) =  *(_t290 - 0x10) + 1;
                                  						} while ( *(_t290 - 0x10) <  *((intOrPtr*)(_t290 + 0x10)));
                                  						goto L15;
                                  					}
                                  				}
                                  				__eflags = _t289;
                                  				 *(_t290 - 4) = 8;
                                  				if(__eflags != 0) {
                                  					 *((intOrPtr*)( *_t289 + 8))(_t289);
                                  				}
                                  				 *(_t290 - 4) = 7;
                                  				E0040FC32(_t290 - 0x160, __eflags);
                                  				 *(_t290 - 4) = 6;
                                  				E00405858(_t290 - 0x94);
                                  				 *(_t290 - 4) = 5;
                                  				E00405858(_t290 - 0x6c);
                                  				 *(_t290 - 4) = 4;
                                  				E00405858(_t290 - 0xa8);
                                  				 *(_t290 - 4) = 3;
                                  				E00405858(_t290 - 0x80);
                                  				 *((intOrPtr*)(_t290 - 0x34)) = 0x41b8b8;
                                  				_t285 =  *((intOrPtr*)(_t290 - 0x44));
                                  				 *(_t290 - 4) = 0xb;
                                  				goto L19;
                                  			}



















                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00411E53
                                    • Part of subcall function 00412E21: __EH_prolog.LIBCMT ref: 00412E26
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog$free
                                  • String ID: *0A
                                  • API String ID: 2654054672-335961553
                                  • Opcode ID: 483b97768c32cc5d4209274ad1bff59b1aba8a217790bf3e0a072470888cdeb9
                                  • Instruction ID: 1be6f6386906eb0039ea5947bf8aa9945d6aee2dca3b482c5cfa62c2f4a2333a
                                  • Opcode Fuzzy Hash: 483b97768c32cc5d4209274ad1bff59b1aba8a217790bf3e0a072470888cdeb9
                                  • Instruction Fuzzy Hash: 71C14731901298DFDB11EF94C985BDEBBB4FF15308F14809EE905A7282CB786A44CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1814 40c58b-40c5b8 call 4182c0 call 40c4d4 1819 40c81a-40c828 1814->1819 1820 40c5be-40c5d9 1814->1820 1822 40c80a 1820->1822 1823 40c5df-40c5e1 1820->1823 1825 40c80e-40c810 1822->1825 1823->1822 1824 40c5e7-40c5fb 1823->1824 1829 40c7f1-40c7f9 1824->1829 1830 40c601-40c61b 1824->1830 1826 40c812-40c814 1825->1826 1827 40c818 1825->1827 1826->1827 1827->1819 1831 40c801-40c808 1829->1831 1832 40c7fb-40c7fd 1829->1832 1834 40c7e0-40c7e9 1830->1834 1835 40c621-40c624 1830->1835 1831->1825 1832->1831 1834->1829 1837 40c7eb-40c7ed 1834->1837 1835->1829 1836 40c62a-40c63b 1835->1836 1839 40c677-40c67b 1836->1839 1840 40c63d-40c646 1836->1840 1837->1829 1839->1834 1843 40c681-40c6a8 call 40247e call 40c0d0 1839->1843 1841 40c648-40c64a 1840->1841 1842 40c64e-40c656 1840->1842 1841->1842 1845 40c658-40c65a 1842->1845 1846 40c65e-40c667 1842->1846 1852 40c6aa-40c6bc call 405205 1843->1852 1853 40c6ec-40c6ef 1843->1853 1845->1846 1848 40c669-40c66b 1846->1848 1849 40c66f-40c672 1846->1849 1848->1849 1849->1819 1862 40c6c4-40c6cc 1852->1862 1863 40c6be-40c6c0 1852->1863 1854 40c6f1-40c71e call 40c82b call 401e63 call 405668 1853->1854 1855 40c762-40c784 call 405b48 call 401e63 call 405205 1853->1855 1876 40c720-40c755 call 401efe call 405668 call 405205 1854->1876 1877 40c785-40c7a2 1854->1877 1855->1877 1866 40c6d4-40c6dd 1862->1866 1867 40c6ce-40c6d0 1862->1867 1863->1862 1870 40c6e5-40c6e7 1866->1870 1871 40c6df-40c6e1 1866->1871 1867->1866 1870->1819 1871->1870 1876->1877 1892 40c757-40c760 call 401ea1 1876->1892 1882 40c7a4-40c7a9 1877->1882 1883 40c7ad-40c7cf call 40c20b 1877->1883 1882->1883 1888 40c7d1-40c7d3 1883->1888 1889 40c7d7-40c7df call 405205 1883->1889 1888->1889 1889->1834 1892->1877
                                  C-Code - Quality: 67%
                                  			E0040C58B() {
                                  				intOrPtr _t106;
                                  				intOrPtr* _t107;
                                  				void* _t108;
                                  				intOrPtr* _t109;
                                  				signed int* _t112;
                                  				signed int* _t114;
                                  				intOrPtr* _t116;
                                  				intOrPtr* _t118;
                                  				intOrPtr _t119;
                                  				void* _t125;
                                  				intOrPtr* _t130;
                                  				intOrPtr* _t133;
                                  				intOrPtr* _t142;
                                  				intOrPtr* _t147;
                                  				signed int* _t148;
                                  				intOrPtr* _t149;
                                  				intOrPtr* _t153;
                                  				signed int* _t154;
                                  				intOrPtr* _t155;
                                  				intOrPtr* _t198;
                                  				intOrPtr _t200;
                                  				intOrPtr* _t201;
                                  				void* _t203;
                                  
                                  				E004182C0(E004199E8, _t203);
                                  				_t198 =  *((intOrPtr*)(_t203 + 0x10));
                                  				_push( *((intOrPtr*)(_t203 + 0x28)));
                                  				_t195 =  *(_t203 + 0x18);
                                  				_push( *((intOrPtr*)(_t203 + 0x20)));
                                  				_push( *(_t203 + 0x18));
                                  				_push(_t198);
                                  				_push( *((intOrPtr*)(_t203 + 0xc)));
                                  				_push( *((intOrPtr*)(_t203 + 8)));
                                  				_t106 = E0040C4D4(); // executed
                                  				if(_t106 != 0) {
                                  					L42:
                                  					 *[fs:0x0] =  *((intOrPtr*)(_t203 - 0xc));
                                  					return _t106;
                                  				}
                                  				 *((intOrPtr*)(_t203 + 0x10)) = 0;
                                  				_t107 =  *_t198;
                                  				 *(_t203 - 4) = 0;
                                  				_t108 =  *((intOrPtr*)( *_t107))(_t107, 0x41b268, _t203 + 0x10);
                                  				_t109 =  *((intOrPtr*)(_t203 + 0x10));
                                  				if(_t108 != 0 || _t109 == 0) {
                                  					 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                                  					goto L39;
                                  				} else {
                                  					 *(_t203 + 0x18) = 0;
                                  					_push(_t203 + 0x18);
                                  					_push(0);
                                  					_push(_t109);
                                  					 *(_t203 - 4) = 1;
                                  					if( *((intOrPtr*)( *_t109 + 0xc))() != 0) {
                                  						L35:
                                  						_t112 =  *(_t203 + 0x18);
                                  						 *(_t203 - 4) = 0;
                                  						if(_t112 != 0) {
                                  							 *((intOrPtr*)( *_t112 + 8))(_t112);
                                  						}
                                  						 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                                  						_t109 =  *((intOrPtr*)(_t203 + 0x10));
                                  						L39:
                                  						if(_t109 != 0) {
                                  							 *((intOrPtr*)( *_t109 + 8))(_t109);
                                  						}
                                  						_t106 = 0;
                                  						goto L42;
                                  					}
                                  					 *((intOrPtr*)(_t203 + 0xc)) = 0;
                                  					_t114 =  *(_t203 + 0x18);
                                  					_push(_t203 + 0xc);
                                  					_push(0x41b338);
                                  					_push(_t114);
                                  					 *(_t203 - 4) = 2;
                                  					if( *( *_t114)() != 0) {
                                  						L33:
                                  						_t116 =  *((intOrPtr*)(_t203 + 0xc));
                                  						 *(_t203 - 4) = 1;
                                  						if(_t116 != 0) {
                                  							 *((intOrPtr*)( *_t116 + 8))(_t116);
                                  						}
                                  						goto L35;
                                  					}
                                  					if( *((intOrPtr*)(_t203 + 0xc)) == 0) {
                                  						goto L35;
                                  					}
                                  					_t118 =  *_t198;
                                  					_t193 = _t203 - 0x18;
                                  					_t119 =  *((intOrPtr*)( *_t118 + 0x14))(_t118, _t203 - 0x18);
                                  					 *((intOrPtr*)(_t203 - 0x14)) = _t119;
                                  					if(_t119 == 0) {
                                  						if( *((intOrPtr*)(_t203 - 0x18)) < 1) {
                                  							goto L33;
                                  						}
                                  						_t170 = _t203 - 0x24;
                                  						 *((intOrPtr*)(_t203 - 0x24)) = 0;
                                  						 *((intOrPtr*)(_t203 - 0x20)) = 0;
                                  						 *((intOrPtr*)(_t203 - 0x1c)) = 0;
                                  						E0040247E(_t203 - 0x24, 0xf);
                                  						 *(_t203 - 4) = 3;
                                  						_push(_t203 - 0x24);
                                  						_push(0);
                                  						_push( *_t198);
                                  						_t200 = E0040C0D0();
                                  						if(_t200 == 0) {
                                  							if( *((intOrPtr*)(_t203 - 0x20)) != 0) {
                                  								_t125 = E00405B48(_t170, _t203 - 0x30, _t203 - 0x24);
                                  								 *(_t203 - 4) = 5;
                                  								E00405205(E00401E63(_t203 - 0x24, _t125),  *((intOrPtr*)(_t203 - 0x30)));
                                  							} else {
                                  								_push( *((intOrPtr*)(_t203 + 0x20)));
                                  								E0040C82B();
                                  								E00401E63(_t203 - 0x24,  *((intOrPtr*)(_t203 + 0x20)));
                                  								if(E00405668( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t203 + 8)) + 0x14)) +  *_t195 * 4)) + 0xc)), 0x420fa0) == 0) {
                                  									_t142 = E00401EFE(_t203 - 0x24, _t203 - 0x30, 3);
                                  									 *(_t203 - 4) = 4;
                                  									 *((char*)(_t203 + 0x23)) = E00405668( *_t142, 0x420f98) != 0;
                                  									 *(_t203 - 4) = 3;
                                  									E00405205(_t143,  *((intOrPtr*)(_t203 - 0x30)));
                                  									if( *((intOrPtr*)(_t203 + 0x23)) != 0) {
                                  										E00401EA1(_t203 - 0x24, _t193, 0x420f98);
                                  									}
                                  								}
                                  							}
                                  							 *((intOrPtr*)(_t203 - 0x10)) = 0;
                                  							_t201 =  *((intOrPtr*)(_t203 + 0x28));
                                  							 *(_t203 - 4) = 6;
                                  							 *((intOrPtr*)( *_t201))(_t201, 0x41b258, _t203 - 0x10);
                                  							_t130 =  *((intOrPtr*)(_t203 - 0x10));
                                  							if(_t130 != 0) {
                                  								 *((intOrPtr*)( *_t130 + 0xc))(_t130,  *((intOrPtr*)(_t203 - 0x24)));
                                  							}
                                  							_push(_t201);
                                  							_push( *((intOrPtr*)(_t203 + 0x24)));
                                  							_push( *((intOrPtr*)(_t203 + 0x1c)));
                                  							_push( *((intOrPtr*)(_t203 + 0x14)));
                                  							_push(_t203 - 0x24);
                                  							_push( *((intOrPtr*)(_t203 + 0xc)));
                                  							_push( *((intOrPtr*)(_t203 + 8)));
                                  							E0040C20B();
                                  							_t133 =  *((intOrPtr*)(_t203 - 0x10));
                                  							 *(_t203 - 4) = 3;
                                  							if(_t133 != 0) {
                                  								_t133 =  *((intOrPtr*)( *_t133 + 8))(_t133);
                                  							}
                                  							E00405205(_t133,  *((intOrPtr*)(_t203 - 0x24)));
                                  							goto L33;
                                  						}
                                  						E00405205(_t122,  *((intOrPtr*)(_t203 - 0x24)));
                                  						_t147 =  *((intOrPtr*)(_t203 + 0xc));
                                  						 *(_t203 - 4) = 1;
                                  						if(_t147 != 0) {
                                  							 *((intOrPtr*)( *_t147 + 8))(_t147);
                                  						}
                                  						_t148 =  *(_t203 + 0x18);
                                  						 *(_t203 - 4) = 0;
                                  						if(_t148 != 0) {
                                  							 *((intOrPtr*)( *_t148 + 8))(_t148);
                                  						}
                                  						_t149 =  *((intOrPtr*)(_t203 + 0x10));
                                  						 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                                  						if(_t149 != 0) {
                                  							 *((intOrPtr*)( *_t149 + 8))(_t149);
                                  						}
                                  						_t106 = _t200;
                                  					} else {
                                  						_t153 =  *((intOrPtr*)(_t203 + 0xc));
                                  						 *(_t203 - 4) = 1;
                                  						if(_t153 != 0) {
                                  							 *((intOrPtr*)( *_t153 + 8))(_t153);
                                  						}
                                  						_t154 =  *(_t203 + 0x18);
                                  						 *(_t203 - 4) = 0;
                                  						if(_t154 != 0) {
                                  							 *((intOrPtr*)( *_t154 + 8))(_t154);
                                  						}
                                  						_t155 =  *((intOrPtr*)(_t203 + 0x10));
                                  						 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                                  						if(_t155 != 0) {
                                  							 *((intOrPtr*)( *_t155 + 8))(_t155);
                                  						}
                                  						_t106 =  *((intOrPtr*)(_t203 - 0x14));
                                  					}
                                  					goto L42;
                                  				}
                                  			}

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040C590
                                    • Part of subcall function 0040C4D4: __EH_prolog.LIBCMT ref: 0040C4D9
                                    • Part of subcall function 0040C4D4: GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,00000000,?,?,0000000F,00421290,?,00000000), ref: 0040C532
                                    • Part of subcall function 0040C82B: __EH_prolog.LIBCMT ref: 0040C830
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog$ErrorLastfree
                                  • String ID: .7z
                                  • API String ID: 683690243-3980757742
                                  • Opcode ID: 1710e7829d891934031f47c97b434ddb9fe1881f7c0f6d9b9fb44cc2da6818e2
                                  • Instruction ID: ec7e6db391864308e5c0b58f172718c6c8c5db5a8cbaa532e3ca303321de8c9e
                                  • Opcode Fuzzy Hash: 1710e7829d891934031f47c97b434ddb9fe1881f7c0f6d9b9fb44cc2da6818e2
                                  • Instruction Fuzzy Hash: 65A15771900249EFCF10DFA4C8C59AEBBB4AF49314F2485AEF805E7291C73A9E45DB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E00412A81(intOrPtr* __ecx) {
                                  				void* _t95;
                                  				signed char _t98;
                                  				intOrPtr* _t99;
                                  				intOrPtr* _t101;
                                  				signed char _t102;
                                  				void* _t103;
                                  				void* _t107;
                                  				signed char _t111;
                                  				void* _t148;
                                  				signed char _t151;
                                  				intOrPtr _t153;
                                  				intOrPtr* _t156;
                                  				signed char _t158;
                                  				void* _t159;
                                  
                                  				E004182C0(E0041A53C, _t159);
                                  				_t153 =  *((intOrPtr*)(_t159 + 8));
                                  				_t156 = __ecx;
                                  				_t128 = _t153;
                                  				E00410A20(_t153);
                                  				 *((intOrPtr*)(_t153 + 0x80)) =  *((intOrPtr*)(_t156 + 0x20));
                                  				 *((intOrPtr*)(_t153 + 0x84)) =  *((intOrPtr*)(_t156 + 0x24));
                                  				 *((char*)(_t153 + 0x78)) =  *((intOrPtr*)(_t156 + 0x2e));
                                  				 *((char*)(_t153 + 0x79)) =  *((intOrPtr*)(_t156 + 0x2f));
                                  				if( *((char*)(_t153 + 0x78)) != 0) {
                                  					E00410EFB(_t128);
                                  				}
                                  				 *((intOrPtr*)(_t159 - 0x28)) =  *((intOrPtr*)(_t156 + 0x34));
                                  				 *((intOrPtr*)(_t159 - 0x24)) =  *((intOrPtr*)(_t156 + 0x38));
                                  				 *(_t159 - 0x18) =  *(_t156 + 0x3c);
                                  				 *(_t159 - 0x14) =  *(_t156 + 0x40);
                                  				_t148 = 0x14;
                                  				 *((intOrPtr*)(_t159 - 0x10)) =  *((intOrPtr*)(_t156 + 0x44));
                                  				_t95 = E00418290(_t156 + 0x34, _t148);
                                  				_t131 =  *((intOrPtr*)(_t156 + 0x20)) + 0x20;
                                  				asm("adc edx, 0x0");
                                  				 *((intOrPtr*)(_t153 + 0x88)) =  *((intOrPtr*)(_t156 + 0x20)) + 0x20;
                                  				 *((intOrPtr*)(_t153 + 0x8c)) =  *((intOrPtr*)(_t156 + 0x24));
                                  				if(_t95 !=  *((intOrPtr*)(_t156 + 0x30))) {
                                  					E00410EFB(_t131);
                                  				}
                                  				if(( *(_t159 - 0x18) |  *(_t159 - 0x14)) != 0) {
                                  					__eflags =  *(_t159 - 0x14);
                                  					if( *(_t159 - 0x14) > 0) {
                                  						L8:
                                  						_t98 = 1;
                                  					} else {
                                  						__eflags =  *(_t159 - 0x18) - 0xffffffff;
                                  						if( *(_t159 - 0x18) <= 0xffffffff) {
                                  							_t99 =  *_t156;
                                  							_t98 =  *((intOrPtr*)( *_t99 + 0x10))(_t99,  *((intOrPtr*)(_t159 - 0x28)),  *((intOrPtr*)(_t159 - 0x24)), 1, 0);
                                  							__eflags = _t98;
                                  							if(_t98 == 0) {
                                  								 *((intOrPtr*)(_t159 - 0x30)) = 0;
                                  								 *((intOrPtr*)(_t159 - 0x2c)) = 0;
                                  								 *((intOrPtr*)(_t159 - 0x34)) = 0x41b7b4;
                                  								 *(_t159 - 4) = 0;
                                  								E00408FFB(_t159 - 0x34,  *(_t159 - 0x18));
                                  								_t101 =  *_t156;
                                  								_t102 =  *((intOrPtr*)( *_t101 + 0xc))(_t101,  *((intOrPtr*)(_t159 - 0x2c)),  *(_t159 - 0x18), _t159 + 8);
                                  								__eflags = _t102;
                                  								if(_t102 == 0) {
                                  									_t151 =  *(_t159 - 0x18);
                                  									__eflags =  *((intOrPtr*)(_t159 + 8)) - _t151;
                                  									if( *((intOrPtr*)(_t159 + 8)) == _t151) {
                                  										_t136 =  *((intOrPtr*)(_t159 - 0x2c));
                                  										_t103 = E00418290( *((intOrPtr*)(_t159 - 0x2c)), _t151);
                                  										__eflags = _t103 -  *((intOrPtr*)(_t159 - 0x10));
                                  										if(_t103 !=  *((intOrPtr*)(_t159 - 0x10))) {
                                  											E00410EFB(_t136);
                                  										}
                                  										_t48 = _t159 - 0x1c;
                                  										 *_t48 =  *(_t159 - 0x1c) & 0x00000000;
                                  										__eflags =  *_t48;
                                  										 *(_t159 - 4) = 1;
                                  										E00410E96(_t156, _t159 - 0x34);
                                  										E00407282(_t159 - 0x48, 4);
                                  										 *((intOrPtr*)(_t159 - 0x48)) = 0x41b8f0;
                                  										 *(_t159 - 4) = 2;
                                  										while(1) {
                                  											_t139 =  *((intOrPtr*)(_t156 + 0x18));
                                  											_t107 = E00410F9F( *((intOrPtr*)(_t156 + 0x18)), _t151);
                                  											__eflags = _t107 - 1;
                                  											if(_t107 != 1) {
                                  												goto L19;
                                  											}
                                  											__eflags = _t151;
                                  											if(_t151 == 0) {
                                  												_t111 = E004121DA(_t156, _t151, _t153,  *((intOrPtr*)(_t159 + 0xc)));
                                  												 *((intOrPtr*)(_t159 - 0x48)) = 0x41b8f0;
                                  												 *(_t159 - 4) = 5;
                                  												L29:
                                  												_t158 = _t111;
                                  											} else {
                                  												goto L19;
                                  											}
                                  											L31:
                                  											E00405898();
                                  											 *(_t159 - 4) = 1;
                                  											E00405858(_t159 - 0x48);
                                  											_t77 = _t159 - 4;
                                  											 *_t77 =  *(_t159 - 4) & 0x00000000;
                                  											__eflags =  *_t77;
                                  											_t102 = E00410DE8(_t159 - 0x20);
                                  											goto L32;
                                  											L19:
                                  											__eflags = _t107 - 0x17;
                                  											if(_t107 != 0x17) {
                                  												L21:
                                  												E00410EFB(_t139);
                                  											} else {
                                  												__eflags = _t151;
                                  												if(__eflags != 0) {
                                  													goto L21;
                                  												}
                                  											}
                                  											_t140 = _t156;
                                  											_t111 = E00411E4E(_t156, _t151, __eflags,  *((intOrPtr*)(_t153 + 0x88)),  *((intOrPtr*)(_t153 + 0x8c)), _t153 + 0x98, _t159 - 0x48,  *((intOrPtr*)(_t159 + 0xc))); // executed
                                  											__eflags = _t111;
                                  											if(_t111 != 0) {
                                  												 *((intOrPtr*)(_t159 - 0x48)) = 0x41b8f0;
                                  												 *(_t159 - 4) = 3;
                                  												goto L29;
                                  											} else {
                                  												__eflags =  *((intOrPtr*)(_t159 - 0x40)) - _t111;
                                  												if( *((intOrPtr*)(_t159 - 0x40)) == _t111) {
                                  													 *((intOrPtr*)(_t159 - 0x48)) = 0x41b8f0;
                                  													 *(_t159 - 4) = 4;
                                  													_t158 = 0;
                                  													__eflags = 0;
                                  												} else {
                                  													__eflags =  *((intOrPtr*)(_t159 - 0x40)) - 1;
                                  													if( *((intOrPtr*)(_t159 - 0x40)) > 1) {
                                  														E00410EFB(_t140);
                                  													}
                                  													E00410DE8(_t159 - 0x20);
                                  													E00410E96(_t156,  *((intOrPtr*)( *((intOrPtr*)(_t159 - 0x3c)))));
                                  													continue;
                                  												}
                                  											}
                                  											goto L31;
                                  										}
                                  									} else {
                                  										_t158 = 1;
                                  									}
                                  								} else {
                                  									_t158 = _t102;
                                  								}
                                  								L32:
                                  								 *((intOrPtr*)(_t159 - 0x34)) = 0x41b7b4;
                                  								E00405205(_t102,  *((intOrPtr*)(_t159 - 0x2c)));
                                  								_t98 = _t158;
                                  							}
                                  						} else {
                                  							goto L8;
                                  						}
                                  					}
                                  				} else {
                                  					_t98 = 0;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t159 - 0xc));
                                  				return _t98;
                                  			}
                                  0x00412c69
                                  0x00412c69
                                  0x00412c20
                                  0x00412c20
                                  0x00412c24
                                  0x00412c26
                                  0x00412c26
                                  0x00412c2e
                                  0x00412c3c
                                  0x00000000
                                  0x00412c3c
                                  0x00412c1e
                                  0x00000000
                                  0x00412c19
                                  0x00412b92
                                  0x00412b94
                                  0x00412b94
                                  0x00412b83
                                  0x00412b83
                                  0x00412b83
                                  0x00412c8b
                                  0x00412c8e
                                  0x00412c95
                                  0x00412c9b
                                  0x00412c9b
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00412b2c
                                  0x00412b1b
                                  0x00412b1b
                                  0x00412b1b
                                  0x00412ca3
                                  0x00412cab

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00412A86
                                    • Part of subcall function 00410EFB: _CxxThrowException.MSVCRT(?,0041EB70), ref: 00410F0E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionH_prologThrow
                                  • String ID: *0A
                                  • API String ID: 461045715-335961553
                                  • Opcode ID: 82f40fe226bbcee75cf8f4f9767c897154021d06e598dc79d5324489b42667ee
                                  • Instruction ID: cd7b04f0bca9122ce139c8bca0d83a49eed7245e0e4b0f90579a4085fe1bd2ed
                                  • Opcode Fuzzy Hash: 82f40fe226bbcee75cf8f4f9767c897154021d06e598dc79d5324489b42667ee
                                  • Instruction Fuzzy Hash: 0F717E30A00609EFCF20DFA5C581BEEBBB1BF08304F14842EE545E7241D7B8A995CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1969 40760a-40762b call 407754 SysAllocString 1972 40762d-407631 1969->1972 1973 40763f-407642 1969->1973 1972->1973 1974 407633-407638 1972->1974 1974->1973
                                  C-Code - Quality: 37%
                                  			E0040760A(short* __ecx, char _a4) {
                                  				intOrPtr _v0;
                                  				intOrPtr _t7;
                                  				short* _t10;
                                  
                                  				_t10 = __ecx;
                                  				_t7 = E00407754(__ecx);
                                  				_t1 =  &_a4; // 0x75e80a6a
                                  				 *(__ecx + 2) =  *(__ecx + 2) & 0x00000000;
                                  				 *__ecx = 8; // executed
                                  				__imp__#2( *_t1); // executed
                                  				 *((intOrPtr*)(__ecx + 8)) = _t7;
                                  				if(_t7 == 0 && _v0 != _t7) {
                                  					 *__ecx = 0xa;
                                  					 *((intOrPtr*)(__ecx + 8)) = 0x8007000e;
                                  				}
                                  				return _t10;
                                  			}







                                  APIs
                                  • SysAllocString.OLEAUT32(ju), ref: 00407620
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: AllocString
                                  • String ID: ju
                                  • API String ID: 2525500382-1661413435
                                  • Opcode ID: 8af5511eaa3c4c714c848c96c29ecbbb16c8bb4958b7a991c9b05f8a2d3f72a0
                                  • Instruction ID: 06c97605a6ef011f43595d7b378a249ccaf717c704776d511cf461feff293147
                                  • Opcode Fuzzy Hash: 8af5511eaa3c4c714c848c96c29ecbbb16c8bb4958b7a991c9b05f8a2d3f72a0
                                  • Instruction Fuzzy Hash: 61E0EC31918752DAD7306F19C455647B6F0FF40394B10CC3EE4C996260E7BAE895C79A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1975 40c4d4-40c4ed call 4182c0 call 4051de 1980 40c50f 1975->1980 1981 40c4ef-40c50d 1975->1981 1982 40c511-40c516 1980->1982 1981->1982 1983 40c518-40c51a 1982->1983 1984 40c51e-40c530 call 407d8c 1982->1984 1983->1984 1987 40c532-40c53a GetLastError 1984->1987 1988 40c53c-40c55b call 405b48 call 40c20b 1984->1988 1989 40c56b-40c571 1987->1989 1995 40c560-40c56a call 405205 1988->1995 1992 40c573-40c575 1989->1992 1993 40c579-40c588 1989->1993 1992->1993 1995->1989
                                  C-Code - Quality: 49%
                                  			E0040C4D4() {
                                  				intOrPtr* _t26;
                                  				void* _t29;
                                  				long _t30;
                                  				long _t44;
                                  				intOrPtr* _t47;
                                  				void* _t49;
                                  
                                  				E004182C0(E004199A4, _t49);
                                  				_push(0x10);
                                  				_t26 = E004051DE();
                                  				if(_t26 == 0) {
                                  					_t47 = 0;
                                  				} else {
                                  					 *((intOrPtr*)(_t26 + 4)) = 0x41b64c;
                                  					 *(_t26 + 8) =  *(_t26 + 8) & 0x00000000;
                                  					 *(_t26 + 0xc) =  *(_t26 + 0xc) | 0xffffffff;
                                  					 *_t26 = 0x41b634;
                                  					 *((intOrPtr*)(_t26 + 4)) = 0x41b624;
                                  					_t47 = _t26;
                                  				}
                                  				 *((intOrPtr*)(_t49 - 0x10)) = _t47;
                                  				if(_t47 != 0) {
                                  					 *((intOrPtr*)( *_t47 + 4))(_t47);
                                  				}
                                  				_t43 =  *((intOrPtr*)(_t49 + 0xc));
                                  				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
                                  				_t39 = _t47;
                                  				if(E00407D8C(_t47,  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0xc))))) != 0) {
                                  					_t29 = E00405B48(_t39, _t49 - 0x1c, _t43);
                                  					_push( *((intOrPtr*)(_t49 + 0x1c)));
                                  					 *(_t49 - 4) = 1;
                                  					_push( *((intOrPtr*)(_t49 + 0x18)));
                                  					_push( *((intOrPtr*)(_t49 + 0x14)));
                                  					_push( *((intOrPtr*)(_t49 + 0x10)));
                                  					_push(_t29);
                                  					_push(_t47);
                                  					_push( *((intOrPtr*)(_t49 + 8)));
                                  					_t30 = E0040C20B(); // executed
                                  					_t44 = _t30;
                                  					E00405205(_t30,  *((intOrPtr*)(_t49 - 0x1c)));
                                  				} else {
                                  					_t44 = GetLastError();
                                  				}
                                  				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                                  				if(_t47 != 0) {
                                  					 *((intOrPtr*)( *_t47 + 8))(_t47);
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
                                  				return _t44;
                                  			}










                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040C4D9
                                    • Part of subcall function 004051DE: malloc.MSVCRT ref: 004051E4
                                    • Part of subcall function 004051DE: _CxxThrowException.MSVCRT(?,0041C8F8), ref: 004051FE
                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,00000000,?,?,0000000F,00421290,?,00000000), ref: 0040C532
                                    • Part of subcall function 0040C20B: __EH_prolog.LIBCMT ref: 0040C210
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog$ErrorExceptionLastThrowfreemalloc
                                  • String ID:
                                  • API String ID: 1455235784-0
                                  • Opcode ID: 0b61db450aa8ed80a5d84bb9d0552dc6b3b56931fbcda5a4c1de008d153ee1b0
                                  • Instruction ID: 285fd8773204fd8ce4f9368b351486560d2cfe712b6a4ac759f03b4cc882c1a4
                                  • Opcode Fuzzy Hash: 0b61db450aa8ed80a5d84bb9d0552dc6b3b56931fbcda5a4c1de008d153ee1b0
                                  • Instruction Fuzzy Hash: CC21D175801110EFCB219F60C808A9FBFB0EF44760F14826AFC10A72A1C7389901DFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E0040CA75(void* __ecx, void* __edx, void* __eflags) {
                                  				void* __edi;
                                  				intOrPtr* _t22;
                                  				signed char _t24;
                                  				void* _t26;
                                  				void* _t39;
                                  				void* _t41;
                                  				void* _t45;
                                  				void* _t47;
                                  
                                  				_t39 = __edx;
                                  				E004182C0(E00419A38, _t47);
                                  				_t45 = __ecx;
                                  				_t41 = __ecx + 0x14;
                                  				E00401E63(_t41,  *((intOrPtr*)(_t47 + 8)));
                                  				_push( *((intOrPtr*)(_t47 + 0xc)));
                                  				_push(_t41);
                                  				_push(_t47 - 0x18);
                                  				_t22 = E00406F88(_t39);
                                  				_push(_t45 + 0x20);
                                  				_push( *_t22);
                                  				 *(_t47 - 4) = 0;
                                  				_t24 = E00407203(_t45 + 0x20, _t39, 0); // executed
                                  				asm("sbb bl, bl");
                                  				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
                                  				E00405205(_t24,  *((intOrPtr*)(_t47 - 0x18)));
                                  				if( ~_t24 + 1 != 0) {
                                  					_push(0x41c9b8);
                                  					_push(_t47 + 8);
                                  					 *((intOrPtr*)(_t47 + 8)) = 1;
                                  					L004182FC();
                                  				}
                                  				_t26 = E00405898();
                                  				 *(_t45 + 0x60) =  *(_t45 + 0x60) & 0x00000000;
                                  				 *((intOrPtr*)(_t45 + 0x88)) = 0;
                                  				 *((intOrPtr*)(_t45 + 0x8c)) = 0;
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
                                  				return _t26;
                                  			}












                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040CA7A
                                    • Part of subcall function 00406F88: __EH_prolog.LIBCMT ref: 00406F8D
                                    • Part of subcall function 00407203: __EH_prolog.LIBCMT ref: 00407208
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  • _CxxThrowException.MSVCRT(?,0041C9B8), ref: 0040CADB
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog$ExceptionThrowfree
                                  • String ID:
                                  • API String ID: 1371406966-0
                                  • Opcode ID: d5034872c49d00cd3ed9f22cbdf8a2000eeae9733236f70e05b3d1789acf247d
                                  • Instruction ID: e7f75e4611bb2f84d59e2f904d8c425c10361317d6cd57de005c8a9f34f2d36e
                                  • Opcode Fuzzy Hash: d5034872c49d00cd3ed9f22cbdf8a2000eeae9733236f70e05b3d1789acf247d
                                  • Instruction Fuzzy Hash: 1301E171900604AECB11EB26C441FDFBBA8FF85348F00412FF495A3291CB785609CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E004073FA(void** __ecx, long _a4, long _a8, long _a12, long* _a16) {
                                  				long _v8;
                                  				long _v12;
                                  				long _t12;
                                  				long _t13;
                                  				long* _t14;
                                  
                                  				_push(__ecx);
                                  				_push(__ecx);
                                  				_t12 = _a4;
                                  				_v8 = _a8;
                                  				_v12 = _t12;
                                  				_t13 = SetFilePointer( *__ecx, _t12,  &_v8, _a12); // executed
                                  				_v12 = _t13;
                                  				if(_t13 != 0xffffffff || GetLastError() == 0) {
                                  					_t14 = _a16;
                                  					 *_t14 = _v12;
                                  					_t14[1] = _v8;
                                  					return 1;
                                  				} else {
                                  					return 0;
                                  				}
                                  			}









                                  APIs
                                  • SetFilePointer.KERNELBASE(?,?,?,?), ref: 00407415
                                  • GetLastError.KERNEL32(?,?,?,?), ref: 00407423
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastPointer
                                  • String ID:
                                  • API String ID: 2976181284-0
                                  • Opcode ID: 3e22442caf7a7b016bcef987e1326f3569b8576d2787536326cdaf356eabcae3
                                  • Instruction ID: 2b251251a07a9e316f8e9d728f48e9b7a00f5215de2c71b12d7e239d6b85ec4e
                                  • Opcode Fuzzy Hash: 3e22442caf7a7b016bcef987e1326f3569b8576d2787536326cdaf356eabcae3
                                  • Instruction Fuzzy Hash: 9BF0D4B4904208EFCB04CF64D9448AE7FF9EF49314B2081A9F815E7391D735AE40EBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 65%
                                  			E00402665(intOrPtr* __ecx) {
                                  				char* _v8;
                                  				int _t3;
                                  				char** _t4;
                                  
                                  				_push(__ecx);
                                  				 *__ecx = 0x41b484; // executed
                                  				_t3 = SetConsoleCtrlHandler(E00402628, 0); // executed
                                  				if(_t3 == 0) {
                                  					_t4 =  &_v8;
                                  					_push(0x41c200);
                                  					_push(_t4);
                                  					_v8 = "SetConsoleCtrlHandler fails";
                                  					L004182FC();
                                  					return _t4;
                                  				}
                                  				return _t3;
                                  			}







                                  APIs
                                  • SetConsoleCtrlHandler.KERNELBASE(00402628,00000000,?,?,0040422B), ref: 00402676
                                  • _CxxThrowException.MSVCRT(?,0041C200), ref: 00402690
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ConsoleCtrlExceptionHandlerThrow
                                  • String ID:
                                  • API String ID: 4041287486-0
                                  • Opcode ID: 35e6545f48ec51e707f148a4fdde3101364494a4921bde0abb7a15ce974cf648
                                  • Instruction ID: 7c6106b357ca9253274a8e89baa1ef2d9984cd4f0ce2552f6585b02f84e33583
                                  • Opcode Fuzzy Hash: 35e6545f48ec51e707f148a4fdde3101364494a4921bde0abb7a15ce974cf648
                                  • Instruction Fuzzy Hash: 24D0A770640308FFD701DBD1AD4AF8A76ECDB0470CF6040ABA400B61C2D7F9A64487AC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E004051DE(int _a4, char _a7) {
                                  				void* _t5;
                                  				char* _t7;
                                  
                                  				_t5 = malloc(_a4); // executed
                                  				if(_t5 == 0) {
                                  					_push(0x41c8f8);
                                  					_t7 =  &_a7;
                                  					_push(_t7);
                                  					L004182FC();
                                  					return _t7;
                                  				}
                                  				return _t5;
                                  			}






                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionThrowmalloc
                                  • String ID:
                                  • API String ID: 2436765578-0
                                  • Opcode ID: 3231366bd2f069958e84db24044a3f189f2dbc9aa367fd2821093fe3f844290c
                                  • Instruction ID: dc38a72ad25f6e31971effc925cf9a62f721c946e3374edf35d1f4f08671a061
                                  • Opcode Fuzzy Hash: 3231366bd2f069958e84db24044a3f189f2dbc9aa367fd2821093fe3f844290c
                                  • Instruction Fuzzy Hash: 9DD0A73150424C7ACF016FE5DC045CA3F1CDD056A0700906BF8289F112DB34C3808B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0040F3F3(signed char __edx) {
                                  				signed int _t305;
                                  				signed char _t307;
                                  				signed int _t309;
                                  				signed char _t310;
                                  				signed char _t313;
                                  				signed char _t319;
                                  				void* _t324;
                                  				signed char _t328;
                                  				intOrPtr _t330;
                                  				intOrPtr _t336;
                                  				signed char _t338;
                                  				signed char _t341;
                                  				signed char _t342;
                                  				signed char _t352;
                                  				signed char _t353;
                                  				signed char _t354;
                                  				signed char _t358;
                                  				signed char _t363;
                                  				signed char _t364;
                                  				signed char _t365;
                                  				signed char _t371;
                                  				signed char _t372;
                                  				signed char _t375;
                                  				signed char _t376;
                                  				signed char _t382;
                                  				signed char _t383;
                                  				signed char _t389;
                                  				signed char _t391;
                                  				signed char _t392;
                                  				signed char _t396;
                                  				signed char _t404;
                                  				signed int _t412;
                                  				intOrPtr _t420;
                                  				intOrPtr _t429;
                                  				signed char _t433;
                                  				signed char _t439;
                                  				signed char _t441;
                                  				signed char _t442;
                                  				signed int _t444;
                                  				void* _t446;
                                  				intOrPtr _t447;
                                  				intOrPtr _t517;
                                  				signed char _t527;
                                  				signed int _t529;
                                  				intOrPtr* _t531;
                                  				signed int _t534;
                                  				intOrPtr _t537;
                                  				signed char _t539;
                                  				void* _t542;
                                  				signed char _t543;
                                  				signed int _t544;
                                  				intOrPtr _t545;
                                  				void* _t546;
                                  				void* _t548;
                                  
                                  				_t527 = __edx;
                                  				_t305 = E004182C0(E0041A0C0, _t546);
                                  				_t439 = 0;
                                  				 *(_t546 - 4) = 0;
                                  				 *((char*)(_t546 - 0x5c)) = _t305 & 0xffffff00 |  *(_t546 + 0x14) != 0x00000000;
                                  				_t307 =  *(_t546 + 0x18);
                                  				 *((intOrPtr*)(_t546 - 0x10)) = _t548 - 0x134;
                                  				 *(_t546 + 0x18) = _t307;
                                  				if(_t307 != 0) {
                                  					 *((intOrPtr*)( *_t307 + 4))(_t307);
                                  				}
                                  				 *(_t546 - 4) = 1;
                                  				 *(_t546 - 0x38) = _t439;
                                  				 *(_t546 - 0x34) = _t439;
                                  				 *((char*)(_t546 + 0x17)) =  *(_t546 + 0x10) == 0xffffffff;
                                  				if( *((char*)(_t546 + 0x17)) != 0) {
                                  					 *(_t546 + 0x10) =  *( *(_t546 + 8) + 0x7c);
                                  				}
                                  				if( *(_t546 + 0x10) != _t439) {
                                  					E00402463(_t546 - 0x2c);
                                  					 *((intOrPtr*)(_t546 - 0x2c)) = 0x41b820;
                                  					_t309 = 0;
                                  					__eflags = 0;
                                  					 *(_t546 - 4) = 2;
                                  					 *(_t546 - 0x30) = 0;
                                  					while(1) {
                                  						__eflags = _t309 -  *(_t546 + 0x10);
                                  						if(__eflags >= 0) {
                                  							break;
                                  						}
                                  						__eflags =  *((char*)(_t546 + 0x17));
                                  						if( *((char*)(_t546 + 0x17)) == 0) {
                                  							_t309 =  *( *(_t546 + 0xc) + _t309 * 4);
                                  						}
                                  						_t535 =  *(_t546 + 8);
                                  						 *(_t546 - 0x18) = _t309;
                                  						_t544 =  *( *((intOrPtr*)( *(_t546 + 8) + 0x110)) + _t309 * 4);
                                  						__eflags = _t544 - 0xffffffff;
                                  						if(_t544 != 0xffffffff) {
                                  							_t412 =  *(_t546 - 0x24);
                                  							__eflags = _t412 - _t439;
                                  							if(_t412 == _t439) {
                                  								L16:
                                  								 *(_t546 - 0x8c) =  *(_t546 - 0x8c) | 0xffffffff;
                                  								 *(_t546 - 0x88) = _t544;
                                  								E0040FCAA(_t546 - 0x84);
                                  								 *(_t546 - 0x6c) = _t439;
                                  								 *(_t546 - 0x68) = _t439;
                                  								_push(_t546 - 0x8c);
                                  								 *(_t546 - 4) = 5;
                                  								E0040FD1F(_t546 - 0x2c, _t527);
                                  								 *(_t546 - 4) = 2;
                                  								E00405858(_t546 - 0x84);
                                  								_t517 = E0040FB33( *((intOrPtr*)( *((intOrPtr*)(_t535 + 0x58)) + _t544 * 4)));
                                  								_t67 = _t546 - 0x38;
                                  								 *_t67 =  *(_t546 - 0x38) + _t517;
                                  								__eflags =  *_t67;
                                  								_t420 =  *((intOrPtr*)( *((intOrPtr*)(_t546 - 0x20)) +  *(_t546 - 0x24) * 4 - 4));
                                  								asm("adc [ebp-0x34], edx");
                                  								 *((intOrPtr*)(_t420 + 0x20)) = _t517;
                                  								 *(_t420 + 0x24) = _t527;
                                  								L17:
                                  								_t537 =  *((intOrPtr*)( *((intOrPtr*)(_t546 - 0x20)) +  *(_t546 - 0x24) * 4 - 4));
                                  								_t447 =  *((intOrPtr*)( *((intOrPtr*)( *(_t546 + 8) + 0xfc)) + _t544 * 4));
                                  								_t545 =  *((intOrPtr*)(_t537 + 0x10));
                                  								while(1) {
                                  									_t425 =  *(_t546 - 0x18) - _t447;
                                  									__eflags = _t545 -  *(_t546 - 0x18) - _t447;
                                  									if(_t545 >  *(_t546 - 0x18) - _t447) {
                                  										goto L13;
                                  									}
                                  									_t87 = _t537 + 8; // 0xa
                                  									E0040FCC5(_t87, _t527, _t425 & 0xffffff00 | __eflags == 0x00000000);
                                  									_t545 = _t545 + 1;
                                  								}
                                  								goto L13;
                                  							}
                                  							_t429 =  *((intOrPtr*)( *((intOrPtr*)(_t546 - 0x20)) + _t412 * 4 - 4));
                                  							__eflags = _t544 -  *((intOrPtr*)(_t429 + 4));
                                  							if(_t544 ==  *((intOrPtr*)(_t429 + 4))) {
                                  								goto L17;
                                  							}
                                  							goto L16;
                                  						} else {
                                  							_push(_t544);
                                  							_push(_t309);
                                  							_push(E0040FBC0(_t546 - 0x140, _t527));
                                  							 *(_t546 - 4) = 3;
                                  							E0040FD1F(_t546 - 0x2c, _t527);
                                  							 *(_t546 - 4) = 2;
                                  							E00405858(_t546 - 0x138);
                                  							L13:
                                  							_t309 =  *(_t546 - 0x30) + 1;
                                  							_t439 = 0;
                                  							 *(_t546 - 0x30) = _t309;
                                  							continue;
                                  						}
                                  					}
                                  					_t310 =  *(_t546 + 0x18);
                                  					 *((intOrPtr*)( *_t310 + 0xc))(_t310,  *(_t546 - 0x38),  *(_t546 - 0x34));
                                  					E0040E1E9(_t546 - 0x118, __eflags, 1);
                                  					_push(0x38);
                                  					 *(_t546 - 4) = 6;
                                  					 *(_t546 - 0x40) = _t439;
                                  					 *(_t546 - 0x3c) = _t439;
                                  					 *(_t546 - 0x48) = _t439;
                                  					 *(_t546 - 0x44) = _t439;
                                  					_t313 = E004051DE();
                                  					 *(_t546 + 0x10) = _t313;
                                  					__eflags = _t313 - _t439;
                                  					 *(_t546 - 4) = 7;
                                  					if(_t313 == _t439) {
                                  						_t539 = 0;
                                  						__eflags = 0;
                                  					} else {
                                  						_t539 = E00408B98(_t313);
                                  					}
                                  					__eflags = _t539 - _t439;
                                  					 *(_t546 - 4) = 6;
                                  					 *(_t546 - 0x34) = _t539;
                                  					 *(_t546 - 0x14) = _t539;
                                  					if(_t539 != _t439) {
                                  						 *((intOrPtr*)( *_t539 + 4))(_t539);
                                  					}
                                  					_push(_t439);
                                  					 *(_t546 - 4) = 8;
                                  					E00408C2B(_t539,  *(_t546 + 0x18));
                                  					_t529 = 0;
                                  					__eflags = 0;
                                  					 *(_t546 - 0x18) = 0;
                                  					while(1) {
                                  						__eflags = _t529 -  *(_t546 - 0x24);
                                  						if(_t529 >=  *(_t546 - 0x24)) {
                                  							break;
                                  						}
                                  						 *(_t539 + 0x28) =  *(_t546 - 0x48);
                                  						 *(_t539 + 0x2c) =  *(_t546 - 0x44);
                                  						 *(_t539 + 0x20) =  *(_t546 - 0x40);
                                  						 *(_t539 + 0x24) =  *(_t546 - 0x3c);
                                  						_t324 = E00408D07(_t539);
                                  						__eflags = _t324 - _t439;
                                  						if(_t324 == _t439) {
                                  							_push(0x38);
                                  							 *(_t546 - 0x50) = _t439;
                                  							 *(_t546 - 0x4c) = _t439;
                                  							_t531 =  *((intOrPtr*)( *((intOrPtr*)(_t546 - 0x20)) + _t529 * 4));
                                  							 *((intOrPtr*)(_t546 - 0x58)) =  *((intOrPtr*)(_t531 + 0x20));
                                  							 *((intOrPtr*)(_t546 - 0x54)) =  *((intOrPtr*)(_t531 + 0x24));
                                  							_t328 = E004051DE();
                                  							 *(_t546 + 0xc) = _t328;
                                  							__eflags = _t328 - _t439;
                                  							 *(_t546 - 4) = 0xa;
                                  							if(_t328 == _t439) {
                                  								_t441 = 0;
                                  								__eflags = 0;
                                  							} else {
                                  								_t441 = E0040FE9A(_t328);
                                  							}
                                  							__eflags = _t441;
                                  							 *(_t546 + 0xc) = _t441;
                                  							 *(_t546 - 4) = 8;
                                  							 *(_t546 + 0x10) = _t441;
                                  							if(_t441 != 0) {
                                  								 *((intOrPtr*)( *_t441 + 4))(_t441);
                                  							}
                                  							 *(_t546 - 4) = 0xb;
                                  							_t542 =  *(_t546 + 8) + 0x10;
                                  							_t330 =  *_t531;
                                  							__eflags = _t330 - 0xffffffff;
                                  							if(_t330 == 0xffffffff) {
                                  								_t330 =  *((intOrPtr*)( *((intOrPtr*)(_t542 + 0xec)) +  *(_t531 + 4) * 4));
                                  							}
                                  							__eflags =  *( *(_t546 + 8) + 0x118);
                                  							_t442 = E0040FF72(_t441, _t542, 0, _t330, _t531 + 8,  *(_t546 + 0x18),  *((intOrPtr*)(_t546 - 0x5c)),  *(_t546 + 8) & 0xffffff00 |  *( *(_t546 + 8) + 0x118) != 0x00000000);
                                  							__eflags = _t442;
                                  							if(_t442 == 0) {
                                  								__eflags =  *_t531 - 0xffffffff;
                                  								if( *_t531 == 0xffffffff) {
                                  									_t444 =  *(_t531 + 4) << 2;
                                  									 *(_t546 - 0x30) =  *( *((intOrPtr*)(_t542 + 0x48)) + _t444);
                                  									 *(_t546 - 0x50) = E0040FB7F(_t542,  *(_t531 + 4));
                                  									 *(_t546 - 0x4c) = _t527;
                                  									_t336 =  *((intOrPtr*)(_t542 + 0xc4));
                                  									_t534 =  *( *((intOrPtr*)(_t542 + 0xd8)) + _t444) << 3;
                                  									_t446 =  *((intOrPtr*)(_t336 + _t534)) +  *((intOrPtr*)(_t542 + 0x90));
                                  									asm("adc eax, [esi+0x94]");
                                  									 *(_t546 + 0x14) =  *(_t546 + 0x14) & 0x00000000;
                                  									 *((intOrPtr*)(_t546 - 0x60)) =  *((intOrPtr*)(_t336 + _t534 + 4));
                                  									_t338 =  *(_t546 + 0x18);
                                  									 *(_t546 - 4) = 0xd;
                                  									__eflags = _t338;
                                  									if(__eflags != 0) {
                                  										_t527 = _t546 + 0x14;
                                  										 *((intOrPtr*)( *_t338))(_t338, 0x41b368, _t527);
                                  									}
                                  									 *(_t546 - 4) = 0xe;
                                  									_t341 = E0040E298(_t546 - 0x118, _t527, __eflags,  *((intOrPtr*)( *(_t546 + 8) + 8)), _t446,  *((intOrPtr*)(_t546 - 0x60)),  *((intOrPtr*)(_t542 + 0xc)) + _t534,  *(_t546 - 0x30),  *(_t546 + 0x10),  *(_t546 - 0x14),  *(_t546 + 0x14)); // executed
                                  									_t543 = _t341;
                                  									__eflags = _t543 - 1;
                                  									if(_t543 != 1) {
                                  										__eflags = _t543 - 0x80004001;
                                  										if(_t543 != 0x80004001) {
                                  											__eflags = _t543;
                                  											if(_t543 == 0) {
                                  												_t342 = E0041029B( *(_t546 + 0xc));
                                  												__eflags = _t342;
                                  												if(_t342 == 0) {
                                  													 *(_t546 - 4) = 0xb;
                                  													E0040CD67(_t546 + 0x14);
                                  													 *(_t546 - 4) = 8;
                                  													E0040CD67(_t546 + 0x10);
                                  													goto L98;
                                  												}
                                  												_t543 = E0041024E( *(_t546 + 0xc), _t546, 2);
                                  												 *(_t546 - 4) = 0xb;
                                  												__eflags = _t543;
                                  												if(_t543 == 0) {
                                  													E0040CD67(_t546 + 0x14);
                                  													 *(_t546 - 4) = 8;
                                  													E0040CD67(_t546 + 0x10);
                                  													goto L95;
                                  												}
                                  												_t352 =  *(_t546 + 0x14);
                                  												__eflags = _t352;
                                  												if(_t352 != 0) {
                                  													 *((intOrPtr*)( *_t352 + 8))(_t352);
                                  												}
                                  												_t353 =  *(_t546 + 0x10);
                                  												 *(_t546 - 4) = 8;
                                  												__eflags = _t353;
                                  												if(_t353 != 0) {
                                  													 *((intOrPtr*)( *_t353 + 8))(_t353);
                                  												}
                                  												_t354 =  *(_t546 - 0x14);
                                  												 *(_t546 - 4) = 6;
                                  												__eflags = _t354;
                                  												if(__eflags != 0) {
                                  													 *((intOrPtr*)( *_t354 + 8))(_t354);
                                  												}
                                  												 *(_t546 - 4) = 2;
                                  												E0040FC32(_t546 - 0x118, __eflags);
                                  												 *((intOrPtr*)(_t546 - 0x2c)) = 0x41b820;
                                  												 *(_t546 - 4) = 0x12;
                                  												goto L90;
                                  											}
                                  											_t363 =  *(_t546 + 0x14);
                                  											 *(_t546 - 4) = 0xb;
                                  											__eflags = _t363;
                                  											if(_t363 != 0) {
                                  												 *((intOrPtr*)( *_t363 + 8))(_t363);
                                  											}
                                  											_t364 =  *(_t546 + 0x10);
                                  											 *(_t546 - 4) = 8;
                                  											__eflags = _t364;
                                  											if(_t364 != 0) {
                                  												 *((intOrPtr*)( *_t364 + 8))(_t364);
                                  											}
                                  											_t365 =  *(_t546 - 0x14);
                                  											 *(_t546 - 4) = 6;
                                  											__eflags = _t365;
                                  											if(__eflags != 0) {
                                  												 *((intOrPtr*)( *_t365 + 8))(_t365);
                                  											}
                                  											 *(_t546 - 4) = 2;
                                  											E0040FC32(_t546 - 0x118, __eflags);
                                  											 *((intOrPtr*)(_t546 - 0x2c)) = 0x41b820;
                                  											 *(_t546 - 4) = 0x11;
                                  											goto L90;
                                  										}
                                  										_t543 = E0041024E( *(_t546 + 0xc), _t546, 1);
                                  										_t371 =  *(_t546 + 0x14);
                                  										__eflags = _t543;
                                  										 *(_t546 - 4) = 0xb;
                                  										if(_t543 == 0) {
                                  											goto L69;
                                  										}
                                  										__eflags = _t371;
                                  										if(_t371 != 0) {
                                  											 *((intOrPtr*)( *_t371 + 8))(_t371);
                                  										}
                                  										_t375 =  *(_t546 + 0x10);
                                  										 *(_t546 - 4) = 8;
                                  										__eflags = _t375;
                                  										if(_t375 != 0) {
                                  											 *((intOrPtr*)( *_t375 + 8))(_t375);
                                  										}
                                  										_t376 =  *(_t546 - 0x14);
                                  										 *(_t546 - 4) = 6;
                                  										__eflags = _t376;
                                  										if(__eflags != 0) {
                                  											 *((intOrPtr*)( *_t376 + 8))(_t376);
                                  										}
                                  										 *(_t546 - 4) = 2;
                                  										E0040FC32(_t546 - 0x118, __eflags);
                                  										 *((intOrPtr*)(_t546 - 0x2c)) = 0x41b820;
                                  										 *(_t546 - 4) = 0x10;
                                  										goto L90;
                                  									} else {
                                  										_t543 = E0041024E( *(_t546 + 0xc), _t546, 2);
                                  										_t371 =  *(_t546 + 0x14);
                                  										__eflags = _t543;
                                  										 *(_t546 - 4) = 0xb;
                                  										if(_t543 == 0) {
                                  											L69:
                                  											__eflags = _t371;
                                  											if(_t371 != 0) {
                                  												 *((intOrPtr*)( *_t371 + 8))(_t371);
                                  											}
                                  											_t372 =  *(_t546 + 0x10);
                                  											 *(_t546 - 4) = 8;
                                  											__eflags = _t372;
                                  											if(_t372 != 0) {
                                  												 *((intOrPtr*)( *_t372 + 8))(_t372);
                                  											}
                                  											L95:
                                  											 *(_t546 - 4) = 8;
                                  											L98:
                                  											 *(_t546 - 0x18) =  *(_t546 - 0x18) + 1;
                                  											 *(_t546 - 0x48) =  *(_t546 - 0x48) +  *((intOrPtr*)(_t546 - 0x58));
                                  											_t539 =  *(_t546 - 0x34);
                                  											_t529 =  *(_t546 - 0x18);
                                  											asm("adc [ebp-0x44], eax");
                                  											 *(_t546 - 0x40) =  *(_t546 - 0x40) +  *(_t546 - 0x50);
                                  											asm("adc [ebp-0x3c], eax");
                                  											_t439 = 0;
                                  											continue;
                                  										}
                                  										__eflags = _t371;
                                  										if(_t371 != 0) {
                                  											 *((intOrPtr*)( *_t371 + 8))(_t371);
                                  										}
                                  										_t382 =  *(_t546 + 0x10);
                                  										 *(_t546 - 4) = 8;
                                  										__eflags = _t382;
                                  										if(_t382 != 0) {
                                  											 *((intOrPtr*)( *_t382 + 8))(_t382);
                                  										}
                                  										_t383 =  *(_t546 - 0x14);
                                  										 *(_t546 - 4) = 6;
                                  										__eflags = _t383;
                                  										if(__eflags != 0) {
                                  											 *((intOrPtr*)( *_t383 + 8))(_t383);
                                  										}
                                  										 *(_t546 - 4) = 2;
                                  										E0040FC32(_t546 - 0x118, __eflags);
                                  										 *((intOrPtr*)(_t546 - 0x2c)) = 0x41b820;
                                  										 *(_t546 - 4) = 0xf;
                                  										L90:
                                  										E00405898();
                                  										 *(_t546 - 4) = 1;
                                  										E00405858(_t546 - 0x2c);
                                  										_t358 =  *(_t546 + 0x18);
                                  										 *(_t546 - 4) =  *(_t546 - 4) & 0x00000000;
                                  										__eflags = _t358;
                                  										L91:
                                  										if(__eflags != 0) {
                                  											 *((intOrPtr*)( *_t358 + 8))(_t358);
                                  										}
                                  										_t319 = _t543;
                                  										goto L101;
                                  									}
                                  								}
                                  								_t389 =  *(_t546 + 0x10);
                                  								 *(_t546 - 4) = 8;
                                  								__eflags = _t389;
                                  								if(_t389 != 0) {
                                  									 *((intOrPtr*)( *_t389 + 8))(_t389);
                                  								}
                                  								goto L98;
                                  							} else {
                                  								_t391 =  *(_t546 + 0x10);
                                  								 *(_t546 - 4) = 8;
                                  								__eflags = _t391;
                                  								if(_t391 != 0) {
                                  									 *((intOrPtr*)( *_t391 + 8))(_t391);
                                  								}
                                  								_t392 =  *(_t546 - 0x14);
                                  								 *(_t546 - 4) = 6;
                                  								__eflags = _t392;
                                  								if(__eflags != 0) {
                                  									 *((intOrPtr*)( *_t392 + 8))(_t392);
                                  								}
                                  								 *(_t546 - 4) = 2;
                                  								E0040FC32(_t546 - 0x118, __eflags);
                                  								 *((intOrPtr*)(_t546 - 0x2c)) = 0x41b820;
                                  								 *(_t546 - 4) = 0xc;
                                  								E00405898();
                                  								 *(_t546 - 4) = 1;
                                  								E00405858(_t546 - 0x2c);
                                  								_t396 =  *(_t546 + 0x18);
                                  								 *(_t546 - 4) =  *(_t546 - 4) & 0x00000000;
                                  								__eflags = _t396;
                                  								if(_t396 != 0) {
                                  									 *((intOrPtr*)( *_t396 + 8))(_t396);
                                  								}
                                  								_t319 = _t442;
                                  								goto L101;
                                  							}
                                  						}
                                  						_t404 =  *(_t546 - 0x14);
                                  						 *(_t546 - 4) = 6;
                                  						__eflags = _t404 - _t439;
                                  						if(__eflags != 0) {
                                  							 *((intOrPtr*)( *_t404 + 8))(_t404);
                                  						}
                                  						 *(_t546 - 4) = 2;
                                  						E0040FC32(_t546 - 0x118, __eflags);
                                  						 *((intOrPtr*)(_t546 - 0x2c)) = 0x41b820;
                                  						 *(_t546 - 4) = 9;
                                  						E00405898();
                                  						 *(_t546 - 4) = 1;
                                  						E00405858(_t546 - 0x2c);
                                  						_t358 =  *(_t546 + 0x18);
                                  						 *(_t546 - 4) =  *(_t546 - 4) & 0x00000000;
                                  						__eflags = _t358 - _t439;
                                  						goto L91;
                                  					}
                                  					 *(_t546 - 4) = 6;
                                  					E0040CD67(_t546 - 0x14);
                                  					 *(_t546 - 4) = 2;
                                  					E0040FC32(_t546 - 0x118, __eflags); // executed
                                  					 *(_t546 - 4) = 1;
                                  					E0040FCE7(_t546 - 0x2c);
                                  					_t300 = _t546 - 4;
                                  					 *_t300 =  *(_t546 - 4) & 0x00000000;
                                  					__eflags =  *_t300;
                                  					E0040CD67(_t546 + 0x18);
                                  					goto L100;
                                  				} else {
                                  					_t433 =  *(_t546 + 0x18);
                                  					 *(_t546 - 4) =  *(_t546 - 4) & 0x00000000;
                                  					if(_t433 != _t439) {
                                  						 *((intOrPtr*)( *_t433 + 8))(_t433);
                                  					}
                                  					L100:
                                  					_t319 = 0;
                                  					L101:
                                  					 *[fs:0x0] =  *((intOrPtr*)(_t546 - 0xc));
                                  					return _t319;
                                  				}
                                  			}


























































                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: fc3c5e853fa150d8dd0dcc825e549b8563742216a277d13321a711c4ca7a5728
                                  • Instruction ID: 70013f1d368e743815822e784fa38cd3b7a421b3aa8c7b3b0c6337e5eb558727
                                  • Opcode Fuzzy Hash: fc3c5e853fa150d8dd0dcc825e549b8563742216a277d13321a711c4ca7a5728
                                  • Instruction Fuzzy Hash: 36322C70904249DFDB20DFA8C584BDEBBB4AF19304F1484BEE845A7781CB789E49CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 94%
                                  			E0040C20B() {
                                  				signed int _t115;
                                  				signed int _t119;
                                  				intOrPtr* _t120;
                                  				signed int _t123;
                                  				signed int _t127;
                                  				signed int _t128;
                                  				signed int _t129;
                                  				signed int _t135;
                                  				void* _t138;
                                  				signed int _t141;
                                  				void* _t150;
                                  				signed int _t155;
                                  				signed int _t164;
                                  				signed int _t166;
                                  				void* _t169;
                                  				void* _t170;
                                  				intOrPtr* _t177;
                                  				intOrPtr _t191;
                                  				intOrPtr _t210;
                                  				signed int _t212;
                                  				signed int* _t214;
                                  				signed int _t216;
                                  				signed int _t217;
                                  				intOrPtr _t219;
                                  				void* _t221;
                                  
                                  				E004182C0(E00419988, _t221);
                                  				 *( *(_t221 + 0x14)) = 0;
                                  				 *((intOrPtr*)(_t221 - 0x20)) = 0;
                                  				 *((intOrPtr*)(_t221 - 0x1c)) = 0;
                                  				 *((intOrPtr*)(_t221 - 0x18)) = 0;
                                  				E0040247E(_t221 - 0x20, 0xf);
                                  				_t177 =  *((intOrPtr*)(_t221 + 0x10));
                                  				 *((intOrPtr*)(_t221 - 4)) = 0;
                                  				_t115 =  *(_t177 + 4);
                                  				if(_t115 == 0) {
                                  					L9:
                                  					E00407282(_t221 - 0x58, 4);
                                  					 *((intOrPtr*)(_t221 - 0x58)) = 0x41b6e8;
                                  					_t216 =  *(_t221 + 8);
                                  					_t212 = 0;
                                  					 *((char*)(_t221 - 4)) = 2;
                                  					 *(_t221 - 0x10) = 0;
                                  					__eflags =  *(_t216 + 0x10);
                                  					if( *(_t216 + 0x10) <= 0) {
                                  						L14:
                                  						__eflags =  *(_t221 - 0x50);
                                  						 *(_t221 - 0x14) = 0;
                                  						 *(_t221 - 0x10) = 0;
                                  						if( *(_t221 - 0x50) <= 0) {
                                  							L25:
                                  							_t217 = 1;
                                  							L26:
                                  							 *((char*)(_t221 - 4)) = 0;
                                  							E00405205(E00405858(_t221 - 0x58),  *((intOrPtr*)(_t221 - 0x20)));
                                  							_t119 = _t217;
                                  							L27:
                                  							 *[fs:0x0] =  *((intOrPtr*)(_t221 - 0xc));
                                  							return _t119;
                                  						}
                                  						_t214 =  *(_t221 + 0x18);
                                  						do {
                                  							_t120 =  *((intOrPtr*)(_t221 + 0xc));
                                  							 *((intOrPtr*)( *_t120 + 0x10))(_t120, 0, 0, 0, 0);
                                  							 *(_t221 + 8) = 0;
                                  							 *((char*)(_t221 - 4)) = 3;
                                  							_t123 =  *( *((intOrPtr*)(_t221 - 0x4c)) +  *(_t221 - 0x10) * 4);
                                  							 *_t214 = _t123;
                                  							E00408D12(_t221 + 8,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x14)) + _t123 * 4)) + 4))());
                                  							_t127 =  *(_t221 + 8);
                                  							__eflags = _t127;
                                  							if(_t127 != 0) {
                                  								_t128 =  *((intOrPtr*)( *_t127 + 0xc))(_t127,  *((intOrPtr*)(_t221 + 0xc)), 0x41b6e0,  *((intOrPtr*)(_t221 + 0x20)));
                                  								__eflags = _t128 - 1;
                                  								if(_t128 == 1) {
                                  									L21:
                                  									_t129 =  *(_t221 + 8);
                                  									 *((char*)(_t221 - 4)) = 2;
                                  									__eflags = _t129;
                                  									if(_t129 != 0) {
                                  										 *((intOrPtr*)( *_t129 + 8))(_t129);
                                  									}
                                  									goto L23;
                                  								}
                                  								__eflags = _t128;
                                  								if(_t128 == 0) {
                                  									 *(_t221 + 8) = 0;
                                  									 *( *(_t221 + 0x14)) =  *(_t221 + 8);
                                  									_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x14)) +  *_t214 * 4));
                                  									__eflags =  *(_t219 + 0x20);
                                  									if( *(_t219 + 0x20) != 0) {
                                  										_t135 = E0040C4A0(_t219, _t221 - 0x20);
                                  										__eflags = _t135;
                                  										if(_t135 < 0) {
                                  											_t135 = 0;
                                  											__eflags = 0;
                                  										}
                                  										_t191 =  *((intOrPtr*)(_t219 + 0x24));
                                  										_t99 =  *((intOrPtr*)(_t191 + _t135 * 4)) + 0xc; // 0xc
                                  										_push( *((intOrPtr*)(_t191 + _t135 * 4)));
                                  										_push( *((intOrPtr*)(_t221 + 0x10)));
                                  										_push(_t221 - 0x44);
                                  										_t138 = E0040AA96();
                                  										 *((char*)(_t221 - 4)) = 7;
                                  										E00405205(E00401E63( *((intOrPtr*)(_t221 + 0x1c)), _t138),  *((intOrPtr*)(_t221 - 0x44)));
                                  									} else {
                                  										E00401DBF(_t221 - 0x38, 0x42126c);
                                  										 *((char*)(_t221 - 4)) = 4;
                                  										E00401DBF(_t221 - 0x2c, 0x42126c);
                                  										 *((char*)(_t221 - 4)) = 5;
                                  										_push(_t221 - 0x38);
                                  										_push(_t221 - 0x2c);
                                  										_push( *((intOrPtr*)(_t221 + 0x10)));
                                  										_push(_t221 - 0x44);
                                  										_t150 = E0040AA96();
                                  										 *((char*)(_t221 - 4)) = 6;
                                  										E00405205(E00405205(E00405205(E00401E63( *((intOrPtr*)(_t221 + 0x1c)), _t150),  *((intOrPtr*)(_t221 - 0x44))),  *((intOrPtr*)(_t221 - 0x2c))),  *((intOrPtr*)(_t221 - 0x38)));
                                  									}
                                  									_t141 =  *(_t221 + 8);
                                  									 *((char*)(_t221 - 4)) = 2;
                                  									__eflags = _t141;
                                  									if(_t141 != 0) {
                                  										 *((intOrPtr*)( *_t141 + 8))(_t141);
                                  									}
                                  									 *((char*)(_t221 - 4)) = 0;
                                  									E00405205(E00405858(_t221 - 0x58),  *((intOrPtr*)(_t221 - 0x20)));
                                  									_t119 = 0;
                                  									goto L27;
                                  								}
                                  								__eflags = _t128 - 0x80004004;
                                  								 *(_t221 - 0x14) = _t128;
                                  								if(_t128 == 0x80004004) {
                                  									_t155 =  *(_t221 + 8);
                                  									 *((char*)(_t221 - 4)) = 2;
                                  									__eflags = _t155;
                                  									if(_t155 != 0) {
                                  										 *((intOrPtr*)( *_t155 + 8))(_t155);
                                  									}
                                  									break;
                                  								}
                                  								goto L21;
                                  							}
                                  							 *((char*)(_t221 - 4)) = 2;
                                  							L23:
                                  							 *(_t221 - 0x10) =  *(_t221 - 0x10) + 1;
                                  							__eflags =  *(_t221 - 0x10) -  *(_t221 - 0x50);
                                  						} while ( *(_t221 - 0x10) <  *(_t221 - 0x50));
                                  						_t217 =  *(_t221 - 0x14);
                                  						__eflags = _t217;
                                  						if(_t217 != 0) {
                                  							goto L26;
                                  						}
                                  						goto L25;
                                  					} else {
                                  						goto L10;
                                  					}
                                  					do {
                                  						L10:
                                  						__eflags = E0040C4A0( *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x14)) + _t212 * 4)), _t221 - 0x20);
                                  						if(__eflags < 0) {
                                  							E0040DCD2(_t221 - 0x58, _t210, _t212);
                                  						} else {
                                  							 *(_t221 - 0x10) =  *(_t221 - 0x10) + 1;
                                  							 *(_t221 + 8) =  *(_t221 - 0x10) << 2;
                                  							E004059C4(_t221 - 0x58, __eflags,  *(_t221 - 0x10));
                                  							 *( *(_t221 + 8) +  *((intOrPtr*)(_t221 - 0x4c))) = _t212;
                                  						}
                                  						_t212 = _t212 + 1;
                                  						__eflags = _t212 -  *(_t216 + 0x10);
                                  					} while (_t212 <  *(_t216 + 0x10));
                                  					goto L14;
                                  				} else {
                                  					_t210 =  *_t177;
                                  					_t164 = _t210 + _t115 * 2 - 2;
                                  					while( *_t164 != 0x2e) {
                                  						if(_t164 == _t210) {
                                  							_t166 = _t164 | 0xffffffff;
                                  							__eflags = _t166;
                                  							L7:
                                  							__eflags = _t166;
                                  							if(_t166 >= 0) {
                                  								__eflags = _t166 + 1;
                                  								_t169 = E00404E1A(_t177, _t221 - 0x38, _t166 + 1);
                                  								 *((char*)(_t221 - 4)) = 1;
                                  								_t170 = E00401E63(_t221 - 0x20, _t169);
                                  								 *((char*)(_t221 - 4)) = 0;
                                  								E00405205(_t170,  *((intOrPtr*)(_t221 - 0x38)));
                                  							}
                                  							goto L9;
                                  						} else {
                                  							_t164 = _t164;
                                  							continue;
                                  						}
                                  					}
                                  					_t166 = _t164 - _t210 >> 1;
                                  					goto L7;
                                  				}
                                  			}





























                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: fcfe8dd33a06a4e9d8f4e7a7fddfaea7d2e0626a8c219c3292687359c1ed5bf3
                                  • Instruction ID: 34c8c0f4eddd8557cf2989ebeaf78d02abf78edc58a5ca364ade629c4c6cdd4e
                                  • Opcode Fuzzy Hash: fcfe8dd33a06a4e9d8f4e7a7fddfaea7d2e0626a8c219c3292687359c1ed5bf3
                                  • Instruction Fuzzy Hash: 4D915C71900249EFCF10DFA5C8C49AEBBB5FF48304F24856EE815BB291D738AA45CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			E0040CB6B(void* __edx) {
                                  				intOrPtr* _t74;
                                  				intOrPtr _t75;
                                  				intOrPtr* _t89;
                                  				void* _t94;
                                  				intOrPtr* _t96;
                                  				intOrPtr* _t100;
                                  				void* _t107;
                                  				intOrPtr* _t116;
                                  				void* _t135;
                                  				intOrPtr* _t137;
                                  				intOrPtr* _t138;
                                  				signed int _t139;
                                  				intOrPtr* _t142;
                                  				void* _t144;
                                  
                                  				_t135 = __edx;
                                  				E004182C0(E00419AB2, _t144);
                                  				_t74 =  *((intOrPtr*)(_t144 + 0x24));
                                  				 *_t74 = 0;
                                  				_push(0x90);
                                  				 *((intOrPtr*)(_t74 + 4)) = 0;
                                  				_t75 = E004051DE();
                                  				 *((intOrPtr*)(_t144 - 0x14)) = _t75;
                                  				 *(_t144 - 4) = 0;
                                  				if(_t75 == 0) {
                                  					_t142 = 0;
                                  					__eflags = 0;
                                  				} else {
                                  					_t116 = E0040C8E9(_t75); // executed
                                  					_t142 = _t116;
                                  				}
                                  				 *(_t144 - 4) =  *(_t144 - 4) | 0xffffffff;
                                  				_t152 = _t142;
                                  				 *((intOrPtr*)(_t144 - 0x14)) = _t142;
                                  				if(_t142 != 0) {
                                  					 *((intOrPtr*)( *_t142 + 4))(_t142);
                                  				}
                                  				 *((intOrPtr*)(_t142 + 0x84)) =  *((intOrPtr*)(_t144 + 0x28));
                                  				 *(_t144 - 4) = 1;
                                  				 *((intOrPtr*)(_t144 - 0x28)) = 0;
                                  				 *((intOrPtr*)(_t144 - 0x24)) = 0;
                                  				 *((intOrPtr*)(_t144 - 0x20)) = 0;
                                  				E0040247E(_t144 - 0x28, 0xf);
                                  				_t137 =  *((intOrPtr*)(_t144 + 0xc));
                                  				_push(_t144 - 0x10);
                                  				_push(_t144 - 0x28);
                                  				_push( *_t137);
                                  				 *(_t144 - 4) = 2;
                                  				E00406CCC();
                                  				E00404E3B(_t144 - 0x28, _t144 - 0x34,  *((intOrPtr*)(_t144 - 0x10)));
                                  				 *(_t144 - 4) = 3;
                                  				E00404E1A(_t144 - 0x28, _t144 - 0x40,  *((intOrPtr*)(_t144 - 0x10)));
                                  				 *(_t144 - 4) = 4;
                                  				E0040CA75(_t142, _t135, _t152, _t144 - 0x34, _t144 - 0x40); // executed
                                  				_push(_t142);
                                  				_push( *((intOrPtr*)(_t144 + 0x1c)));
                                  				_push( *((intOrPtr*)(_t144 + 0x18)));
                                  				_push(_t144 - 0x18);
                                  				_push(_t144 - 0x1c);
                                  				_push( *((intOrPtr*)(_t144 + 0x14)));
                                  				_push( *((intOrPtr*)(_t144 + 0x10)));
                                  				_push(_t137);
                                  				_push( *((intOrPtr*)(_t144 + 8)));
                                  				_t89 = E0040C58B(); // executed
                                  				_t138 = _t89;
                                  				if(_t138 == 0) {
                                  					_push(_t144 - 0x40);
                                  					_push(_t144 - 0x34);
                                  					_push(_t144 - 0x4c);
                                  					_push(E00406F88(_t135));
                                  					 *(_t144 - 4) = 5;
                                  					_t94 = E00401CFC( *((intOrPtr*)(_t144 + 0x20)), _t135);
                                  					 *(_t144 - 4) = 4;
                                  					E00405205(_t94,  *((intOrPtr*)(_t144 - 0x4c)));
                                  					_t139 = 0;
                                  					__eflags =  *((intOrPtr*)(_t142 + 0x78));
                                  					if( *((intOrPtr*)(_t142 + 0x78)) > 0) {
                                  						do {
                                  							_push( *((intOrPtr*)( *((intOrPtr*)(_t142 + 0x7c)) + _t139 * 4)));
                                  							_push(_t144 - 0x34);
                                  							_push(_t144 - 0x4c);
                                  							_push(E00406F88(_t135));
                                  							 *(_t144 - 4) = 6;
                                  							_t107 = E00401CFC( *((intOrPtr*)(_t144 + 0x20)), _t135);
                                  							 *(_t144 - 4) = 4;
                                  							E00405205(_t107,  *((intOrPtr*)(_t144 - 0x4c)));
                                  							_t139 = _t139 + 1;
                                  							__eflags = _t139 -  *((intOrPtr*)(_t142 + 0x78));
                                  						} while (_t139 <  *((intOrPtr*)(_t142 + 0x78)));
                                  					}
                                  					_t96 =  *((intOrPtr*)(_t144 + 0x24));
                                  					 *_t96 =  *((intOrPtr*)(_t142 + 0x88));
                                  					 *((intOrPtr*)(_t96 + 4)) =  *((intOrPtr*)(_t142 + 0x8c));
                                  					E00405205(E00405205(E00405205(_t96,  *((intOrPtr*)(_t144 - 0x40))),  *((intOrPtr*)(_t144 - 0x34))),  *((intOrPtr*)(_t144 - 0x28)));
                                  					 *(_t144 - 4) =  *(_t144 - 4) | 0xffffffff;
                                  					__eflags = _t142;
                                  					if(_t142 != 0) {
                                  						 *((intOrPtr*)( *_t142 + 8))(_t142);
                                  					}
                                  					_t100 = 0;
                                  					__eflags = 0;
                                  				} else {
                                  					E00405205(E00405205(E00405205(_t89,  *((intOrPtr*)(_t144 - 0x40))),  *((intOrPtr*)(_t144 - 0x34))),  *((intOrPtr*)(_t144 - 0x28)));
                                  					 *(_t144 - 4) =  *(_t144 - 4) | 0xffffffff;
                                  					if(_t142 != 0) {
                                  						 *((intOrPtr*)( *_t142 + 8))(_t142);
                                  					}
                                  					_t100 = _t138;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t144 - 0xc));
                                  				return _t100;
                                  			}


















                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040CB70
                                    • Part of subcall function 004051DE: malloc.MSVCRT ref: 004051E4
                                    • Part of subcall function 004051DE: _CxxThrowException.MSVCRT(?,0041C8F8), ref: 004051FE
                                    • Part of subcall function 0040C8E9: __EH_prolog.LIBCMT ref: 0040C8EE
                                    • Part of subcall function 00406F88: __EH_prolog.LIBCMT ref: 00406F8D
                                    • Part of subcall function 00401CFC: __EH_prolog.LIBCMT ref: 00401D01
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog$ExceptionThrowfreemalloc
                                  • String ID:
                                  • API String ID: 2423332413-0
                                  • Opcode ID: 76844eaf267596c194a9e6911aa847b34f27502004ec9db9c0fad6393f7ab807
                                  • Instruction ID: 0eb5e3a5701fc9070a8efe3f40e92e61e0ff5e6ef19bda8cc2e419561c656c07
                                  • Opcode Fuzzy Hash: 76844eaf267596c194a9e6911aa847b34f27502004ec9db9c0fad6393f7ab807
                                  • Instruction Fuzzy Hash: 3D516872901109EFCB01EFA4C885ADEBBB9FF08314F14426EF516B3291DB389A058F64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00410803() {
                                  				intOrPtr _t56;
                                  				intOrPtr* _t57;
                                  				intOrPtr* _t63;
                                  				intOrPtr _t64;
                                  				intOrPtr* _t69;
                                  				intOrPtr* _t74;
                                  				void* _t82;
                                  				intOrPtr* _t83;
                                  				void* _t100;
                                  				void* _t104;
                                  				intOrPtr* _t105;
                                  				void* _t107;
                                  				void* _t109;
                                  
                                  				E004182C0(E0041A2A0, _t107);
                                  				_t83 =  *((intOrPtr*)(_t107 + 8));
                                  				 *((intOrPtr*)(_t107 - 0x10)) = _t109 - 0x50;
                                  				 *((intOrPtr*)(_t107 - 4)) = 0;
                                  				 *((intOrPtr*)( *_t83 + 0x10))(_t83, _t100, _t104, _t82);
                                  				_t105 =  *((intOrPtr*)(_t107 + 0x14));
                                  				 *((char*)(_t107 - 4)) = 1;
                                  				 *((intOrPtr*)(_t107 - 0x14)) = _t105;
                                  				if(_t105 != 0) {
                                  					 *((intOrPtr*)( *_t105 + 4))(_t105);
                                  				}
                                  				 *((intOrPtr*)(_t107 + 0x14)) = 0;
                                  				_t113 = _t105;
                                  				 *((char*)(_t107 - 4)) = 3;
                                  				if(_t105 != 0) {
                                  					 *((intOrPtr*)( *_t105))(_t105, 0x41b368, _t107 + 0x14);
                                  				}
                                  				 *((intOrPtr*)(_t107 - 0x5c)) = 0;
                                  				 *((char*)(_t107 - 4)) = 4;
                                  				E00402463(_t107 - 0x58);
                                  				 *((intOrPtr*)(_t107 - 0x58)) = 0x41b8c8;
                                  				_push( *((intOrPtr*)(_t107 + 0x10)));
                                  				 *((char*)(_t107 - 4)) = 5;
                                  				_t56 = E0041132A(_t107 - 0x5c, _t107, _t113,  *((intOrPtr*)(_t107 + 0xc)));
                                  				_t114 = _t56;
                                  				 *((intOrPtr*)(_t107 + 0x10)) = _t56;
                                  				if(_t56 == 0) {
                                  					_push( *((intOrPtr*)(_t107 + 0x14)));
                                  					_t102 = _t83 + 0x10;
                                  					_push(_t83 + 0x10); // executed
                                  					_t57 = E00412CAE(_t107 - 0x5c); // executed
                                  					__eflags = _t57;
                                  					 *((intOrPtr*)(_t107 + 0x10)) = _t57;
                                  					if(__eflags == 0) {
                                  						E00412911(_t102);
                                  						E00412953();
                                  						E004129A8(_t102);
                                  						E00408D12(_t83 + 8,  *((intOrPtr*)(_t107 + 0xc)));
                                  						 *((char*)(_t107 - 4)) = 3;
                                  						E00410978(_t107 - 0x5c, __eflags);
                                  						_t63 =  *((intOrPtr*)(_t107 + 0x14));
                                  						 *((char*)(_t107 - 4)) = 2;
                                  						__eflags = _t63;
                                  						if(_t63 != 0) {
                                  							 *((intOrPtr*)( *_t63 + 8))(_t63);
                                  						}
                                  						__eflags = _t105;
                                  						 *((char*)(_t107 - 4)) = 1;
                                  						if(_t105 != 0) {
                                  							 *((intOrPtr*)( *_t105 + 8))(_t105);
                                  						}
                                  						_t64 = 0;
                                  					} else {
                                  						 *((char*)(_t107 - 4)) = 3;
                                  						E00410978(_t107 - 0x5c, __eflags);
                                  						_t69 =  *((intOrPtr*)(_t107 + 0x14));
                                  						 *((char*)(_t107 - 4)) = 2;
                                  						__eflags = _t69;
                                  						if(_t69 != 0) {
                                  							 *((intOrPtr*)( *_t69 + 8))(_t69);
                                  						}
                                  						__eflags = _t105;
                                  						 *((char*)(_t107 - 4)) = 1;
                                  						if(_t105 != 0) {
                                  							 *((intOrPtr*)( *_t105 + 8))(_t105);
                                  						}
                                  						_t64 =  *((intOrPtr*)(_t107 + 0x10));
                                  					}
                                  				} else {
                                  					 *((char*)(_t107 - 4)) = 3;
                                  					E00410978(_t107 - 0x5c, _t114);
                                  					_t74 =  *((intOrPtr*)(_t107 + 0x14));
                                  					 *((char*)(_t107 - 4)) = 2;
                                  					if(_t74 != 0) {
                                  						 *((intOrPtr*)( *_t74 + 8))(_t74);
                                  					}
                                  					 *((char*)(_t107 - 4)) = 1;
                                  					if(_t105 != 0) {
                                  						 *((intOrPtr*)( *_t105 + 8))(_t105);
                                  					}
                                  					_t64 =  *((intOrPtr*)(_t107 + 0x10));
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t107 - 0xc));
                                  				return _t64;
                                  			}

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00410808
                                    • Part of subcall function 00412CAE: __EH_prolog.LIBCMT ref: 00412CB3
                                    • Part of subcall function 00410978: __EH_prolog.LIBCMT ref: 0041097D
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: b1e8aa02f6dbdcc819803c70b3d15307e2af8e1e1de9a58bcd7a218129bfac7a
                                  • Instruction ID: 57528297a4767065094c528dc7b1115d42b161d3372c49fb56dfc779fa15cb0a
                                  • Opcode Fuzzy Hash: b1e8aa02f6dbdcc819803c70b3d15307e2af8e1e1de9a58bcd7a218129bfac7a
                                  • Instruction Fuzzy Hash: 0441F570900249DFDF01EFA8C558ADEBBB4AF54304F14408EF845AB352D7B88E85DB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E0040A312(void* __ecx) {
                                  				void* __edi;
                                  				intOrPtr _t53;
                                  				intOrPtr* _t54;
                                  				void* _t55;
                                  				intOrPtr* _t58;
                                  				intOrPtr* _t59;
                                  				intOrPtr* _t66;
                                  				intOrPtr* _t77;
                                  				intOrPtr _t79;
                                  				void* _t83;
                                  				intOrPtr* _t87;
                                  				intOrPtr _t89;
                                  				void* _t90;
                                  				intOrPtr _t92;
                                  
                                  				E004182C0(E004194D0, _t90);
                                  				_push(__ecx);
                                  				_push(_t84);
                                  				 *((intOrPtr*)(_t90 - 0x10)) = _t92;
                                  				 *((intOrPtr*)(_t90 - 4)) = 0;
                                  				if( *((intOrPtr*)(_t90 + 0xc)) < 0 ||  *((intOrPtr*)(_t90 + 0xc)) > 3) {
                                  					_t53 =  *((intOrPtr*)(_t90 + 8));
                                  					_t87 = _t53 + 0x94;
                                  					_t54 =  *((intOrPtr*)(_t53 + 0x94));
                                  					__eflags = _t54;
                                  					if(_t54 != 0) {
                                  						 *((intOrPtr*)( *_t54 + 8))(_t54);
                                  						 *_t87 = 0;
                                  					}
                                  					_t55 = 0x80004005;
                                  					goto L26;
                                  				} else {
                                  					_t89 =  *((intOrPtr*)(_t90 + 8));
                                  					if( *((intOrPtr*)(_t89 + 0x94)) == 0) {
                                  						L17:
                                  						 *((intOrPtr*)(_t89 + 0xf8)) =  *((intOrPtr*)(_t89 + 0xf8)) +  *((intOrPtr*)(_t89 + 0x88));
                                  						asm("adc [eax+0x4], edx");
                                  						_t58 = _t89 + 0xe8;
                                  						if( *((intOrPtr*)(_t89 + 0x7f)) == 0) {
                                  							_t58 = _t89 + 0xf0;
                                  						}
                                  						 *_t58 =  *_t58 + 1;
                                  						asm("adc [eax+0x4], ebx");
                                  						if( *((intOrPtr*)(_t89 + 0x58)) != 0 &&  *((intOrPtr*)(_t89 + 0x80)) != 0) {
                                  							E00406821(_t84,  *((intOrPtr*)(_t89 + 0x4c)),  *((intOrPtr*)(_t89 + 0x78))); // executed
                                  						}
                                  						_t59 =  *((intOrPtr*)(_t89 + 0x14));
                                  						_t55 =  *((intOrPtr*)( *_t59 + 0x20))(_t59,  *((intOrPtr*)(_t90 + 0xc)),  *((intOrPtr*)(_t89 + 0x5c)));
                                  						L26:
                                  						 *[fs:0x0] =  *((intOrPtr*)(_t90 - 0xc));
                                  						return _t55;
                                  					}
                                  					if( *((intOrPtr*)(_t89 + 0x59)) == 0) {
                                  						L5:
                                  						_t83 = _t89 + 0xb8;
                                  						L6:
                                  						if( *((intOrPtr*)(_t89 + 0x5b)) == 0 ||  *((intOrPtr*)(_t89 + 0x7e)) == 0) {
                                  							 *((intOrPtr*)(_t90 + 8)) = 0;
                                  						} else {
                                  							 *((intOrPtr*)(_t90 + 8)) = _t89 + 0x70;
                                  						}
                                  						if( *((intOrPtr*)(_t89 + 0x5a)) == 0) {
                                  							L13:
                                  							_t77 = 0;
                                  							__eflags = 0;
                                  							goto L14;
                                  						} else {
                                  							_t102 =  *((intOrPtr*)(_t89 + 0x7c));
                                  							if( *((intOrPtr*)(_t89 + 0x7c)) == 0) {
                                  								goto L13;
                                  							}
                                  							_t77 = _t89 + 0x60;
                                  							L14:
                                  							_t84 = _t89 + 0x90;
                                  							E00407515( *((intOrPtr*)(_t89 + 0x90)) + 8, _t77,  *((intOrPtr*)(_t90 + 8)), _t83);
                                  							_t79 =  *((intOrPtr*)(_t89 + 0x90));
                                  							 *((intOrPtr*)(_t89 + 0x88)) =  *((intOrPtr*)(_t79 + 0x10));
                                  							 *((intOrPtr*)(_t89 + 0x8c)) =  *((intOrPtr*)(_t79 + 0x14));
                                  							_t55 = E00407E59(_t79, _t102);
                                  							if(_t55 != 0) {
                                  								goto L26;
                                  							}
                                  							_t66 =  *((intOrPtr*)(_t89 + 0x94));
                                  							if(_t66 != 0) {
                                  								 *((intOrPtr*)( *_t66 + 8))(_t66);
                                  								 *((intOrPtr*)(_t89 + 0x94)) = 0;
                                  							}
                                  							goto L17;
                                  						}
                                  					}
                                  					_t83 = _t89 + 0x68;
                                  					if( *((intOrPtr*)(_t89 + 0x7d)) != 0) {
                                  						goto L6;
                                  					}
                                  					goto L5;
                                  				}
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: d9cc3935345482605defc3b128e648b25969308404ad7c17a5e8a440d85acbf5
                                  • Instruction ID: 774a884254762bb38ad82490c0acd06e79f5ab22e87e24bbdeafff3378b08567
                                  • Opcode Fuzzy Hash: d9cc3935345482605defc3b128e648b25969308404ad7c17a5e8a440d85acbf5
                                  • Instruction Fuzzy Hash: 28417C75900780DFCB21CF74C484AA7BBE1BF44304F08887EE99A9B652D734A959CB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040FFBB(void* __ecx) {
                                  				intOrPtr _t53;
                                  				intOrPtr* _t54;
                                  				intOrPtr _t55;
                                  				intOrPtr _t58;
                                  				intOrPtr _t60;
                                  				intOrPtr* _t61;
                                  				intOrPtr _t62;
                                  				intOrPtr* _t66;
                                  				signed int _t87;
                                  				intOrPtr _t89;
                                  				void* _t91;
                                  				intOrPtr* _t92;
                                  				intOrPtr _t93;
                                  				void* _t95;
                                  
                                  				E004182C0(E0041A190, _t95);
                                  				_t91 = __ecx;
                                  				_t53 =  *((intOrPtr*)(__ecx + 0x20));
                                  				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x14)) + 0xc)) + _t53)) == 0) {
                                  					 *(_t95 - 0x10) = 2;
                                  				} else {
                                  					 *(_t95 - 0x10) = 0 |  *((intOrPtr*)(__ecx + 0x28)) != 0x00000000;
                                  				}
                                  				 *((intOrPtr*)(_t95 - 0x14)) = 0;
                                  				_t87 =  *((intOrPtr*)(_t91 + 0x18)) + _t53;
                                  				_t54 =  *((intOrPtr*)(_t91 + 0x24));
                                  				 *(_t95 - 4) = 0;
                                  				_t55 =  *((intOrPtr*)( *_t54 + 0x14))(_t54,  *((intOrPtr*)(_t91 + 0x1c)) + _t87, _t95 - 0x14,  *(_t95 - 0x10));
                                  				 *((intOrPtr*)(_t95 - 0x18)) = _t55;
                                  				if(_t55 == 0) {
                                  					E00408D12( *((intOrPtr*)(_t91 + 8)) + 8,  *((intOrPtr*)(_t95 - 0x14)));
                                  					_t58 =  *((intOrPtr*)(_t91 + 8));
                                  					 *(_t58 + 0x18) =  *(_t58 + 0x18) | 0xffffffff;
                                  					 *((intOrPtr*)(_t58 + 0x10)) = 0;
                                  					 *((intOrPtr*)(_t58 + 0x14)) = 0;
                                  					 *((char*)(_t58 + 0x1c)) =  *((intOrPtr*)(_t91 + 0x2a));
                                  					if( *(_t95 - 0x10) == 0 &&  *((intOrPtr*)(_t95 - 0x14)) == 0) {
                                  						_t89 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t91 + 0x10)) + 0x70)) + _t87 * 4));
                                  						if( *((intOrPtr*)(_t89 + 0x3e)) == 0 &&  *((intOrPtr*)(_t89 + 0x3d)) == 0) {
                                  							 *(_t95 - 0x10) = 2;
                                  						}
                                  					}
                                  					_t92 =  *((intOrPtr*)(_t91 + 0x24));
                                  					_t60 =  *((intOrPtr*)( *_t92 + 0x18))(_t92,  *(_t95 - 0x10));
                                  					 *(_t95 - 4) =  *(_t95 - 4) | 0xffffffff;
                                  					_t93 = _t60;
                                  					_t61 =  *((intOrPtr*)(_t95 - 0x14));
                                  					if(_t61 != 0) {
                                  						 *((intOrPtr*)( *_t61 + 8))(_t61);
                                  					}
                                  					_t62 = _t93;
                                  				} else {
                                  					_t66 =  *((intOrPtr*)(_t95 - 0x14));
                                  					 *(_t95 - 4) =  *(_t95 - 4) | 0xffffffff;
                                  					if(_t66 != 0) {
                                  						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                  					}
                                  					_t62 =  *((intOrPtr*)(_t95 - 0x18));
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
                                  				return _t62;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 4c4a3d2c69a261ed5c8a68563d2bbac9d93fe23595bd1d7248e1a44615b8c637
                                  • Instruction ID: 9955d2ed5f287c616c08fc1feac3e4bb552ab63f97a0fe6a998199c56080c600
                                  • Opcode Fuzzy Hash: 4c4a3d2c69a261ed5c8a68563d2bbac9d93fe23595bd1d7248e1a44615b8c637
                                  • Instruction Fuzzy Hash: C431BE70900246DFCB24CF98C4809AABBF1FF49310B244AAEE095A77A1C775ED85CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E004142F2(intOrPtr __edx, void* __eflags) {
                                  				intOrPtr _t46;
                                  				intOrPtr _t48;
                                  				void* _t49;
                                  				intOrPtr _t53;
                                  				intOrPtr* _t54;
                                  				intOrPtr _t55;
                                  				void* _t57;
                                  				intOrPtr* _t66;
                                  				intOrPtr _t70;
                                  				void* _t72;
                                  				void* _t75;
                                  				intOrPtr* _t76;
                                  				void* _t79;
                                  				void* _t91;
                                  
                                  				_t70 = __edx;
                                  				E004182C0(E0041A6F8, _t79);
                                  				_t76 =  *((intOrPtr*)(_t79 + 8));
                                  				 *((intOrPtr*)( *_t76 + 0x14))(_t76,  *((intOrPtr*)(_t79 + 0xc)), _t72, _t75, _t57);
                                  				_t73 = _t76 + 0x10;
                                  				E00408A7B(_t76 + 0x10,  *((intOrPtr*)(_t79 + 0x10)));
                                  				 *((intOrPtr*)( *_t76 + 0x1c))(_t76,  *((intOrPtr*)(_t79 + 0x18)));
                                  				 *((intOrPtr*)(_t79 - 0x14)) = _t76;
                                  				 *(_t79 - 0x10) = 1;
                                  				 *(_t79 - 4) =  *(_t79 - 4) & 0x00000000;
                                  				while(1) {
                                  					_t46 = E00413B6F(_t76, _t70, 0x40000); // executed
                                  					if(_t46 != 0) {
                                  						break;
                                  					}
                                  					if( *((intOrPtr*)(_t76 + 0x1d60)) == 0xffffffff) {
                                  						L11:
                                  						 *(_t79 - 0x10) =  *(_t79 - 0x10) & 0x00000000;
                                  						_t46 = E00408B5C(_t73);
                                  						break;
                                  					} else {
                                  						if( *((intOrPtr*)(_t79 + 0x1c)) == _t46) {
                                  							L5:
                                  							if( *((char*)(_t76 + 0x1d70)) == 0) {
                                  								continue;
                                  							} else {
                                  								_t49 = E00408AA2(_t73);
                                  								_t91 = _t70 -  *((intOrPtr*)(_t76 + 0x1d6c));
                                  								_t66 = _t76 + 0x1d68;
                                  								if(_t91 > 0) {
                                  									goto L11;
                                  								} else {
                                  									if(_t91 < 0) {
                                  										continue;
                                  									} else {
                                  										if(_t49 >=  *_t66) {
                                  											goto L11;
                                  										} else {
                                  											continue;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						} else {
                                  							asm("cdq");
                                  							asm("adc edx, [esi+0x4c]");
                                  							 *((intOrPtr*)(_t79 - 0x24)) =  *((intOrPtr*)(_t76 + 0x38)) -  *((intOrPtr*)(_t76 + 0x40)) +  *((intOrPtr*)(_t76 + 0x48));
                                  							 *((intOrPtr*)(_t79 - 0x20)) = _t70;
                                  							_t53 = E00408AA2(_t73);
                                  							 *((intOrPtr*)(_t79 - 0x18)) = _t70;
                                  							 *((intOrPtr*)(_t79 - 0x1c)) = _t53;
                                  							_t54 =  *((intOrPtr*)(_t79 + 0x1c));
                                  							_t70 = _t79 - 0x24;
                                  							_t55 =  *((intOrPtr*)( *_t54 + 0xc))(_t54, _t70, _t79 - 0x1c);
                                  							 *((intOrPtr*)(_t79 + 8)) = _t55;
                                  							if(_t55 != 0) {
                                  								 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
                                  								E004143ED(_t79 - 0x14);
                                  								_t48 =  *((intOrPtr*)(_t79 + 8));
                                  							} else {
                                  								goto L5;
                                  							}
                                  						}
                                  					}
                                  					L13:
                                  					 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0xc));
                                  					return _t48;
                                  				}
                                  				 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
                                  				E004143ED(_t79 - 0x14);
                                  				_t48 = _t46;
                                  				goto L13;
                                  			}


















                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 312c447434b9462cf542418978356e561273d1fcf7fd6583e5ea37c6618a43af
                                  • Instruction ID: 14f3069cf61c19aaa0a06990d3a071d1c7f46b0377bf0735e5a37bc4d9367d94
                                  • Opcode Fuzzy Hash: 312c447434b9462cf542418978356e561273d1fcf7fd6583e5ea37c6618a43af
                                  • Instruction Fuzzy Hash: 16318474A00609DBCF14DF69C544AEEB7B5FF84314F10851FE862A7281D738AA42CF95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0040D676(signed int __ecx, void* __eflags) {
                                  				void* _t28;
                                  				intOrPtr* _t42;
                                  				intOrPtr* _t43;
                                  				void* _t49;
                                  
                                  				E004182C0(E00419C7B, _t49);
                                  				_push(__ecx);
                                  				_push(__ecx);
                                  				 *((intOrPtr*)(_t49 - 0x10)) = __ecx;
                                  				 *(_t49 - 4) = 4;
                                  				E00405858(__ecx + 0xb4);
                                  				 *(_t49 - 4) = 3;
                                  				E00405858(__ecx + 0xa0);
                                  				_t42 = __ecx + 0x8c;
                                  				 *((intOrPtr*)(_t49 - 0x14)) = _t42;
                                  				 *_t42 = 0x41b79c;
                                  				 *(_t49 - 4) = 5;
                                  				E00405898();
                                  				 *(_t49 - 4) = 2;
                                  				E00405858(_t42);
                                  				_t43 = __ecx + 0x78;
                                  				 *((intOrPtr*)(_t49 - 0x14)) = _t43;
                                  				 *_t43 = 0x41b7a4;
                                  				 *(_t49 - 4) = 6;
                                  				E00405898();
                                  				 *(_t49 - 4) = 1;
                                  				E00405858(_t43);
                                  				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
                                  				E0040917A(__ecx);
                                  				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                                  				asm("sbb ecx, ecx");
                                  				_t28 = E0040D2AF( ~__ecx & __ecx + 0x00000014,  ~__ecx & __ecx + 0x00000014); // executed
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
                                  				return _t28;
                                  			}








                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040D67B
                                    • Part of subcall function 0040D2AF: __EH_prolog.LIBCMT ref: 0040D2B4
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 9f1fa342b64c8b041612b16aaa2a71d08e3e6d0649737842ea7f2ffe260de7b4
                                  • Instruction ID: 90546e75892ce681a9f70d3b32ec42ec205f0c2bbfbf46c55eb460bf5b2d5067
                                  • Opcode Fuzzy Hash: 9f1fa342b64c8b041612b16aaa2a71d08e3e6d0649737842ea7f2ffe260de7b4
                                  • Instruction Fuzzy Hash: BB11A371A00685DADB09FBA9C1163DEFBA5DF91318F14859F9452732C2CBF81B048B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040C0D0() {
                                  				intOrPtr* _t20;
                                  				short _t21;
                                  				intOrPtr* _t24;
                                  				void* _t32;
                                  				short _t33;
                                  				void* _t35;
                                  
                                  				E004182C0(E00419928, _t35);
                                  				_t33 = 0;
                                  				 *((short*)(_t35 - 0x1c)) = 0;
                                  				 *((short*)(_t35 - 0x1a)) = 0;
                                  				_t20 =  *((intOrPtr*)(_t35 + 8));
                                  				 *(_t35 - 4) = 0;
                                  				_t21 =  *((intOrPtr*)( *_t20 + 0x18))(_t20,  *((intOrPtr*)(_t35 + 0xc)), 3, _t35 - 0x1c, _t32);
                                  				if(_t21 == 0) {
                                  					if( *((short*)(_t35 - 0x1c)) != 8) {
                                  						if( *((intOrPtr*)(_t35 - 0x1c)) != 0) {
                                  							_t33 = 0x80004005;
                                  						} else {
                                  							_t24 =  *((intOrPtr*)(_t35 + 0x10));
                                  							 *((intOrPtr*)(_t24 + 4)) = 0;
                                  							 *((short*)( *_t24)) = 0;
                                  						}
                                  					} else {
                                  						E00403D65( *((intOrPtr*)(_t35 + 0x10)),  *((intOrPtr*)(_t35 - 0x14)));
                                  					}
                                  				} else {
                                  					_t33 = _t21;
                                  				}
                                  				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
                                  				E004076D9(_t35 - 0x1c);
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
                                  				return _t33;
                                  			}










                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: a179967ded42f83d08ffb1126eafceeb10ed7689412f9ef60a4f1d1a352643f0
                                  • Instruction ID: 1fd2e7ab790fc0b19be9f41c3a3d0be7551f8103822e0fdd80879c46f83cddba
                                  • Opcode Fuzzy Hash: a179967ded42f83d08ffb1126eafceeb10ed7689412f9ef60a4f1d1a352643f0
                                  • Instruction Fuzzy Hash: 9F016D35E10219DBCB10DF94C8809AEB774FF04354F10816AE822BB291C3789E41DF89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E00407B40(void* __ecx) {
                                  				void* _t19;
                                  				signed int _t20;
                                  				void* _t27;
                                  				void* _t29;
                                  
                                  				E004182C0(E00419254, _t29);
                                  				 *(_t29 - 0x10) =  *(_t29 - 0x10) & 0x00000000;
                                  				_push(1);
                                  				_push( *((intOrPtr*)(_t29 + 0x18)));
                                  				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                                  				_push( *((intOrPtr*)(_t29 + 0x14)));
                                  				_push( *((intOrPtr*)(_t29 + 0x10)));
                                  				_push(_t29 - 0x10);
                                  				_push( *((intOrPtr*)(_t29 + 0xc)));
                                  				_push( *((intOrPtr*)(_t29 + 8)));
                                  				_t19 = E00407A70(); // executed
                                  				 *(_t29 - 4) =  *(_t29 - 4) | 0xffffffff;
                                  				_t27 = _t19;
                                  				_t20 =  *(_t29 - 0x10);
                                  				if(_t20 != 0) {
                                  					 *((intOrPtr*)( *_t20 + 8))(_t20);
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t29 - 0xc));
                                  				return _t27;
                                  			}








                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00407B45
                                    • Part of subcall function 00407A70: __EH_prolog.LIBCMT ref: 00407A75
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 8d27b7b8fd71322444765d38ee138a07588898a92f9bc1f32eadbc9324aa4abd
                                  • Instruction ID: 1f516a39cdf3484767a05aaeae39b06efcdf82b2b05a1121c2daefed4227c010
                                  • Opcode Fuzzy Hash: 8d27b7b8fd71322444765d38ee138a07588898a92f9bc1f32eadbc9324aa4abd
                                  • Instruction Fuzzy Hash: 7DF03A32A00219AFDF11DF94CC05BEEBB75FF04364F108569F921E6190C7799A10DB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406821(void* __edi, WCHAR* _a4, long _a8) {
                                  				char _v16;
                                  				void* __ebp;
                                  				signed int _t9;
                                  				void* _t14;
                                  
                                  				if( *0x421274 != 0) {
                                  					_t9 = SetFileAttributesW(_a4, _a8); // executed
                                  					return _t9 & 0xffffff00 | _t9 != 0x00000000;
                                  				}
                                  				_t14 = E004067E3( *((intOrPtr*)(E0040686D(__edi,  &_v16, _a4))), _a8);
                                  				E00405205(_t14, _v16);
                                  				return _t14;
                                  			}








                                  APIs
                                  • SetFileAttributesW.KERNELBASE(?,?), ref: 0040685E
                                    • Part of subcall function 0040686D: __EH_prolog.LIBCMT ref: 00406872
                                    • Part of subcall function 0040686D: AreFileApisANSI.KERNEL32(?,?,?,00000000,00000000), ref: 0040688D
                                    • Part of subcall function 004067E3: SetFileAttributesA.KERNEL32(?,?,00406848,?,?,?,?), ref: 004067EB
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: File$Attributes$ApisH_prologfree
                                  • String ID:
                                  • API String ID: 1139671477-0
                                  • Opcode ID: d56c4e2c4f286f28f8821c580194c9519cbf5fd9fad2f1fb3e40367833da1135
                                  • Instruction ID: 6e620bb20d84f0afdff3fdb90a06bf1728c0e471580b8935a240b6f353a5eb58
                                  • Opcode Fuzzy Hash: d56c4e2c4f286f28f8821c580194c9519cbf5fd9fad2f1fb3e40367833da1135
                                  • Instruction Fuzzy Hash: EEE03036901108BFCF017FA1D845E8A7B699B15314F018477B916A71A1C639C1699B59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406990(void* __edi, WCHAR* _a4) {
                                  				char _v16;
                                  				void* __ebp;
                                  				signed int _t7;
                                  				void* _t11;
                                  
                                  				if( *0x421274 != 0) {
                                  					_t7 = CreateDirectoryW(_a4, 0); // executed
                                  					return _t7 & 0xffffff00 | _t7 != 0x00000000;
                                  				}
                                  				_t11 = E0040697C( *((intOrPtr*)(E0040686D(__edi,  &_v16, _a4))));
                                  				E00405205(_t11, _v16);
                                  				return _t11;
                                  			}








                                  APIs
                                  • CreateDirectoryW.KERNELBASE(?,00000000,U @,?,00000001), ref: 004069C8
                                    • Part of subcall function 0040686D: __EH_prolog.LIBCMT ref: 00406872
                                    • Part of subcall function 0040686D: AreFileApisANSI.KERNEL32(?,?,?,00000000,00000000), ref: 0040688D
                                    • Part of subcall function 0040697C: CreateDirectoryA.KERNEL32(?,00000000,004069B3,00000000,?,?,00000001,U @,?,00000001), ref: 00406982
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: CreateDirectory$ApisFileH_prologfree
                                  • String ID:
                                  • API String ID: 2455149606-0
                                  • Opcode ID: 97e46ef7f873d2d27041b6941f2e4955680bae8dd77d270d31e996f3c2a22d0e
                                  • Instruction ID: 4d7ed2d5a6c825df5f9d55ecdbd361db3397e2ee4d033b40fb51446e385b3e65
                                  • Opcode Fuzzy Hash: 97e46ef7f873d2d27041b6941f2e4955680bae8dd77d270d31e996f3c2a22d0e
                                  • Instruction Fuzzy Hash: A4E01275901104BECF012B71EC06F8E7BA99F15714F018077B512761A1D63985699A5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 92%
                                  			E00414B07(intOrPtr __ecx) {
                                  				void* _t14;
                                  				void* _t17;
                                  				signed int* _t23;
                                  				intOrPtr _t26;
                                  				void* _t28;
                                  
                                  				_t14 = E004182C0(E0041A747, _t28);
                                  				_push(__ecx);
                                  				_t26 = __ecx;
                                  				 *((intOrPtr*)(_t28 - 0x10)) = __ecx;
                                  				 *((intOrPtr*)(__ecx)) = 0x41b9d4;
                                  				 *((intOrPtr*)(__ecx + 4)) = 0x41b9c4;
                                  				 *((intOrPtr*)(__ecx + 8)) = 0x41b9b4;
                                  				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
                                  				_t23 = __ecx + 0x1d38;
                                  				E004176E8(_t14,  *(__ecx + 0x1d38));
                                  				 *_t23 =  *_t23 & 0x00000000;
                                  				E0041373F(_t26 + 0x38); // executed
                                  				 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
                                  				_t17 = E0041380C(_t26 + 0x10); // executed
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
                                  				return _t17;
                                  			}









                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00414B0C
                                    • Part of subcall function 004176E8: free.MSVCRT(?,00414561,00000000,?,?,?,00414515,00000005,?,00000000), ref: 004176EC
                                    • Part of subcall function 0041373F: __EH_prolog.LIBCMT ref: 00413744
                                    • Part of subcall function 0041380C: __EH_prolog.LIBCMT ref: 00413811
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog$free
                                  • String ID:
                                  • API String ID: 2654054672-0
                                  • Opcode ID: f79bf26199318447c630432363e40fdd9c239f7ad1ee1ecf3fa96d9d2f815c89
                                  • Instruction ID: 784fa9291955f5a2981922cf982207be4a86c0dfb86100e9efd36a471906623b
                                  • Opcode Fuzzy Hash: f79bf26199318447c630432363e40fdd9c239f7ad1ee1ecf3fa96d9d2f815c89
                                  • Instruction Fuzzy Hash: C7F05EB1520B01DBC725DF15C5056E9F7F4FF40329F008A1FE0A252690DBB86A85CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00414412() {
                                  				intOrPtr* _t14;
                                  				void* _t15;
                                  				void* _t16;
                                  				void* _t20;
                                  				void* _t22;
                                  				void* _t24;
                                  				void* _t26;
                                  
                                  				E004182C0(E0041A704, _t24);
                                  				_t14 =  *((intOrPtr*)(_t24 + 8));
                                  				 *((intOrPtr*)(_t24 - 0x10)) = _t26 - 0xc;
                                  				 *(_t24 - 4) =  *(_t24 - 4) & 0x00000000;
                                  				_t15 =  *((intOrPtr*)( *_t14 + 0x10))(_t14,  *((intOrPtr*)(_t24 + 0xc)),  *((intOrPtr*)(_t24 + 0x10)),  *((intOrPtr*)(_t24 + 0x14)),  *((intOrPtr*)(_t24 + 0x18)),  *((intOrPtr*)(_t24 + 0x1c)), _t20, _t22, _t16);
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t24 - 0xc));
                                  				return _t15;
                                  			}











                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 37a3a0a142a1e075976fbffd1e76a951c998d0944eecf9623ca48cfc43a725d9
                                  • Instruction ID: 1c35332ac09105d5b0279860cdde77eae81587fc8a84049d9af5a7aff18b2837
                                  • Opcode Fuzzy Hash: 37a3a0a142a1e075976fbffd1e76a951c998d0944eecf9623ca48cfc43a725d9
                                  • Instruction Fuzzy Hash: 49F06D76500109FFCF029F84D845ADE7F79FF49354F10845AF91196151C33ADA21DBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E004074A7(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                  				long _v8;
                                  				long _t12;
                                  				signed int _t14;
                                  				void** _t16;
                                  
                                  				_t16 = __ecx;
                                  				_push(__ecx);
                                  				_t12 =  *0x420d40; // 0x400000
                                  				if(_a8 > _t12) {
                                  					_a8 = _t12;
                                  				}
                                  				_v8 = _v8 & 0x00000000;
                                  				_t14 = ReadFile( *_t16, _a4, _a8,  &_v8, 0); // executed
                                  				 *_a12 = _v8;
                                  				return _t14 & 0xffffff00 | _t14 != 0x00000000;
                                  			}








                                  APIs
                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 004074CA
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: c90912c1a58b713a405efaace1797cdc79f3c96d2f18b9a807c7859e2963f948
                                  • Instruction ID: 479bdb3a2e5df75e71f8f525854861f90d1ebf69c8dfb7ead51cbed92c9f603a
                                  • Opcode Fuzzy Hash: c90912c1a58b713a405efaace1797cdc79f3c96d2f18b9a807c7859e2963f948
                                  • Instruction Fuzzy Hash: CDE0E575600208FBCB11CF95CC01B8E7BF9FB09354F60C069F919AA2A0D339AA10DF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E00407532(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                  				long _v8;
                                  				long _t12;
                                  				signed int _t14;
                                  				void** _t16;
                                  
                                  				_t16 = __ecx;
                                  				_push(__ecx);
                                  				_t12 =  *0x420d40; // 0x400000
                                  				if(_a8 > _t12) {
                                  					_a8 = _t12;
                                  				}
                                  				_v8 = _v8 & 0x00000000;
                                  				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
                                  				 *_a12 = _v8;
                                  				return _t14 & 0xffffff00 | _t14 != 0x00000000;
                                  			}








                                  APIs
                                  • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00407555
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 066d6eea2b2865358b65cfd8ed2f0a4bf6d124ca78edb3e89457abc5dac7ddde
                                  • Instruction ID: abee8363b21c54f383130ef7d9fb9d6c4dca513b1424001a958b7581904cf36c
                                  • Opcode Fuzzy Hash: 066d6eea2b2865358b65cfd8ed2f0a4bf6d124ca78edb3e89457abc5dac7ddde
                                  • Instruction Fuzzy Hash: 78E0C275A41208FBCB11CF95CC01B8E7BBAAB08354F60C069F919AA2A0D379AA10DF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00417778(intOrPtr* _a4, intOrPtr _a8, char _a12) {
                                  				char* _t7;
                                  
                                  				_t7 =  &_a12;
                                  				__imp___beginthreadex(0, 0, _a8, _a12, 0, _t7); // executed
                                  				 *_a4 = _t7;
                                  				return E00417742(0 | _t7 != 0x00000000);
                                  			}





                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: _beginthreadex
                                  • String ID:
                                  • API String ID: 3014514943-0
                                  • Opcode ID: 6bc987106ebbef4c50fdc1e314d3b9a0af8c46bdf91a3f8676ed7bffecea135a
                                  • Instruction ID: 755d7ad64be910da95dc5ffe2a219538b38d859fcc88b51fbcc9eca835600a4b
                                  • Opcode Fuzzy Hash: 6bc987106ebbef4c50fdc1e314d3b9a0af8c46bdf91a3f8676ed7bffecea135a
                                  • Instruction Fuzzy Hash: 8EE01272144309BBDB049F64DC16FAE376DEB44704F04801DFE158A1D1D672E5709B65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 86%
                                  			E00407203(void* __ecx, void* __edx, void* __edi) {
                                  				void* _t12;
                                  				void* _t24;
                                  
                                  				E004182C0(E004191E8, _t24);
                                  				_push(__ecx);
                                  				 *(_t24 - 0x10) =  *(_t24 - 0x10) | 0xffffffff;
                                  				_t4 = _t24 - 4;
                                  				 *(_t24 - 4) =  *(_t24 - 4) & 0x00000000;
                                  				_t12 = E00406FF9(_t24 - 0x10, __edx, __edi,  *_t4,  *((intOrPtr*)(_t24 + 8)),  *((intOrPtr*)(_t24 + 0xc))); // executed
                                  				E00406FD9(_t24 - 0x10);
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t24 - 0xc));
                                  				return _t12;
                                  			}






                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00407208
                                    • Part of subcall function 00406FF9: __EH_prolog.LIBCMT ref: 00406FFE
                                    • Part of subcall function 00406FF9: FindFirstFileW.KERNELBASE(?,?,0042020C), ref: 0040702C
                                    • Part of subcall function 00406FD9: FindClose.KERNELBASE(00000000,?,00407011,0042020C), ref: 00406FE4
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: FindH_prolog$CloseFileFirst
                                  • String ID:
                                  • API String ID: 2004497850-0
                                  • Opcode ID: 0d389b9c446fd27a73677301cbe4cfe401e2e58280bea3c08b8f9d0f6bb886ed
                                  • Instruction ID: 0c901a624fb18e08dd025f961f1f69eb9ef01d41913b6d6cb3535672dd5a2d43
                                  • Opcode Fuzzy Hash: 0d389b9c446fd27a73677301cbe4cfe401e2e58280bea3c08b8f9d0f6bb886ed
                                  • Instruction Fuzzy Hash: 2DE04F3190111AAACB05DF91D851BEDB730FB11324F00821EE432622D0CB789A58DA14
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00412CAE(intOrPtr* __ecx) {
                                  				void* _t9;
                                  				void* _t18;
                                  				intOrPtr _t20;
                                  
                                  				E004182C0(E0041A548, _t18);
                                  				_push(__ecx);
                                  				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
                                  				 *((intOrPtr*)(_t18 - 0x10)) = _t20;
                                  				_t9 = E00412A81(__ecx,  *((intOrPtr*)(_t18 + 8)),  *((intOrPtr*)(_t18 + 0xc))); // executed
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t18 - 0xc));
                                  				return _t9;
                                  			}







                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00412CB3
                                    • Part of subcall function 00412A81: __EH_prolog.LIBCMT ref: 00412A86
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 6d0bea5e1ec3ecfa05defc8d6a377cadc14d397af3240a856389319c5f49188e
                                  • Instruction ID: f80f7c9d7e9a1bcbfc2a812b7f463d8e3baeba77f42e4b49b78fd0dc58baf42e
                                  • Opcode Fuzzy Hash: 6d0bea5e1ec3ecfa05defc8d6a377cadc14d397af3240a856389319c5f49188e
                                  • Instruction Fuzzy Hash: 2AE01276904118FBDB059F89D902BEE7B75EB45365F00805FF00155101D7BA5950D7A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040738F(void** __ecx) {
                                  				void* _t1;
                                  				int _t3;
                                  				signed int* _t6;
                                  
                                  				_t6 = __ecx;
                                  				_t1 =  *__ecx;
                                  				if(_t1 == 0xffffffff) {
                                  					L4:
                                  					return 1;
                                  				} else {
                                  					_t3 = FindCloseChangeNotification(_t1); // executed
                                  					if(_t3 != 0) {
                                  						 *_t6 =  *_t6 | 0xffffffff;
                                  						goto L4;
                                  					} else {
                                  						return 0;
                                  					}
                                  				}
                                  			}







                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,00407358,00000000,00000000,00407D98,?,0040C52E,?,?,?,?,?,00000000,00000000,?), ref: 0040739A
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: c82bffb7444a61b0d558c3df9c2875541e7a1a33c6c1e37c8e2bfa1f93154cfd
                                  • Instruction ID: 20f7d08ef486c992a3570cc9cc2e42df5d48140a16e567f68264dcd366c58f17
                                  • Opcode Fuzzy Hash: c82bffb7444a61b0d558c3df9c2875541e7a1a33c6c1e37c8e2bfa1f93154cfd
                                  • Instruction Fuzzy Hash: C7D0123191826167DA745E3CB8455C377D85B463303310B6AFCB4D32E0D3789C83A694
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406FD9(void** __ecx) {
                                  				void* _t1;
                                  				int _t3;
                                  				signed int* _t6;
                                  
                                  				_t6 = __ecx;
                                  				_t1 =  *__ecx;
                                  				if(_t1 == 0xffffffff) {
                                  					L4:
                                  					return 1;
                                  				} else {
                                  					_t3 = FindClose(_t1); // executed
                                  					if(_t3 != 0) {
                                  						 *_t6 =  *_t6 | 0xffffffff;
                                  						goto L4;
                                  					} else {
                                  						return 0;
                                  					}
                                  				}
                                  			}







                                  APIs
                                  • FindClose.KERNELBASE(00000000,?,00407011,0042020C), ref: 00406FE4
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: CloseFind
                                  • String ID:
                                  • API String ID: 1863332320-0
                                  • Opcode ID: 40dd603590203b5e8be4a0906842daebde1db945935a60bfb9929490c6dc78ff
                                  • Instruction ID: 2fcae327cddf06ca53aeb8be46b8b95c5b6a9852e5205ed71096779c452df8b2
                                  • Opcode Fuzzy Hash: 40dd603590203b5e8be4a0906842daebde1db945935a60bfb9929490c6dc78ff
                                  • Instruction Fuzzy Hash: 2FD0C93111426246CA645E6C78489C33B985E16330326076AF4B5D22E0D7748C976694
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040548E(void* __ecx, int _a4) {
                                  				void* _t9;
                                  
                                  				_t9 = __ecx;
                                  				_t2 = _t9 + 4; // 0x74dc4620
                                  				fputc(_a4,  *_t2); // executed
                                  				return _t9;
                                  			}





                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: fputc
                                  • String ID:
                                  • API String ID: 1992160199-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040541C(void* __ecx, char* _a4) {
                                  				void* _t8;
                                  
                                  				_t8 = __ecx;
                                  				_t1 = _t8 + 4; // 0x74dc4620
                                  				fputs(_a4,  *_t1); // executed
                                  				return _t8;
                                  			}





                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: fputs
                                  • String ID:
                                  • API String ID: 1795875747-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00407515(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
                                  				signed int _t4;
                                  
                                  				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
                                  				asm("sbb eax, eax");
                                  				return  ~( ~_t4);
                                  			}





                                  APIs
                                  • SetFileTime.KERNELBASE(?,?,?,?), ref: 00407523
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: FileTime
                                  • String ID:
                                  • API String ID: 1425588814-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00408ACB(intOrPtr* __ecx) {
                                  				int _v8;
                                  				int _v12;
                                  				intOrPtr _t30;
                                  				void* _t31;
                                  				intOrPtr* _t32;
                                  				intOrPtr _t33;
                                  				intOrPtr _t35;
                                  				intOrPtr _t42;
                                  				intOrPtr _t50;
                                  				int _t51;
                                  				intOrPtr* _t54;
                                  
                                  				_push(__ecx);
                                  				_push(__ecx);
                                  				_t54 = __ecx;
                                  				_t30 =  *((intOrPtr*)(__ecx + 0xc));
                                  				_t50 =  *((intOrPtr*)(__ecx + 4));
                                  				if(_t30 >= _t50) {
                                  					_t50 =  *((intOrPtr*)(__ecx + 0x10));
                                  				}
                                  				_t51 = _t50 - _t30;
                                  				_t31 =  *(_t54 + 0x20);
                                  				_v12 = 0;
                                  				if(_t31 != 0) {
                                  					memmove(_t31,  *_t54 +  *((intOrPtr*)(_t54 + 0xc)), _t51);
                                  					 *(_t54 + 0x20) =  *(_t54 + 0x20) + _t51;
                                  				}
                                  				_t32 =  *((intOrPtr*)(_t54 + 0x14));
                                  				if(_t32 != 0) {
                                  					_v8 = 0;
                                  					_t35 =  *((intOrPtr*)( *_t32 + 0xc))(_t32,  *_t54 +  *((intOrPtr*)(_t54 + 0xc)), _t51,  &_v8);
                                  					_t51 = _v8;
                                  					_v12 = _t35;
                                  				}
                                  				 *((intOrPtr*)(_t54 + 0xc)) =  *((intOrPtr*)(_t54 + 0xc)) + _t51;
                                  				_t33 =  *((intOrPtr*)(_t54 + 0x10));
                                  				if( *((intOrPtr*)(_t54 + 0xc)) == _t33) {
                                  					 *((intOrPtr*)(_t54 + 0xc)) = 0;
                                  				}
                                  				if( *((intOrPtr*)(_t54 + 4)) == _t33) {
                                  					 *((char*)(_t54 + 0x24)) = 1;
                                  					 *((intOrPtr*)(_t54 + 4)) = 0;
                                  				}
                                  				_t42 =  *((intOrPtr*)(_t54 + 0xc));
                                  				if(_t42 >  *((intOrPtr*)(_t54 + 4))) {
                                  					_t33 = _t42;
                                  				}
                                  				 *((intOrPtr*)(_t54 + 0x18)) =  *((intOrPtr*)(_t54 + 0x18)) + _t51;
                                  				 *((intOrPtr*)(_t54 + 8)) = _t33;
                                  				asm("adc [esi+0x1c], ebx");
                                  				return _v12;
                                  			}















                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: memmove
                                  • String ID:
                                  • API String ID: 2162964266-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E00408060(intOrPtr* __ecx) {
                                  				char _v8;
                                  				char _v12;
                                  				intOrPtr* _t21;
                                  				char _t22;
                                  				intOrPtr _t23;
                                  				signed int _t24;
                                  				signed int _t25;
                                  				signed int _t26;
                                  				intOrPtr _t29;
                                  				intOrPtr _t30;
                                  				void* _t34;
                                  				intOrPtr* _t38;
                                  
                                  				_push(__ecx);
                                  				_push(__ecx);
                                  				_t38 = __ecx;
                                  				if( *((char*)(__ecx + 0x1c)) == 0) {
                                  					_t29 =  *((intOrPtr*)(__ecx + 8));
                                  					asm("cdq");
                                  					 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(__ecx + 0x10)) +  *__ecx - _t29;
                                  					_t21 =  *((intOrPtr*)(__ecx + 0xc));
                                  					asm("adc [esi+0x14], edx");
                                  					_t22 =  *((intOrPtr*)( *_t21 + 0xc))(_t21, _t29,  *((intOrPtr*)(__ecx + 0x18)),  &_v12, _t34);
                                  					if(_t22 != 0) {
                                  						_v8 = _t22;
                                  						_push(0x41cfa8);
                                  						_push( &_v8);
                                  						L004182FC();
                                  					}
                                  					_t23 =  *((intOrPtr*)(_t38 + 8));
                                  					_t30 = _v12;
                                  					 *_t38 = _t23;
                                  					_t24 = _t23 + _t30;
                                  					 *(_t38 + 4) = _t24;
                                  					_t25 = _t24 & 0xffffff00 | _t30 == 0x00000000;
                                  					 *(_t38 + 0x1c) = _t25;
                                  					_t26 = 0 | _t25 == 0x00000000;
                                  				} else {
                                  					_t26 = 0;
                                  				}
                                  				return _t26;
                                  			}
















                                  APIs
                                  • _CxxThrowException.MSVCRT(?,0041CFA8), ref: 004080A3
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionThrow
                                  • String ID:
                                  • API String ID: 432778473-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 57%
                                  			E00408FFB(void* __ecx, int _a4) {
                                  				int _t8;
                                  				void* _t9;
                                  				void* _t10;
                                  				void* _t12;
                                  				int _t17;
                                  				void* _t18;
                                  
                                  				_t17 = _a4;
                                  				_t18 = __ecx;
                                  				if(_t17 ==  *((intOrPtr*)(__ecx + 4))) {
                                  					return _t8;
                                  				}
                                  				if(_t17 <= 0) {
                                  					_t12 = 0;
                                  				} else {
                                  					_push(_t17); // executed
                                  					_t10 = E004051DE(); // executed
                                  					_t12 = _t10;
                                  					_t8 =  *(_t18 + 4);
                                  					if(_t8 > 0) {
                                  						if(_t8 >= _t17) {
                                  							_t8 = _t17;
                                  						}
                                  						_t8 = memmove(_t12,  *(_t18 + 8), _t8);
                                  					}
                                  				}
                                  				_t9 = E00405205(_t8,  *(_t18 + 8));
                                  				 *(_t18 + 8) = _t12;
                                  				 *(_t18 + 4) = _t17;
                                  				return _t9;
                                  			}










                                  APIs
                                    • Part of subcall function 004051DE: malloc.MSVCRT ref: 004051E4
                                    • Part of subcall function 004051DE: _CxxThrowException.MSVCRT(?,0041C8F8), ref: 004051FE
                                  • memmove.MSVCRT ref: 00409028
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionThrowmallocmemmove
                                  • String ID:
                                  • API String ID: 2847158419-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407DDA(intOrPtr _a4, char _a8, long _a12, long _a16, intOrPtr* _a20) {
                                  				void* _t14;
                                  				long _t15;
                                  				intOrPtr* _t20;
                                  
                                  				if(_a16 >= 3) {
                                  					return 0x80030001;
                                  				}
                                  				_t14 = E004073FA(_a4 + 0xc, _a8, _a12, _a16,  &_a8); // executed
                                  				_t20 = _a20;
                                  				if(_t20 != 0) {
                                  					 *_t20 = _a8;
                                  					 *((intOrPtr*)(_t20 + 4)) = _a12;
                                  				}
                                  				if(_t14 != 0) {
                                  					return 0;
                                  				}
                                  				_t15 = GetLastError();
                                  				if(_t15 == 0) {
                                  					return 0x80004005;
                                  				}
                                  				return _t15;
                                  			}







                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 91%
                                  			E00407E78(void* __eflags, intOrPtr _a4, void* _a8, char _a12, intOrPtr* _a16) {
                                  				void* _t11;
                                  				long _t12;
                                  				intOrPtr _t16;
                                  				intOrPtr* _t17;
                                  				intOrPtr _t19;
                                  
                                  				_t19 = _a4;
                                  				_t11 = E00407532(_t19 + 8, _a8, _a12,  &_a12); // executed
                                  				_t16 = _a12;
                                  				_t17 = _a16;
                                  				 *((intOrPtr*)(_t19 + 0x10)) =  *((intOrPtr*)(_t19 + 0x10)) + _t16;
                                  				asm("adc dword [esi+0x14], 0x0");
                                  				if(_t17 != 0) {
                                  					 *_t17 = _t16;
                                  				}
                                  				if(_t11 != 0) {
                                  					return 0;
                                  				}
                                  				_t12 = GetLastError();
                                  				if(_t12 == 0) {
                                  					return 0x80004005;
                                  				}
                                  				return _t12;
                                  			}









                                  APIs
                                    • Part of subcall function 00407532: WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00407555
                                  • GetLastError.KERNEL32 ref: 00407EAD
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastWrite
                                  • String ID:
                                  • API String ID: 442123175-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00407D9B(void* __eflags, intOrPtr _a4, void* _a8, char _a12, intOrPtr* _a16) {
                                  				void* _t10;
                                  				long _t11;
                                  				intOrPtr* _t15;
                                  
                                  				_t10 = E004074A7(_a4 + 0xc, _a8, _a12,  &_a12); // executed
                                  				_t15 = _a16;
                                  				if(_t15 != 0) {
                                  					 *_t15 = _a12;
                                  				}
                                  				if(_t10 != 0) {
                                  					return 0;
                                  				}
                                  				_t11 = GetLastError();
                                  				if(_t11 == 0) {
                                  					return 0x80004005;
                                  				}
                                  				return _t11;
                                  			}

                                  APIs
                                    • Part of subcall function 004074A7: ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 004074CA
                                  • GetLastError.KERNEL32 ref: 00407DC7
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastRead
                                  • String ID:
                                  • API String ID: 1948546556-0
                                  • Opcode ID: cc94c2acc332f7b78d897eaae3c67707f501a19b5120f44dc2ea2d539b24c98a
                                  • Instruction ID: 7267684e49551bd3e8269e19f2ae80ab97c96a6670348af2546bd810ecd3637b
                                  • Opcode Fuzzy Hash: cc94c2acc332f7b78d897eaae3c67707f501a19b5120f44dc2ea2d539b24c98a
                                  • Instruction Fuzzy Hash: 92E06D3160420AABCF10DF54DC00DAB37A9BF44354B00842AB805AB290D335E911CBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004176F6(long _a4) {
                                  				void* _t3;
                                  
                                  				if(_a4 != 0) {
                                  					_t3 = VirtualAlloc(0, _a4, 0x1000, 4); // executed
                                  					return _t3;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00413905,00020000), ref: 0041770E
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: c84eb885001f818df23cc9a6cf0895cfa3ba5c6a48865c2d9d03591b16269b0a
                                  • Instruction ID: 619f1417a23d226b7129bf99ba72b465731956285945e83f7f48b37d4337c1ea
                                  • Opcode Fuzzy Hash: c84eb885001f818df23cc9a6cf0895cfa3ba5c6a48865c2d9d03591b16269b0a
                                  • Instruction Fuzzy Hash: D3C08C3024C300FEE6218A508C0AF8B76A09758B96F10C825F365581C0C3B4A080E72E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00417717(void* _a4) {
                                  				void* _t3;
                                  				int _t4;
                                  
                                  				if(_a4 != 0) {
                                  					_t4 = VirtualFree(_a4, 0, 0x8000); // executed
                                  					return _t4;
                                  				}
                                  				return _t3;
                                  			}

                                  APIs
                                  • VirtualFree.KERNELBASE(?,00000000,00008000,00408A76,?,?,00408A53,?,?,004144FB,00000000), ref: 00417729
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: 905c5def430ea3206637e515c218b94326d3f4dfc4b4856edc48e26f9cc97e35
                                  • Instruction ID: 9f165adfe0245f79264c46124aea25fd0354d32660b40f814fd94543fbbb21f9
                                  • Opcode Fuzzy Hash: 905c5def430ea3206637e515c218b94326d3f4dfc4b4856edc48e26f9cc97e35
                                  • Instruction Fuzzy Hash: 87C09230148300BAE7258B00DD09F8BBBA0EB94B01F20C429B2A8641E4C7B4A998EA4D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 76%
                                  			E0041738A(void* _a4, intOrPtr _a8) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				intOrPtr* _v32;
                                  				intOrPtr* _v36;
                                  				intOrPtr _v40;
                                  				void _v72;
                                  				char _v136;
                                  				signed int _t108;
                                  				signed int _t115;
                                  				signed int _t128;
                                  				signed int _t136;
                                  				signed int _t138;
                                  				signed int _t144;
                                  				void* _t146;
                                  				signed int _t148;
                                  				signed int _t152;
                                  				signed int _t157;
                                  				signed int _t165;
                                  				intOrPtr* _t167;
                                  				void* _t186;
                                  				intOrPtr _t190;
                                  				signed int _t191;
                                  				signed int _t193;
                                  				void* _t200;
                                  				intOrPtr* _t206;
                                  				unsigned int _t207;
                                  				signed int _t211;
                                  				void* _t214;
                                  				void* _t215;
                                  				void* _t216;
                                  
                                  				_v16 = _v16 & 0x00000000;
                                  				_t165 = 8;
                                  				memcpy( &_v72, _a4, _t165 << 2);
                                  				_t216 = _t215 + 0xc;
                                  				do {
                                  					_t108 = 1;
                                  					_v32 = 0x41bb48 + _v16 * 4;
                                  					_t167 =  &_v136;
                                  					_t190 = _a8 -  &_v136;
                                  					_v28 = _t108;
                                  					_t211 = 0xfffffffc;
                                  					_v36 = _t167;
                                  					_v40 = _t190;
                                  					L3:
                                  					L3:
                                  					if(_v16 == 0) {
                                  						_t191 =  *((intOrPtr*)(_t190 + _t167));
                                  						 *_t167 = _t191;
                                  						_v8 = _t191;
                                  					} else {
                                  						_t18 = _t108 - 3; // -2
                                  						_push(0x12);
                                  						_t207 =  *(_t214 + (_t18 & 0x0000000f) * 4 - 0x84);
                                  						_v12 = _t207;
                                  						_t157 =  *((intOrPtr*)(_t214 + (_t108 & 0x0000000f) * 4 - 0x84));
                                  						_t136 = _t214 + (_t108 - 0x00000001 & 0x0000000f) * 4 - 0x84;
                                  						_push(_t157);
                                  						_v24 = _t157;
                                  						_v20 = _t136;
                                  						L00418646();
                                  						_push(7);
                                  						_push(_t157);
                                  						L00418646();
                                  						_push(0x13);
                                  						_t138 = _v24 >> 3;
                                  						_push(_t207);
                                  						L00418646();
                                  						_push(0x11);
                                  						_v8 = _t136 ^ _t136 ^ _t138;
                                  						_push(_t207);
                                  						L00418646();
                                  						_t216 = _t216 + 0x20;
                                  						_t144 = _v20;
                                  						 *_t144 =  *_t144 + _v8 + (_t138 ^ _t138 ^ _t207 >> 0x0000000a) +  *((intOrPtr*)(_t214 + (_v28 + 0xfffffff8 & 0x0000000f) * 4 - 0x84));
                                  						_v8 =  *_t144;
                                  					}
                                  					_push(0x19);
                                  					_t148 =  *((intOrPtr*)(_t214 + (_t211 & 0x00000007) * 4 - 0x44));
                                  					_t45 = _t211 + 2; // 0xfd
                                  					_push(_t148);
                                  					_v12 = _t148;
                                  					_v24 =  *((intOrPtr*)(_t214 + (_t45 & 0x00000007) * 4 - 0x44));
                                  					_t51 = _t211 + 3; // 0xfe
                                  					_t115 = _t51 & 0x00000007;
                                  					_t206 = _t214 + _t115 * 4 - 0x44;
                                  					L00418646();
                                  					_push(0xb);
                                  					_push(_t148);
                                  					L00418646();
                                  					_push(6);
                                  					_push(_v12);
                                  					L00418646();
                                  					_t56 = _t211 + 1; // 0xfc
                                  					_t193 = 7;
                                  					_push(0x16);
                                  					_t65 = _t211 - 1; // 0xfa
                                  					 *_t206 =  *_t206 + (( *(_t214 + (_t56 & _t193) * 4 - 0x44) ^ _v24) & _v12 ^ _v24) + _v8 + (_t115 ^ _t115 ^ _t115) +  *_v32;
                                  					 *((intOrPtr*)(_t214 + (_t65 & _t193) * 4 - 0x44)) =  *((intOrPtr*)(_t214 + (_t65 & _t193) * 4 - 0x44)) +  *_t206;
                                  					_t75 = _t211 - 4; // 0xf7
                                  					_t152 =  *((intOrPtr*)(_t214 + (_t75 & _t193) * 4 - 0x44));
                                  					_t79 = _t211 - 3; // 0xf8
                                  					_push(_t152);
                                  					_v12 = _t152;
                                  					_t128 =  *(_t214 + (_t79 & _t193) * 4 - 0x44);
                                  					_v8 = _t128;
                                  					L00418646();
                                  					_push(0xd);
                                  					_push(_t152);
                                  					L00418646();
                                  					_push(2);
                                  					_push(_v12);
                                  					L00418646();
                                  					_t88 = _t211 - 2; // 0xf9
                                  					_t216 = _t216 + 0x30;
                                  					 *_t206 =  *_t206 + (_t128 ^ _t128 ^ _t128) + ( *(_t214 + (_t88 & 0x00000007) * 4 - 0x44) & (_v8 | _v12) | _v8 & _v12);
                                  					_t108 = _v28 + 1;
                                  					_v28 = _t108;
                                  					_v32 = _v32 + 4;
                                  					_t167 = _v36 + 4;
                                  					_t99 = _t108 - 1; // 0x4175d9
                                  					_t211 = _t211 - 1;
                                  					_v36 = _t167;
                                  					if(_t99 < 0x10) {
                                  						goto L2;
                                  					}
                                  					goto L7;
                                  					L2:
                                  					_t190 = _v40;
                                  					goto L3;
                                  					L7:
                                  					_v16 = _v16 + 0x10;
                                  				} while (_v16 < 0x40);
                                  				_t146 = _a4;
                                  				_t186 =  &_v72 - _t146;
                                  				_t200 = 8;
                                  				do {
                                  					 *_t146 =  *_t146 +  *((intOrPtr*)(_t186 + _t146));
                                  					_t146 = _t146 + 4;
                                  					_t200 = _t200 - 1;
                                  				} while (_t200 != 0);
                                  				return _t146;
                                  			}

                                  APIs
                                  • _rotr.MSVCRT(?,00000012,?,?,?,?,?,?,?,?,?,?,0000000F,?), ref: 00417411
                                  • _rotr.MSVCRT(?,00000007,?,00000012,?,?,?,?,?,?,?,?,?,?,0000000F,?), ref: 0041741D
                                  • _rotr.MSVCRT(?,00000013,?,00000007,?,00000012,?,?,?,?,?,?,?,?,?,?), ref: 0041742F
                                  • _rotr.MSVCRT(?,00000011,?,00000013,?,00000007,?,00000012), ref: 0041743C
                                  • _rotr.MSVCRT(?,00000019,?,0000000F,?), ref: 0041749C
                                  • _rotr.MSVCRT(?,0000000B,?,00000019,?,0000000F,?), ref: 004174A8
                                  • _rotr.MSVCRT(00000081,00000006,?,0000000B,?,00000019,?,0000000F,?), ref: 004174B4
                                  • _rotr.MSVCRT(?,00000016,00000081,00000006,?,0000000B,?,00000019,?,0000000F,?), ref: 00417508
                                  • _rotr.MSVCRT(?,0000000D,?,00000016,00000081,00000006,?,0000000B,?,00000019,?,0000000F,?), ref: 00417514
                                  • _rotr.MSVCRT(00000081,00000002,?,0000000D,?,00000016,00000081,00000006,?,0000000B,?,00000019,?,0000000F,?), ref: 00417520
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: _rotr
                                  • String ID: @
                                  • API String ID: 193259503-2766056989
                                  • Opcode ID: ab5a4834a43d18dda90867b70ebe94f0a8f7162d98f32dff49b746095838f3fc
                                  • Instruction ID: db92ee418cea7d4c0734b8e6cac704b78d3ea71e8095a41914bd7aa9ee481f25
                                  • Opcode Fuzzy Hash: ab5a4834a43d18dda90867b70ebe94f0a8f7162d98f32dff49b746095838f3fc
                                  • Instruction Fuzzy Hash: 8F712C71E002099FDB04CFA9D982BDEB7F5FF88304F14846AE515EB241E778AA51CB44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 99%
                                  			E00411957(intOrPtr __ecx, signed int __edx) {
                                  				signed int _t132;
                                  				intOrPtr _t134;
                                  				signed int _t135;
                                  				signed int _t136;
                                  				signed int _t148;
                                  				intOrPtr _t159;
                                  				signed int _t160;
                                  				intOrPtr _t162;
                                  				void* _t164;
                                  				signed int _t167;
                                  				intOrPtr _t175;
                                  				signed int _t177;
                                  				signed int _t183;
                                  				intOrPtr _t184;
                                  				intOrPtr _t202;
                                  				signed int _t212;
                                  				signed int _t214;
                                  				signed int _t215;
                                  				signed int _t217;
                                  				intOrPtr _t218;
                                  				signed int _t219;
                                  				void* _t220;
                                  				void* _t221;
                                  				void* _t222;
                                  				signed int _t224;
                                  				intOrPtr _t225;
                                  				void* _t227;
                                  
                                  				_t212 = __edx;
                                  				E004182C0(E0041A3BC, _t227);
                                  				_t175 = __ecx;
                                  				 *((intOrPtr*)(_t227 - 0x14)) = __ecx;
                                  				E00405898();
                                  				_t224 =  *(_t227 + 8);
                                  				E004058F1( *((intOrPtr*)(_t227 + 0xc)),  *(_t224 + 8));
                                  				while(1) {
                                  					_t132 = E00410F9F( *((intOrPtr*)(_t175 + 0x18)), _t212);
                                  					_t183 = _t212;
                                  					 *(_t227 - 0x1c) = _t132;
                                  					 *(_t227 - 0x18) = _t183;
                                  					if(_t132 != 0xd) {
                                  						goto L6;
                                  					}
                                  					L2:
                                  					_t212 = 0;
                                  					if(_t183 != 0) {
                                  						L7:
                                  						__eflags = _t132 - 0xa;
                                  						if(_t132 != 0xa) {
                                  							L9:
                                  							__eflags = _t132 - 9;
                                  							if(_t132 != 9) {
                                  								L11:
                                  								__eflags = _t132 | _t183;
                                  								if((_t132 | _t183) == 0) {
                                  									L13:
                                  									_t134 =  *((intOrPtr*)(_t227 + 0xc));
                                  									__eflags =  *((intOrPtr*)(_t134 + 8)) - _t212;
                                  									if( *((intOrPtr*)(_t134 + 8)) != _t212) {
                                  										L17:
                                  										_t184 =  *((intOrPtr*)(_t227 + 0xc));
                                  										_t214 = 0;
                                  										 *(_t227 - 0x10) = 0;
                                  										__eflags =  *((intOrPtr*)(_t184 + 8)) - _t212;
                                  										if( *((intOrPtr*)(_t184 + 8)) <= _t212) {
                                  											L27:
                                  											__eflags =  *(_t227 - 0x1c) - 9;
                                  											if( *(_t227 - 0x1c) == 9) {
                                  												__eflags =  *(_t227 - 0x18) - _t212;
                                  												if( *(_t227 - 0x18) == _t212) {
                                  													_t160 = E00410F9F( *((intOrPtr*)(_t175 + 0x18)), _t212);
                                  													_t184 =  *((intOrPtr*)(_t227 + 0xc));
                                  													 *(_t227 - 0x18) = _t212;
                                  													 *(_t227 - 0x1c) = _t160;
                                  													_t212 = 0;
                                  													__eflags = 0;
                                  												}
                                  											}
                                  											_t215 =  *(_t224 + 8);
                                  											 *(_t227 + 8) = _t212;
                                  											__eflags = _t215 - _t212;
                                  											 *(_t227 - 0x10) = _t212;
                                  											if(_t215 <= _t212) {
                                  												L37:
                                  												_t135 =  *(_t227 - 0x1c);
                                  												__eflags = _t135 - 0xa;
                                  												if(_t135 != 0xa) {
                                  													L48:
                                  													_t136 = _t135 |  *(_t227 - 0x18);
                                  													__eflags = _t136;
                                  													if(_t136 == 0) {
                                  														_t225 =  *((intOrPtr*)(_t227 + 0x14));
                                  														__eflags =  *((intOrPtr*)(_t225 + 8)) - _t212;
                                  														if( *((intOrPtr*)(_t225 + 8)) != _t212) {
                                  															L54:
                                  															 *[fs:0x0] =  *((intOrPtr*)(_t227 - 0xc));
                                  															return _t136;
                                  														}
                                  														E00405898();
                                  														_t136 = E00405898();
                                  														_t217 =  *(_t227 - 0x10);
                                  														__eflags = _t217;
                                  														if(_t217 <= 0) {
                                  															goto L54;
                                  														} else {
                                  															goto L53;
                                  														}
                                  														do {
                                  															L53:
                                  															E0040FCC5(_t225, _t212, 0);
                                  															_t136 = E0040DCD2( *((intOrPtr*)(_t227 + 0x18)), _t212, 0);
                                  															_t217 = _t217 - 1;
                                  															__eflags = _t217;
                                  														} while (_t217 != 0);
                                  														goto L54;
                                  													}
                                  													E00410F8C( *((intOrPtr*)(_t175 + 0x18)), _t212);
                                  													L50:
                                  													 *(_t227 - 0x1c) = E00410F9F( *((intOrPtr*)(_t175 + 0x18)), _t212);
                                  													 *(_t227 - 0x18) = _t212;
                                  													goto L36;
                                  												}
                                  												__eflags =  *(_t227 - 0x18) - _t212;
                                  												if(__eflags != 0) {
                                  													goto L48;
                                  												}
                                  												 *(_t227 - 0x48) = _t212;
                                  												 *(_t227 - 0x44) = _t212;
                                  												 *(_t227 - 0x40) = _t212;
                                  												 *((intOrPtr*)(_t227 - 0x3c)) = 1;
                                  												 *((intOrPtr*)(_t227 - 0x4c)) = 0x41b828;
                                  												 *(_t227 - 4) = _t212;
                                  												 *(_t227 - 0x34) = _t212;
                                  												 *(_t227 - 0x30) = _t212;
                                  												 *(_t227 - 0x2c) = _t212;
                                  												 *((intOrPtr*)(_t227 - 0x28)) = 4;
                                  												 *((intOrPtr*)(_t227 - 0x38)) = 0x41b65c;
                                  												 *(_t227 - 4) = 1;
                                  												E004115E3(_t175, _t212, __eflags,  *(_t227 + 8), _t227 - 0x4c, _t227 - 0x38);
                                  												_t177 = 0;
                                  												__eflags =  *(_t224 + 8);
                                  												 *(_t227 + 0x10) = 0;
                                  												if( *(_t224 + 8) <= 0) {
                                  													L47:
                                  													 *(_t227 - 4) =  *(_t227 - 4) & 0x00000000;
                                  													E00405858(_t227 - 0x38);
                                  													 *(_t227 - 4) =  *(_t227 - 4) | 0xffffffff;
                                  													E00405858(_t227 - 0x4c);
                                  													_t175 =  *((intOrPtr*)(_t227 - 0x14));
                                  													goto L50;
                                  												} else {
                                  													goto L40;
                                  												}
                                  												do {
                                  													L40:
                                  													_t218 =  *((intOrPtr*)( *((intOrPtr*)(_t224 + 0xc)) + _t177 * 4));
                                  													_t148 =  *( *((intOrPtr*)( *((intOrPtr*)(_t227 + 0xc)) + 0xc)) + _t177 * 4);
                                  													__eflags = _t148 - 1;
                                  													if(_t148 != 1) {
                                  														L43:
                                  														__eflags = _t148;
                                  														if(_t148 <= 0) {
                                  															goto L46;
                                  														}
                                  														_t219 = _t148;
                                  														do {
                                  															E0040FCC5( *((intOrPtr*)(_t227 + 0x14)), _t212,  *((intOrPtr*)( *(_t227 - 0x40) +  *(_t227 + 0x10))));
                                  															E0040DCD2( *((intOrPtr*)(_t227 + 0x18)), _t212,  *((intOrPtr*)( *(_t227 - 0x2c) +  *(_t227 + 0x10) * 4)));
                                  															 *(_t227 + 0x10) =  *(_t227 + 0x10) + 1;
                                  															_t219 = _t219 - 1;
                                  															__eflags = _t219;
                                  														} while (_t219 != 0);
                                  														goto L46;
                                  													}
                                  													__eflags =  *((char*)(_t218 + 0x54));
                                  													if( *((char*)(_t218 + 0x54)) == 0) {
                                  														goto L43;
                                  													}
                                  													E0040FCC5( *((intOrPtr*)(_t227 + 0x14)), _t212, _t148);
                                  													E0040DCD2( *((intOrPtr*)(_t227 + 0x18)), _t212,  *((intOrPtr*)(_t218 + 0x50)));
                                  													L46:
                                  													_t177 = _t177 + 1;
                                  													__eflags = _t177 -  *(_t224 + 8);
                                  												} while (_t177 <  *(_t224 + 8));
                                  												goto L47;
                                  											} else {
                                  												 *(_t227 + 0x10) =  *(_t184 + 0xc);
                                  												do {
                                  													_t202 =  *((intOrPtr*)( *(_t227 + 0x10) + _t212 * 4));
                                  													__eflags = _t202 - 1;
                                  													if(_t202 != 1) {
                                  														L34:
                                  														_t64 = _t227 + 8;
                                  														 *_t64 =  *(_t227 + 8) + _t202;
                                  														__eflags =  *_t64;
                                  														goto L35;
                                  													}
                                  													_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t224 + 0xc)) + _t212 * 4));
                                  													__eflags =  *((char*)(_t159 + 0x54));
                                  													if( *((char*)(_t159 + 0x54)) != 0) {
                                  														goto L35;
                                  													}
                                  													goto L34;
                                  													L35:
                                  													 *(_t227 - 0x10) =  *(_t227 - 0x10) + _t202;
                                  													_t212 = _t212 + 1;
                                  													__eflags = _t212 - _t215;
                                  												} while (_t212 < _t215);
                                  												L36:
                                  												_t212 = 0;
                                  												__eflags = 0;
                                  												goto L37;
                                  											}
                                  										} else {
                                  											goto L18;
                                  										}
                                  										do {
                                  											L18:
                                  											_t162 =  *((intOrPtr*)( *(_t184 + 0xc) + _t214 * 4));
                                  											__eflags = _t162 - _t212;
                                  											if(_t162 == _t212) {
                                  												goto L26;
                                  											}
                                  											__eflags = _t162 - 1;
                                  											 *(_t227 - 0x24) = _t212;
                                  											 *(_t227 - 0x20) = _t212;
                                  											if(_t162 <= 1) {
                                  												L25:
                                  												_t164 = E0040FB33( *((intOrPtr*)( *((intOrPtr*)(_t224 + 0xc)) + _t214 * 4)));
                                  												asm("sbb edx, [ebp-0x20]");
                                  												E00412D31( *(_t227 + 0x10), _t212, _t164 -  *(_t227 - 0x24), _t212);
                                  												_t184 =  *((intOrPtr*)(_t227 + 0xc));
                                  												_t212 = 0;
                                  												__eflags = 0;
                                  												goto L26;
                                  											}
                                  											_t167 = _t162 - 1;
                                  											__eflags = _t167;
                                  											 *(_t227 + 8) = _t167;
                                  											do {
                                  												__eflags =  *(_t227 - 0x1c) - 9;
                                  												if( *(_t227 - 0x1c) == 9) {
                                  													__eflags =  *(_t227 - 0x18) - _t212;
                                  													if( *(_t227 - 0x18) == _t212) {
                                  														_t220 = E00410F9F( *((intOrPtr*)(_t175 + 0x18)), _t212);
                                  														E00412D31( *(_t227 + 0x10), _t212, _t220, _t212);
                                  														 *(_t227 - 0x24) =  *(_t227 - 0x24) + _t220;
                                  														_t214 =  *(_t227 - 0x10);
                                  														asm("adc [ebp-0x20], ebx");
                                  														_t175 =  *((intOrPtr*)(_t227 - 0x14));
                                  														_t212 = 0;
                                  														__eflags = 0;
                                  													}
                                  												}
                                  												_t36 = _t227 + 8;
                                  												 *_t36 =  *(_t227 + 8) - 1;
                                  												__eflags =  *_t36;
                                  											} while ( *_t36 != 0);
                                  											goto L25;
                                  											L26:
                                  											_t214 = _t214 + 1;
                                  											__eflags = _t214 -  *((intOrPtr*)(_t184 + 8));
                                  											 *(_t227 - 0x10) = _t214;
                                  										} while (_t214 <  *((intOrPtr*)(_t184 + 8)));
                                  										goto L27;
                                  									}
                                  									_t221 = 0;
                                  									__eflags =  *(_t224 + 8) - _t212;
                                  									if( *(_t224 + 8) <= _t212) {
                                  										goto L17;
                                  									} else {
                                  										goto L15;
                                  									}
                                  									do {
                                  										L15:
                                  										E0040DCD2( *((intOrPtr*)(_t227 + 0xc)), _t212, 1);
                                  										_t221 = _t221 + 1;
                                  										__eflags = _t221 -  *(_t224 + 8);
                                  									} while (_t221 <  *(_t224 + 8));
                                  									_t212 = 0;
                                  									__eflags = 0;
                                  									goto L17;
                                  								}
                                  								E00410F8C( *((intOrPtr*)(_t175 + 0x18)), _t212);
                                  								while(1) {
                                  									_t132 = E00410F9F( *((intOrPtr*)(_t175 + 0x18)), _t212);
                                  									_t183 = _t212;
                                  									 *(_t227 - 0x1c) = _t132;
                                  									 *(_t227 - 0x18) = _t183;
                                  									if(_t132 != 0xd) {
                                  										goto L6;
                                  									}
                                  									goto L2;
                                  								}
                                  								goto L6;
                                  							}
                                  							__eflags = _t183 - _t212;
                                  							if(_t183 == _t212) {
                                  								goto L13;
                                  							}
                                  							goto L11;
                                  						}
                                  						__eflags = _t183 - _t212;
                                  						if(_t183 == _t212) {
                                  							goto L13;
                                  						}
                                  						goto L9;
                                  					}
                                  					_t222 = 0;
                                  					if( *(_t224 + 8) <= 0) {
                                  						continue;
                                  					} else {
                                  						goto L4;
                                  					}
                                  					do {
                                  						L4:
                                  						E0040DCD2( *((intOrPtr*)(_t227 + 0xc)), 0, E0041103B(0));
                                  						_t222 = _t222 + 1;
                                  					} while (_t222 <  *(_t224 + 8));
                                  					continue;
                                  					L6:
                                  					_t212 = 0;
                                  					__eflags = 0;
                                  					goto L7;
                                  				}
                                  			}































                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0041195C
                                    • Part of subcall function 004058F1: _CxxThrowException.MSVCRT(?,0041C9B8), ref: 0040591D
                                    • Part of subcall function 004058F1: _CxxThrowException.MSVCRT(?,0041C9B8), ref: 00405944
                                    • Part of subcall function 004058F1: _CxxThrowException.MSVCRT(?,0041C9B8), ref: 00405966
                                    • Part of subcall function 004058F1: memmove.MSVCRT ref: 00405977
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionThrow$H_prologmemmove
                                  • String ID:
                                  • API String ID: 3763263730-0
                                  • Opcode ID: f729af51dd5b815e6a4b60b639ca76d28a5162b114168d49421da5863d00ff47
                                  • Instruction ID: b7d72ca417b935310c840248906b6b8e24b20e16e8d24461bb1135df4a4af604
                                  • Opcode Fuzzy Hash: f729af51dd5b815e6a4b60b639ca76d28a5162b114168d49421da5863d00ff47
                                  • Instruction Fuzzy Hash: 2FA12A70E006099FCB18DF55C4919EEBBB2FF94354F14842FE916A7261D778AD82CB88
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E004155D7(signed int __ecx) {
                                  				signed int _v8;
                                  				signed int _v12;
                                  				signed int _v16;
                                  				unsigned int _v20;
                                  				signed int _v24;
                                  				intOrPtr _v32;
                                  				signed int _v36;
                                  				signed int _v38;
                                  				signed char _v39;
                                  				char _v40;
                                  				void* __ebx;
                                  				unsigned int _t145;
                                  				void* _t146;
                                  				unsigned int _t147;
                                  				unsigned int _t150;
                                  				signed short* _t158;
                                  				void* _t159;
                                  				signed int _t161;
                                  				signed int _t162;
                                  				intOrPtr _t165;
                                  				unsigned int _t167;
                                  				void* _t180;
                                  				void* _t184;
                                  				signed int _t187;
                                  				signed short* _t189;
                                  				unsigned int _t190;
                                  				unsigned int _t191;
                                  				intOrPtr _t193;
                                  				short* _t194;
                                  				signed int _t196;
                                  				signed short* _t201;
                                  				signed int _t204;
                                  				unsigned int _t205;
                                  				signed char _t209;
                                  				signed int _t210;
                                  				char _t217;
                                  				signed int _t229;
                                  				unsigned int _t232;
                                  				intOrPtr _t240;
                                  				intOrPtr _t241;
                                  				intOrPtr _t245;
                                  				signed short* _t246;
                                  				void* _t248;
                                  				intOrPtr _t250;
                                  				intOrPtr _t251;
                                  				signed int _t263;
                                  				signed int _t277;
                                  				signed short* _t278;
                                  				signed int _t281;
                                  				signed int _t288;
                                  
                                  				_t196 = __ecx;
                                  				asm("movsd");
                                  				asm("movsw");
                                  				_t198 = 0;
                                  				if(_v39 >= 0x1f) {
                                  					L13:
                                  					if( *((intOrPtr*)(_t196 + 0x7b4)) != 0) {
                                  						_t242 = _v40;
                                  						 *((char*)( *((intOrPtr*)(_t196 + 0x154)))) = _v40;
                                  						 *((intOrPtr*)(_t196 + 0x154)) =  *((intOrPtr*)(_t196 + 0x154)) + 1;
                                  						_t145 =  *((intOrPtr*)(_t196 + 0x154));
                                  						_v20 = _t145;
                                  						if(_t145 >=  *((intOrPtr*)(_t196 + 0x158))) {
                                  							L66:
                                  							_t146 = E00414E85(_t196, _t242);
                                  							 *(_t196 + 0xbc4) =  *(_t196 + 0xbc4) & 0x00000000;
                                  							 *(_t196 + 0xbc5) =  *(_t196 + 0xbc5) | 0x000000ff;
                                  							return _t146;
                                  						}
                                  						_t242 = (_v36 & 0x0000ffff) << 0x00000010 | _v38 & 0x0000ffff;
                                  						if(_t242 == 0) {
                                  							_t147 = _t145 -  *((intOrPtr*)(_t196 + 0x144));
                                  							_t245 =  *((intOrPtr*)(_t196 + 0x7a8));
                                  							 *(_t245 + 2) = _t147;
                                  							 *((short*)(_t245 + 4)) = _t147 >> 0x10;
                                  							_t150 =  *(_t196 + 0x7a0) -  *((intOrPtr*)(_t196 + 0x144));
                                  							_v38 = _t150;
                                  							_v36 = _t150 >> 0x10;
                                  							L33:
                                  							_t201 =  *(_t196 + 0x7a0);
                                  							_t242 = _v39 & 0x000000ff;
                                  							_t277 =  *_t201 & 0x0000ffff;
                                  							_v16 = _t277;
                                  							_t278 =  *(_t196 + 0x7a4);
                                  							_v24 = _t242;
                                  							_v32 = (_t201[1] & 0x0000ffff) - _t242 - _t277 + 1;
                                  							_v8 = _t278;
                                  							if(_t278 == _t201) {
                                  								L64:
                                  								_t204 = (_v36 & 0x0000ffff) << 0x00000010 | _v38 & 0x0000ffff;
                                  								if(_t204 != 0) {
                                  									_t158 =  *((intOrPtr*)(_t196 + 0x144)) + _t204;
                                  								} else {
                                  									_t158 = 0;
                                  								}
                                  								 *(_t196 + 0x7a0) = _t158;
                                  								 *(_t196 + 0x7a4) = _t158;
                                  								return _t158;
                                  							}
                                  							while(1) {
                                  								_t205 =  *_t278 & 0x0000ffff;
                                  								_v12 = _t205;
                                  								if(_t205 == 1) {
                                  									goto L47;
                                  								}
                                  								if((_t205 & 0x00000001) != 0) {
                                  									L46:
                                  									_t246 =  &(_t278[1]);
                                  									asm("sbb eax, eax");
                                  									asm("sbb ecx, ecx");
                                  									asm("sbb ecx, ecx");
                                  									 *_t246 = _t278[1] +  ~(_v12 + _v12) + ((_t205 << 0x00000003) + 0x00000001 & (_v12 << 0x00000002) + 0x00000001) * 2;
                                  									L52:
                                  									_t161 =  *_t246 & 0x0000ffff;
                                  									_t162 = _t161 + _v32;
                                  									if((_t161 + 6) * _v24 << 1 >= _t162 + _t162 * 2 << 1) {
                                  										asm("sbb esi, esi");
                                  										asm("sbb edi, edi");
                                  										asm("sbb eax, eax");
                                  										_t217 = 1 + _t162 * 0xf + (_t162 + _t162 * 2 << 2) + 1 + _t162 + _t162 * 8 + 5;
                                  										 *_t246 =  *_t246 + _t217;
                                  										_t281 = _v8;
                                  									} else {
                                  										asm("sbb edi, edi");
                                  										asm("sbb eax, eax");
                                  										_t217 = (_t162 << 2) + 1 +  ~_t162 + 1;
                                  										 *_t246 =  *_t246 + 3;
                                  									}
                                  									_t165 =  *((intOrPtr*)(_t281 + 4));
                                  									if(_t165 != 0) {
                                  										_t248 =  *((intOrPtr*)(_t196 + 0x144)) + _t165;
                                  									} else {
                                  										_t248 = 0;
                                  									}
                                  									_t263 = _v12;
                                  									_t242 = _t248 + (_t263 + _t263 * 2) * 2;
                                  									_t167 = _v20;
                                  									if(_t167 != 0) {
                                  										_t167 = _t167 -  *((intOrPtr*)(_t196 + 0x144));
                                  									}
                                  									 *(_t242 + 2) = _t167;
                                  									 *((char*)(_t242 + 1)) = _t217;
                                  									 *((short*)(_t242 + 4)) = _t167 >> 0x10;
                                  									 *_t242 = _v40;
                                  									 *_t281 = _t263 + 1;
                                  									_t288 =  *(_t281 + 8);
                                  									if(_t288 != 0) {
                                  										_v8 =  *((intOrPtr*)(_t196 + 0x144)) + _t288;
                                  									} else {
                                  										_v8 = _v8 & _t288;
                                  									}
                                  									if(_v8 !=  *(_t196 + 0x7a0)) {
                                  										_t278 = _v8;
                                  										continue;
                                  									} else {
                                  										goto L64;
                                  									}
                                  								}
                                  								_t242 = _t278[2];
                                  								if(_t242 != 0) {
                                  									_t179 =  *((intOrPtr*)(_t196 + 0x144)) + _t242;
                                  								} else {
                                  									_t179 = 0;
                                  								}
                                  								_t180 = E004159C9(_t196, _t179, _t205 >> 1);
                                  								if(_t180 != 0) {
                                  									_t229 = _t180 -  *((intOrPtr*)(_t196 + 0x144));
                                  								} else {
                                  									_t229 = 0;
                                  								}
                                  								_t278[2] = _t229;
                                  								if(_t180 == 0) {
                                  									goto L66;
                                  								} else {
                                  									_t205 = _v12;
                                  									goto L46;
                                  								}
                                  								L47:
                                  								_t159 = E004150BB(_t196, 1);
                                  								if(_t159 == 0) {
                                  									goto L66;
                                  								}
                                  								_t246 =  &(_t278[1]);
                                  								asm("movsd");
                                  								asm("movsw");
                                  								 *((intOrPtr*)(_v8 + 4)) = _t159 -  *((intOrPtr*)(_t196 + 0x144));
                                  								_t209 =  *(_t159 + 1);
                                  								if(_t209 >= 0x1e) {
                                  									 *(_t159 + 1) = 0x78;
                                  								} else {
                                  									 *(_t159 + 1) = _t209 << 1;
                                  								}
                                  								_t281 = _v8;
                                  								_t210 = 3;
                                  								asm("sbb ecx, ecx");
                                  								 *_t246 =  ~_t210 +  *((intOrPtr*)(_t196 + 0x7b0)) + ( *(_t159 + 1) & 0x000000ff);
                                  								goto L52;
                                  							}
                                  						}
                                  						if(_t242 == 0 ||  *((intOrPtr*)(_t196 + 0x144)) + _t242 <= _t145) {
                                  							_t184 = E00415A2F(_t196, _t196, 0, _t198);
                                  							if(_t184 != 0) {
                                  								_t232 = _t184 -  *((intOrPtr*)(_t196 + 0x144));
                                  							} else {
                                  								_t232 = 0;
                                  							}
                                  							_v38 = _t232;
                                  							_v36 = _t232 >> 0x10;
                                  							if(_t184 == 0) {
                                  								goto L66;
                                  							} else {
                                  								goto L27;
                                  							}
                                  						} else {
                                  							L27:
                                  							_t44 = _t196 + 0x7b4;
                                  							 *_t44 =  *((intOrPtr*)(_t196 + 0x7b4)) - 1;
                                  							if( *_t44 == 0) {
                                  								_t187 = (_v36 & 0x0000ffff) << 0x00000010 | _v38 & 0x0000ffff;
                                  								if(_t187 != 0) {
                                  									_v20 =  *((intOrPtr*)(_t196 + 0x144)) + _t187;
                                  								} else {
                                  									_v20 = 0;
                                  								}
                                  								 *((intOrPtr*)(_t196 + 0x154)) =  *((intOrPtr*)(_t196 + 0x154)) - (0 |  *(_t196 + 0x7a4) !=  *(_t196 + 0x7a0));
                                  							}
                                  							goto L33;
                                  						}
                                  					}
                                  					_t189 = E00415A2F(_t196, _t196, 1, _t198);
                                  					 *(_t196 + 0x7a4) = _t189;
                                  					 *(_t196 + 0x7a0) = _t189;
                                  					if(_t189 != 0) {
                                  						_t190 = _t189 -  *((intOrPtr*)(_t196 + 0x144));
                                  					} else {
                                  						_t190 = 0;
                                  					}
                                  					_t240 =  *((intOrPtr*)(_t196 + 0x7a8));
                                  					 *(_t240 + 2) = _t190;
                                  					_t191 = _t190 >> 0x10;
                                  					 *(_t240 + 4) = _t191;
                                  					if( *(_t196 + 0x7a0) == 0) {
                                  						goto L66;
                                  					} else {
                                  						return _t191;
                                  					}
                                  				}
                                  				_t193 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x7a0)) + 8));
                                  				if(_t193 == 0) {
                                  					goto L13;
                                  				}
                                  				_t241 =  *((intOrPtr*)(__ecx + 0x144));
                                  				_t194 = _t193 + _t241;
                                  				if( *_t194 == 1) {
                                  					_t198 = _t194 + 2;
                                  					 *(_t194 + 3) = _t242;
                                  					goto L13;
                                  				}
                                  				_t250 =  *((intOrPtr*)(_t194 + 4));
                                  				if(_t250 != 0) {
                                  					_t198 = _t241 + _t250;
                                  				} else {
                                  					_t198 = 0;
                                  				}
                                  				_t251 = _v40;
                                  				if( *_t198 == _t251) {
                                  					L10:
                                  					_t242 =  *(_t198 + 1);
                                  					if(_t242 < 0x73) {
                                  						 *(_t198 + 1) = _t242;
                                  						 *((short*)(_t194 + 2)) =  *((short*)(_t194 + 2)) + 2;
                                  					}
                                  					goto L13;
                                  				} else {
                                  					goto L7;
                                  					L7:
                                  					_t198 = _t198 + 6;
                                  					if( *_t198 != _t251) {
                                  						goto L7;
                                  					} else {
                                  						if( *(_t198 + 1) >=  *((intOrPtr*)(_t198 - 5))) {
                                  							asm("movsd");
                                  							_t12 = _t198 - 6; // -12
                                  							asm("movsw");
                                  							asm("movsd");
                                  							asm("movsw");
                                  							asm("movsd");
                                  							asm("movsw");
                                  							_t198 = _t12;
                                  						}
                                  						goto L10;
                                  					}
                                  				}
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 07e337b5a94b9f233629b808c44dd0c8168d5e53dcb01da2cf7c8b99d02b393c
                                  • Instruction ID: 50c4907fdb5686041013ba1699d33e211b5cd1502c5386425acfd33d69a34cf9
                                  • Opcode Fuzzy Hash: 07e337b5a94b9f233629b808c44dd0c8168d5e53dcb01da2cf7c8b99d02b393c
                                  • Instruction Fuzzy Hash: B7D1CE31A14651CFCB18CF28C5916FEB7B1EF84304F1945BAC84A9F346E778A885CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00417D65(signed int* __ecx, signed int* __edx, intOrPtr _a4, signed int _a8) {
                                  				signed int* _v8;
                                  				void* _v10;
                                  				void* _v11;
                                  				signed int _v12;
                                  				void* _v14;
                                  				void* _v15;
                                  				unsigned int _v16;
                                  				void* _v18;
                                  				void* _v19;
                                  				signed int _v20;
                                  				void* _v22;
                                  				signed int _v24;
                                  				void* _v26;
                                  				signed int _v28;
                                  				void* _v30;
                                  				void* _v31;
                                  				signed int _v32;
                                  				void* _v34;
                                  				signed int _v36;
                                  				void* _v38;
                                  				void* _v39;
                                  				signed int _v40;
                                  				signed int _t215;
                                  				signed int _t222;
                                  				unsigned int _t234;
                                  				signed int _t330;
                                  				signed int* _t338;
                                  				signed int* _t349;
                                  				unsigned int _t367;
                                  				signed int _t389;
                                  				signed int _t398;
                                  				signed int _t427;
                                  				signed int _t438;
                                  				signed int _t444;
                                  				signed int* _t448;
                                  				signed int* _t449;
                                  
                                  				_t448 = _a4 + (_a8 << 5);
                                  				_v8 = __edx;
                                  				_t389 = __ecx[3] ^ _t448[3];
                                  				_t234 = __ecx[1] ^ _t448[1];
                                  				_v32 = __ecx[2] ^ _t448[2];
                                  				_t444 =  *__ecx ^  *_t448;
                                  				_v36 = _t234;
                                  				_v40 = _t444;
                                  				_t449 = _t448 - 0x20;
                                  				_v28 = _t389;
                                  				_t215 =  *0x004238A0 ^  *0x00423CA0 ^  *(0x4240a0 + (_t234 >> 0x18) * 4) ^  *(0x4234a0 + (_t444 & 0x000000ff) * 4) ^ _t449[4];
                                  				_v24 = _t215;
                                  				_v16 =  *0x004238A0 ^  *0x00423CA0 ^  *(0x4240a0 + (_t389 >> 0x18) * 4) ^  *(0x4234a0 + (_v32 & 0x000000ff) * 4) ^ _t449[6];
                                  				_v12 =  *0x004238A0 ^  *0x00423CA0 ^  *(0x4240a0 + (_v40 >> 0x18) * 4) ^  *(0x4234a0 + (_t389 & 0x000000ff) * 4) ^ _t449[7];
                                  				_t330 =  *0x00423CA0 ^  *0x004238A0 ^  *(0x4240a0 + (_v32 >> 0x18) * 4) ^  *(0x4234a0 + (_v36 & 0x000000ff) * 4) ^ _t449[5];
                                  				_t398 = _a8 - 1;
                                  				_v20 = _t330;
                                  				if(_t398 != 0) {
                                  					_a8 = _t398;
                                  					do {
                                  						_t427 =  *0x004238A0 ^  *0x00423CA0 ^  *(0x4240a0 + (_t330 >> 0x18) * 4) ^  *(0x4234a0 + (_t215 & 0x000000ff) * 4) ^  *_t449;
                                  						_t449 = _t449 - 0x20;
                                  						_v40 = _t427;
                                  						_v32 =  *0x004238A0 ^  *0x00423CA0 ^  *(0x4240a0 + (_v12 >> 0x18) * 4) ^  *(0x4234a0 + (_v16 & 0x000000ff) * 4) ^ _t449[0xa];
                                  						_t438 =  *0x00423CA0 ^  *0x004238A0 ^  *(0x4240a0 + (_t215 >> 0x18) * 4) ^  *(0x4234a0 + (_v12 & 0x000000ff) * 4) ^ _t449[0xb];
                                  						_v28 = _t438;
                                  						_t367 =  *0x00423CA0 ^  *0x004238A0 ^  *(0x4240a0 + (_v16 >> 0x18) * 4) ^  *(0x4234a0 + (_v20 & 0x000000ff) * 4) ^ _t449[9];
                                  						_v36 = _t367;
                                  						_t215 =  *0x004238A0 ^  *0x00423CA0 ^  *(0x4240a0 + (_t367 >> 0x18) * 4) ^  *(0x4234a0 + (_v40 & 0x000000ff) * 4) ^ _t449[4];
                                  						_v24 = _t215;
                                  						_v16 =  *0x004238A0 ^  *0x00423CA0 ^  *(0x4240a0 + (_t438 >> 0x18) * 4) ^  *(0x4234a0 + (_v32 & 0x000000ff) * 4) ^ _t449[6];
                                  						_v12 =  *0x004238A0 ^  *0x00423CA0 ^  *(0x4240a0 + (_v40 >> 0x18) * 4) ^  *(0x4234a0 + (_t438 & 0x000000ff) * 4) ^ _t449[7];
                                  						_t166 =  &_a8;
                                  						 *_t166 = _a8 - 1;
                                  						_t330 =  *0x00423CA0 ^  *0x004238A0 ^  *(0x4240a0 + (_v32 >> 0x18) * 4) ^  *(0x4234a0 + (_v36 & 0x000000ff) * 4) ^ _t449[5];
                                  						_v20 = _t330;
                                  					} while ( *_t166 != 0);
                                  				}
                                  				_t338 = _v8;
                                  				 *_t338 = ((0 << 0x00000008 |  *0x004254A0 & 0x000000ff) << 0x00000008 |  *((_t215 & 0x000000ff) + 0x4254a0) & 0x000000ff) ^  *_t449;
                                  				_t338[1] = ((0 << 0x00000008 |  *0x004254A0 & 0x000000ff) << 0x00000008 |  *((_v20 & 0x000000ff) + 0x4254a0) & 0x000000ff) ^ _t449[1];
                                  				_t349 = _v8;
                                  				_t349[2] = ((0 << 0x00000008 |  *0x004254A0 & 0x000000ff) << 0x00000008 |  *((_v16 & 0x000000ff) + 0x4254a0) & 0x000000ff) ^ _t449[2];
                                  				_t222 =  *((_v12 & 0x000000ff) + 0x4254a0) & 0x000000ff;
                                  				_t349[3] = ((0 << 0x00000008 |  *0x004254A0 & 0x000000ff) << 0x00000008 | _t222) ^ _t449[3];
                                  				return _t222;
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21999edf9f68e47339310fbafa29f484992db34507cc70728053a3d1349e4b36
                                  • Instruction ID: 982be74e866e64969346f64a47763df6e2377029c9df503871eaabc4add09989
                                  • Opcode Fuzzy Hash: 21999edf9f68e47339310fbafa29f484992db34507cc70728053a3d1349e4b36
                                  • Instruction Fuzzy Hash: CBD1A434B002959FCB18DFA9E8E14AEBBF2FF8E3117C9816DC6469B351C6346612CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E004172D2() {
                                  				signed int _v4;
                                  				signed int _v8;
                                  				char _t17;
                                  				signed int _t24;
                                  				signed int _t26;
                                  				signed int _t30;
                                  				signed char _t42;
                                  				signed int _t47;
                                  				signed int _t50;
                                  				signed int _t51;
                                  				signed int _t52;
                                  				signed int _t70;
                                  				signed int _t89;
                                  				signed int _t92;
                                  				signed int _t93;
                                  				signed int _t95;
                                  				signed int _t98;
                                  				signed int _t101;
                                  				signed int _t110;
                                  
                                  				_t17 = 0;
                                  				do {
                                  					_t1 = _t17 + 0x421134; // 0x7b777c63
                                  					 *((char*)(( *_t1 & 0x000000ff) + 0x4254a0)) = _t17;
                                  					_t17 = _t17 + 1;
                                  				} while (_t17 < 0x100);
                                  				_t26 = 0;
                                  				do {
                                  					_t3 = _t26 + 0x421134; // 0x7b777c63
                                  					_t98 =  *_t3 & 0x000000ff;
                                  					asm("sbb eax, eax");
                                  					_t30 =  ~(_t98 & 0x00000080) & 0x1b ^ (_t98 & 0x0000007f) << 0x00000001;
                                  					_t92 = _t30 ^ _t98;
                                  					_t24 = _t26 << 2;
                                  					 *(_t24 + 0x4244a0) = ((_t92 << 0x00000008 | _t98) << 0x00000008 | _t98) << 0x00000008 | _t30;
                                  					_t70 = _t98 << 8;
                                  					 *(_t24 + 0x4248a0) = ((_t70 | _t98) << 0x00000008 | _t30) << 0x00000008 | _t92;
                                  					_t6 = _t26 + 0x4254a0; // 0xd56a0952
                                  					_t110 =  *_t6 & 0x000000ff;
                                  					 *(_t24 + 0x424ca0) = ((_t70 | _t30) << 0x00000008 | _t92) << 0x00000008 | _t98;
                                  					 *(_t24 + 0x4250a0) = ((_t30 << 0x00000008 | _t92) << 0x00000008 | _t98) << 0x00000008 | _t98;
                                  					asm("sbb ecx, ecx");
                                  					_t42 =  ~(_t110 & 0x00000080) & 0x1b ^ (_t110 & 0x0000007f) << 0x00000001;
                                  					_t93 = _t42;
                                  					asm("sbb ecx, ecx");
                                  					_v4 = _t93;
                                  					_t47 =  ~(_t42 & 0x00000080) & 0x1b ^ (_t93 & 0x0000007f) << 0x00000001;
                                  					_v8 = _t47;
                                  					asm("sbb edx, edx");
                                  					_t50 = (_t47 & 0x0000007f) << 0x00000001 ^  ~(_t47 & 0x00000080) & 0x1b;
                                  					_t101 = _t50 ^ _t110;
                                  					_t51 = _t50 ^ _v8;
                                  					_t89 = _t50 ^ _t93 ^ _t110;
                                  					_t95 = _t51 ^ _t110;
                                  					_t52 = _t51 ^ _v4;
                                  					 *(_t24 + 0x4234a0) = ((_t89 << 0x00000008 | _t95) << 0x00000008 | _t101) << 0x00000008 | _t52;
                                  					 *(_t24 + 0x4238a0) = ((_t95 << 0x00000008 | _t101) << 0x00000008 | _t52) << 0x00000008 | _t89;
                                  					_t26 = _t26 + 1;
                                  					 *(_t24 + 0x423ca0) = ((_t101 << 0x00000008 | _t52) << 0x00000008 | _t89) << 0x00000008 | _t95;
                                  					 *(_t24 + 0x4240a0) = ((_t52 << 0x00000008 | _t89) << 0x00000008 | _t95) << 0x00000008 | _t101;
                                  				} while (_t26 < 0x100);
                                  				return _t24;
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 26538aa9156fd5c9028c989121068367fb96e12860e6253e27be078388d9d6c0
                                  • Instruction ID: 6b8654dbbfcec4c91f4a35cf7066e1ffbce39b51eb31b9098bc33f83cd043fc0
                                  • Opcode Fuzzy Hash: 26538aa9156fd5c9028c989121068367fb96e12860e6253e27be078388d9d6c0
                                  • Instruction Fuzzy Hash: AD410A32F18A380E770C9D5D5C5917A7BC3DBCC692B89837ED2668A2C5EDF40415E29C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004187A0(signed char __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
                                  				signed char _t39;
                                  				signed int _t41;
                                  				signed char _t46;
                                  				signed char _t47;
                                  				signed int _t51;
                                  				signed int _t52;
                                  				signed int _t59;
                                  				signed int _t66;
                                  				signed int _t69;
                                  				intOrPtr _t71;
                                  				signed int _t73;
                                  				void* _t74;
                                  				signed int _t75;
                                  				intOrPtr _t76;
                                  
                                  				_t39 = __ecx;
                                  				_t75 = __edx;
                                  				_t71 = _a4;
                                  				_t76 = _a8;
                                  				if(_t71 != 0) {
                                  					while((_t75 & 0x00000007) != 0) {
                                  						_t69 =  *_t75 & 0x000000ff;
                                  						_t75 = _t75 + 1;
                                  						_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t69 ^ _t39 & 0x000000ff) * 4);
                                  						_t71 = _t71 - 1;
                                  						if(_t71 != 0) {
                                  							continue;
                                  						}
                                  						goto L3;
                                  					}
                                  				}
                                  				L3:
                                  				if(_t71 >= 0x10) {
                                  					_a4 = _t71;
                                  					_t73 = _t71 - 0x00000008 & 0xfffffff8;
                                  					_a4 = _a4 - _t73;
                                  					_t74 = _t73 + _t75;
                                  					_t41 = _t39 ^  *_t75;
                                  					_t46 =  *(_t75 + 4);
                                  					_t51 = _t46 & 0x000000ff;
                                  					do {
                                  						_t52 = _t46 & 0x000000ff;
                                  						_t47 = _t46 >> 0x10;
                                  						_t46 =  *(_t75 + 0xc);
                                  						_t66 =  *(_t76 + 0xc00 + _t51 * 4) ^  *(_t76 + 0x800 + _t52 * 4) ^  *(_t76 + 0x400 + (_t47 & 0x000000ff) * 4) ^  *(_t75 + 8) ^  *(_t76 + (_t47 & 0x000000ff) * 4) ^  *(_t76 + 0x1c00 + (_t41 & 0x000000ff) * 4);
                                  						_t75 = _t75 + 8;
                                  						_t51 = _t46 & 0x000000ff;
                                  						_t41 =  *(_t76 + 0x1000 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^ _t66 ^  *(_t76 + 0x1800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + 0x1400 + (_t41 >> 0x00000010 & 0x000000ff) * 4);
                                  					} while (_t75 != _t74);
                                  					_t39 = _t41 ^  *_t75;
                                  					_t71 = _a4;
                                  				}
                                  				if(_t71 != 0) {
                                  					do {
                                  						_t59 =  *_t75 & 0x000000ff;
                                  						_t75 = _t75 + 1;
                                  						_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t59 ^ _t39 & 0x000000ff) * 4);
                                  						_t71 = _t71 - 1;
                                  					} while (_t71 != 0);
                                  				}
                                  				return _t39;
                                  			}

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f5dd7929ecdafffd95b1f3e926932b610952614e7737c84ca0b7b3c4964c7710
                                  • Instruction ID: 571891b8283b860a08e6b5fc1d68e73366d3ce22e077e660a38a7bec9d809f5f
                                  • Opcode Fuzzy Hash: f5dd7929ecdafffd95b1f3e926932b610952614e7737c84ca0b7b3c4964c7710
                                  • Instruction Fuzzy Hash: C521F5315006248BC716EE2EE8C05F773E2EBC4355F638A2FE9D443280D638A855C7A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E00408172(signed int _a4, intOrPtr _a8, signed int* _a12) {
                                  				void* _t28;
                                  				signed int _t30;
                                  				intOrPtr* _t36;
                                  				void* _t37;
                                  				intOrPtr* _t38;
                                  				signed int _t39;
                                  				void* _t41;
                                  				void* _t42;
                                  				signed int _t43;
                                  				void* _t45;
                                  				signed int _t46;
                                  				signed int _t53;
                                  				intOrPtr _t57;
                                  				signed int _t58;
                                  
                                  				_t57 = _a8;
                                  				_t41 = 0x10;
                                  				_push(_t41);
                                  				_push(0x41b2e8);
                                  				_push(_t57);
                                  				L00418302();
                                  				if(_t28 == 0) {
                                  					_t39 = _a4;
                                  					 *_a12 = _t39;
                                  					L2:
                                  					 *((intOrPtr*)( *_t39 + 4))(_t39);
                                  					L23:
                                  					return 0;
                                  				}
                                  				_push(_t41);
                                  				_push(0x41b2b8);
                                  				_push(_t57);
                                  				L00418302();
                                  				if(_t28 == 0) {
                                  					_t39 = _a4;
                                  					_t46 = _t39;
                                  					_t53 = _t39 + 4;
                                  					L13:
                                  					asm("sbb ecx, ecx");
                                  					 *_a12 =  ~_t46 & _t53;
                                  					goto L2;
                                  				}
                                  				_push(_t41);
                                  				_push(0x41b358);
                                  				_push(_t57);
                                  				L00418302();
                                  				if(_t28 == 0) {
                                  					_t39 = _a4;
                                  					_t46 = _t39;
                                  					_t53 = _t39 + 8;
                                  					goto L13;
                                  				}
                                  				_push(_t41);
                                  				_push(0x41b2a8);
                                  				_push(_t57);
                                  				L00418302();
                                  				if(_t28 == 0) {
                                  					_t39 = _a4;
                                  					_t46 = _t39;
                                  					_t53 = _t39 + 0xc;
                                  					goto L13;
                                  				}
                                  				_push(_t41);
                                  				_push(0x41b348);
                                  				_push(_t57);
                                  				L00418302();
                                  				if(_t28 == 0) {
                                  					_t39 = _a4;
                                  					_t46 = _t39;
                                  					_t53 = _t39 + 0x10;
                                  					goto L13;
                                  				}
                                  				_push(_t41);
                                  				_push(0x41b308);
                                  				_push(_t57);
                                  				L00418302();
                                  				if(_t28 == 0) {
                                  					_t39 = _a4;
                                  					_t46 = _t39;
                                  					_t53 = _t39 + 0x14;
                                  					goto L13;
                                  				}
                                  				_push(_t41);
                                  				_push(0x41b288);
                                  				_push(_t57);
                                  				L00418302();
                                  				if(_t28 != 0) {
                                  					_push(_t41);
                                  					_push(0x41b2d8);
                                  					_push(_t57);
                                  					L00418302();
                                  					if(_t28 != 0) {
                                  						return 0x80004002;
                                  					}
                                  					_t58 = _a4;
                                  					_t42 = _t58 + 0x54;
                                  					if( *((intOrPtr*)(_t58 + 0x54)) != _t28) {
                                  						L21:
                                  						_t30 = _t58;
                                  						_t43 = _t58 + 0x1c;
                                  						goto L22;
                                  					}
                                  					_t36 =  *((intOrPtr*)(_t58 + 0x58));
                                  					_t37 =  *((intOrPtr*)( *_t36))(_t36, 0x41b2d8, _t42);
                                  					if(_t37 == 0) {
                                  						goto L21;
                                  					}
                                  				} else {
                                  					_t58 = _a4;
                                  					_t45 = _t58 + 0x50;
                                  					if( *((intOrPtr*)(_t58 + 0x50)) != _t28) {
                                  						L17:
                                  						_t30 = _t58;
                                  						_t43 = _t58 + 0x18;
                                  						L22:
                                  						asm("sbb eax, eax");
                                  						 *_a12 =  ~_t30 & _t43;
                                  						 *((intOrPtr*)( *_t58 + 4))(_t58);
                                  						goto L23;
                                  					}
                                  					_t38 =  *((intOrPtr*)(_t58 + 0x58));
                                  					_t37 =  *((intOrPtr*)( *_t38))(_t38, 0x41b288, _t45);
                                  					if(_t37 == 0) {
                                  						goto L17;
                                  					}
                                  				}
                                  				return _t37;
                                  			}


                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: memcmp
                                  • String ID:
                                  • API String ID: 1475443563-0
                                  • Opcode ID: 8750fcf5eb5b5cdfdc18e7f07f8582a922fc7bcd6371f36f22ad418cf9ff850b
                                  • Instruction ID: c89adc62cd645fe3c47e95865000ac7c325ff294760868f42c01f48ee5ab8fb5
                                  • Opcode Fuzzy Hash: 8750fcf5eb5b5cdfdc18e7f07f8582a922fc7bcd6371f36f22ad418cf9ff850b
                                  • Instruction Fuzzy Hash: D041BF72600604AFD714CF21CD85EAB33A8EF60744714456EFC86DB380EB78EE458799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E004057A5(void* __edi) {
                                  				short* _t31;
                                  				int _t37;
                                  				void* _t51;
                                  				short** _t55;
                                  				void* _t58;
                                  
                                  				E004182C0(E00418F58, _t58);
                                  				 *((intOrPtr*)(_t58 - 0x10)) = 0;
                                  				 *(_t58 - 0x1c) = 0;
                                  				 *(_t58 - 0x18) = 0;
                                  				 *((intOrPtr*)(_t58 - 0x14)) = 0;
                                  				E00404630(_t58 - 0x1c, 0xf);
                                  				_t55 =  *(_t58 + 0xc);
                                  				 *((intOrPtr*)(_t58 - 4)) = 0;
                                  				_t31 = _t55[1];
                                  				if(_t31 != 0) {
                                  					_t51 = _t31 + _t31;
                                  					 *(_t58 + 0xf) = 0x5f;
                                  					if(_t51 >=  *((intOrPtr*)(_t58 - 0x14))) {
                                  						E00404630(_t58 - 0x1c, _t51 + 1);
                                  					}
                                  					_t37 = WideCharToMultiByte( *(_t58 + 0x10), 0,  *_t55, _t55[1],  *(_t58 - 0x1c), _t51 + 1, _t58 + 0xf, 0);
                                  					if(_t37 == 0) {
                                  						_t37 = _t58 + 8;
                                  						_push(0x41c9b8);
                                  						_push(_t37);
                                  						 *(_t58 + 8) = 0x44e75;
                                  						L004182FC();
                                  					}
                                  					( *(_t58 - 0x1c))[_t37] = 0;
                                  					 *(_t58 - 0x18) = _t37;
                                  				}
                                  				E00405205(E00404569( *(_t58 + 8), _t58 - 0x1c),  *(_t58 - 0x1c));
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
                                  				return  *(_t58 + 8);
                                  			}









                                  APIs
                                  • __EH_prolog.LIBCMT ref: 004057AA
                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000003,?,?,0000005F,00000000,U @,0000000F,?,00000000,?,?,?,?), ref: 00405807
                                  • _CxxThrowException.MSVCRT(?,0041C9B8), ref: 00405822
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ByteCharExceptionH_prologMultiThrowWide
                                  • String ID: U @$_
                                  • API String ID: 3835594019-3963959451
                                  • Opcode ID: 2829a60c5044020084b8241e491b9007ac5c84edafe6d68c9c97b4735c49af35
                                  • Instruction ID: 4b3f7305aa6a0e7144da191a8e6dbb194a667bbfcc7c172d56d4ab6d186bbb2d
                                  • Opcode Fuzzy Hash: 2829a60c5044020084b8241e491b9007ac5c84edafe6d68c9c97b4735c49af35
                                  • Instruction Fuzzy Hash: AF212CB190014AEFCB10DF95D8819EFBBB9FF44344F50842EE915A7281C738AA45CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E00402D9E(char* _a4) {
                                  				char _v12;
                                  				char _v44;
                                  				short* _t11;
                                  				FILETIME* _t22;
                                  
                                  				_t1 =  &_a4; // 0x75e80a6a
                                  				_t11 =  *_t1;
                                  				if( *_t11 != 0x40) {
                                  					_t2 =  &_a4; // 0x75e80a6a
                                  					_t11 = _t2;
                                  					_push(0x41c200);
                                  					_push(_t11);
                                  					_a4 = "incorrect item";
                                  					L004182FC();
                                  				}
                                  				_t4 = _t11 + 8; // 0x8
                                  				_t22 = _t4;
                                  				if(E00402D85(_t22) != 0) {
                                  					L7:
                                  					_push( *0x4206f0);
                                  				} else {
                                  					_t5 =  &_v12; // 0x75e80a6a
                                  					if(FileTimeToLocalFileTime(_t22, _t5) == 0) {
                                  						_t6 =  &_a4; // 0x75e80a6a
                                  						_push(0x41c200);
                                  						_a4 = "FileTimeToLocalFileTime error";
                                  						L004182FC();
                                  					}
                                  					_t9 =  &_v12; // 0x75e80a6a
                                  					if(E0040776A(_t9,  &_v44, 1, 1) == 0) {
                                  						goto L7;
                                  					} else {
                                  						_push( &_v44);
                                  					}
                                  				}
                                  				return E0040541C(0x421290);
                                  			}








                                  APIs
                                  • _CxxThrowException.MSVCRT(ju,0041C200), ref: 00402DBE
                                  • FileTimeToLocalFileTime.KERNEL32(?,ju,?,0040540E,?,?,?,?,?,00402F0D,00000000,?,75E80A6A, = ), ref: 00402DD5
                                  • _CxxThrowException.MSVCRT(ju,0041C200), ref: 00402DEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionFileThrowTime$Local
                                  • String ID: ju$ju
                                  • API String ID: 2485030866-2926819687
                                  • Opcode ID: b93541c4add7907b2bfcae4dacf93811addccdb6fcfa06a7b9eebdb8b5522b82
                                  • Instruction ID: 0de38bce6e39b93f9aeb1f929d93bd6b4b4c49a596eb269ce06402985fa1602a
                                  • Opcode Fuzzy Hash: b93541c4add7907b2bfcae4dacf93811addccdb6fcfa06a7b9eebdb8b5522b82
                                  • Instruction Fuzzy Hash: D6014C71540118AACB10EB91DD89EDE3BACAF08344F408067F900B61C2E7B89A9587ED
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00404A27(signed int* __ecx) {
                                  				signed int _t113;
                                  				signed int _t118;
                                  				short* _t128;
                                  				signed int* _t129;
                                  				signed int _t130;
                                  				void* _t131;
                                  				signed int _t133;
                                  				signed int _t134;
                                  				signed int _t137;
                                  				signed int _t139;
                                  				signed int _t147;
                                  				void* _t156;
                                  				void* _t157;
                                  				signed int _t164;
                                  				signed int _t167;
                                  				intOrPtr _t171;
                                  				intOrPtr _t172;
                                  				signed int _t179;
                                  				signed int _t187;
                                  				signed int _t189;
                                  				signed int _t191;
                                  				intOrPtr _t192;
                                  				signed int _t193;
                                  				char* _t195;
                                  				intOrPtr* _t198;
                                  				void* _t201;
                                  
                                  				E004182C0(E00418E94, _t201);
                                  				_t195 =  *(_t201 + 8);
                                  				 *(_t201 - 0x1c) = __ecx;
                                  				_t187 = _t195[4];
                                  				 *(_t201 - 0x18) = _t187;
                                  				if(_t187 == 0) {
                                  					L2:
                                  					_t113 = 0;
                                  					L58:
                                  					 *[fs:0x0] =  *((intOrPtr*)(_t201 - 0xc));
                                  					return _t113;
                                  				}
                                  				_t164 = 0;
                                  				if(E00404D10( *( *_t195)) != 0) {
                                  					__eflags = _t187;
                                  					if(_t187 <= 0) {
                                  						L57:
                                  						_t113 = 1;
                                  						goto L58;
                                  					} else {
                                  						while(1) {
                                  							_t197 =  *_t195;
                                  							_t118 = E00404D10( *((intOrPtr*)( *_t195 + _t164 * 2)));
                                  							__eflags = _t118;
                                  							if(_t118 != 0) {
                                  								_t164 = _t164 + 1;
                                  								__eflags = _t164;
                                  							}
                                  							 *(_t201 - 0x14) =  *(_t201 - 0x14) | 0xffffffff;
                                  							_t167 = 0;
                                  							__eflags =  *( *(_t201 - 0x1c));
                                  							 *(_t201 - 0x20) = 0;
                                  							 *(_t201 - 0x10) = 0;
                                  							if( *( *(_t201 - 0x1c)) <= 0) {
                                  								break;
                                  							}
                                  							_t198 =  *((intOrPtr*)(_t201 + 0xc));
                                  							do {
                                  								_t128 =  *_t198;
                                  								_t189 = 0;
                                  								__eflags = 0;
                                  								while(1) {
                                  									__eflags =  *_t128;
                                  									if( *_t128 == 0) {
                                  										goto L13;
                                  									}
                                  									_t189 = _t189 + 1;
                                  									_t128 = _t128 + 2;
                                  								}
                                  								L13:
                                  								__eflags = _t189 -  *(_t201 - 0x14);
                                  								if(_t189 >  *(_t201 - 0x14)) {
                                  									__eflags = _t189 + _t164 -  *(_t201 - 0x18);
                                  									if(_t189 + _t164 <=  *(_t201 - 0x18)) {
                                  										E00401DBF(_t201 - 0x34,  *( *(_t201 + 8)) + _t164 * 2);
                                  										 *(_t201 - 4) =  *(_t201 - 4) & 0x00000000;
                                  										_t156 = E00404E3B(_t201 - 0x34, _t201 - 0x4c, _t189);
                                  										 *(_t201 - 4) = 1;
                                  										_t157 = E00401E63(_t201 - 0x34, _t156);
                                  										 *(_t201 - 4) =  *(_t201 - 4) & 0x00000000;
                                  										E00405205(_t157,  *((intOrPtr*)(_t201 - 0x4c)));
                                  										_t159 = E00405668( *((intOrPtr*)(_t201 - 0x34)),  *_t198);
                                  										__eflags = _t159;
                                  										if(_t159 == 0) {
                                  											_t159 =  *(_t201 - 0x10);
                                  											 *(_t201 - 0x14) = _t189;
                                  											 *(_t201 - 0x20) =  *(_t201 - 0x10);
                                  										}
                                  										_t35 = _t201 - 4;
                                  										 *_t35 =  *(_t201 - 4) | 0xffffffff;
                                  										__eflags =  *_t35;
                                  										E00405205(_t159,  *((intOrPtr*)(_t201 - 0x34)));
                                  										_t167 =  *(_t201 - 0x20);
                                  									}
                                  								}
                                  								 *(_t201 - 0x10) =  *(_t201 - 0x10) + 1;
                                  								_t129 =  *(_t201 - 0x1c);
                                  								_t185 =  *(_t201 - 0x10);
                                  								_t198 = _t198 + 0x18;
                                  								__eflags =  *(_t201 - 0x10) -  *_t129;
                                  							} while ( *(_t201 - 0x10) <  *_t129);
                                  							__eflags =  *(_t201 - 0x14) - 0xffffffff;
                                  							if( *(_t201 - 0x14) == 0xffffffff) {
                                  								break;
                                  							}
                                  							_t197 = _t167 * 0x1c + _t129[1];
                                  							_t130 = _t167 + _t167 * 2;
                                  							_t171 =  *((intOrPtr*)(_t201 + 0xc));
                                  							__eflags =  *((char*)(_t171 + 8 + _t130 * 8));
                                  							_t131 = _t171 + _t130 * 8;
                                  							if( *((char*)(_t171 + 8 + _t130 * 8)) != 0) {
                                  								L22:
                                  								_t164 = _t164 +  *(_t201 - 0x14);
                                  								 *_t197 = 1;
                                  								_t172 =  *((intOrPtr*)(_t131 + 4));
                                  								_t191 =  *(_t201 - 0x18) - _t164;
                                  								__eflags = _t172 - 1;
                                  								if(__eflags == 0) {
                                  									__eflags = _t191;
                                  									if(_t191 != 0) {
                                  										_t133 =  *( *(_t201 + 8));
                                  										__eflags =  *((short*)(_t133 + _t164 * 2)) - 0x2d;
                                  										_t134 = _t133 & 0xffffff00 |  *((short*)(_t133 + _t164 * 2)) == 0x0000002d;
                                  										__eflags = _t134;
                                  										 *(_t197 + 1) = _t134;
                                  										if(_t134 != 0) {
                                  											_t164 = _t164 + 1;
                                  											__eflags = _t164;
                                  										}
                                  									} else {
                                  										 *(_t197 + 1) =  *(_t197 + 1) & 0x00000000;
                                  									}
                                  									L50:
                                  									__eflags = _t164 -  *(_t201 - 0x18);
                                  									if(_t164 <  *(_t201 - 0x18)) {
                                  										_t195 =  *(_t201 + 8);
                                  										continue;
                                  									}
                                  									goto L57;
                                  								}
                                  								if(__eflags <= 0) {
                                  									goto L50;
                                  								}
                                  								__eflags = _t172 - 3;
                                  								if(_t172 <= 3) {
                                  									_t185 =  *(_t131 + 0xc);
                                  									__eflags = _t191 - _t185;
                                  									 *(_t201 - 0x20) = _t185;
                                  									if(_t191 < _t185) {
                                  										L55:
                                  										_push(0x41c200);
                                  										_push(_t201 - 0x28);
                                  										 *(_t201 - 0x28) = "switch is not full";
                                  										L004182FC();
                                  										L56:
                                  										_push(E00404E1A( *(_t201 + 8), _t201 - 0x64, _t164));
                                  										 *(_t201 - 4) = 2;
                                  										E00405205(E00401CFC(_t197 + 4, _t185),  *((intOrPtr*)(_t201 - 0x64)));
                                  										goto L57;
                                  									}
                                  									__eflags = _t172 - 3;
                                  									if(_t172 == 3) {
                                  										goto L56;
                                  									}
                                  									_t192 =  *((intOrPtr*)(_t131 + 0x10));
                                  									_push(_t185);
                                  									_push(_t164);
                                  									_push(_t201 - 0x40);
                                  									E00402521( *(_t201 + 8));
                                  									_t137 =  *(_t201 - 0x20);
                                  									 *(_t201 - 4) = 3;
                                  									_t164 = _t164 + _t137;
                                  									__eflags = _t137 - _t192;
                                  									 *(_t201 - 0x14) = _t137;
                                  									if(_t137 >= _t192) {
                                  										L44:
                                  										_t84 = _t197 + 4; // 0x8
                                  										_push(_t201 - 0x40);
                                  										_t139 = E00401CFC(_t84, _t185);
                                  										_t85 = _t201 - 4;
                                  										 *_t85 =  *(_t201 - 4) | 0xffffffff;
                                  										__eflags =  *_t85;
                                  										_push( *((intOrPtr*)(_t201 - 0x40)));
                                  										L45:
                                  										E00405205(_t139);
                                  										goto L50;
                                  									} else {
                                  										goto L41;
                                  									}
                                  									while(1) {
                                  										L41:
                                  										__eflags = _t164 -  *(_t201 - 0x18);
                                  										if(_t164 >=  *(_t201 - 0x18)) {
                                  											goto L44;
                                  										}
                                  										 *(_t201 - 0x20) =  *( *( *(_t201 + 8)) + _t164 * 2);
                                  										__eflags = E00404D10( *( *( *(_t201 + 8)) + _t164 * 2));
                                  										if(__eflags != 0) {
                                  											goto L44;
                                  										}
                                  										E00404DEF(_t201 - 0x40, _t185, __eflags,  *(_t201 - 0x20));
                                  										 *(_t201 - 0x14) =  *(_t201 - 0x14) + 1;
                                  										_t164 = _t164 + 1;
                                  										__eflags =  *(_t201 - 0x14) - _t192;
                                  										if( *(_t201 - 0x14) < _t192) {
                                  											continue;
                                  										}
                                  										goto L44;
                                  									}
                                  									goto L44;
                                  								}
                                  								__eflags = _t172 - 4;
                                  								if(_t172 != 4) {
                                  									goto L50;
                                  								}
                                  								__eflags = _t191 -  *(_t131 + 0xc);
                                  								if(_t191 <  *(_t131 + 0xc)) {
                                  									L54:
                                  									_push(0x41c200);
                                  									_push(_t201 - 0x24);
                                  									 *(_t201 - 0x24) = "switch is not full";
                                  									L004182FC();
                                  									goto L55;
                                  								}
                                  								_t139 = E00401DBF(_t201 - 0x58,  *((intOrPtr*)(_t131 + 0x14)));
                                  								__eflags = _t191;
                                  								_t193 =  *(_t201 - 0x58);
                                  								if(_t191 != 0) {
                                  									_t185 =  *_t193;
                                  									_t147 = _t193;
                                  									_t179 =  *( *( *(_t201 + 8)) + _t164 * 2);
                                  									while(1) {
                                  										__eflags = _t185 - _t179;
                                  										if(_t185 == _t179) {
                                  											break;
                                  										}
                                  										__eflags = _t185;
                                  										if(_t185 == 0) {
                                  											_t139 = _t147 | 0xffffffff;
                                  											__eflags = _t139;
                                  											L35:
                                  											__eflags = _t139;
                                  											if(_t139 < 0) {
                                  												goto L28;
                                  											}
                                  											 *(_t197 + 0x18) = _t139;
                                  											_t164 = _t164 + 1;
                                  											__eflags = _t164;
                                  											L37:
                                  											_push(_t193);
                                  											goto L45;
                                  										}
                                  										_t147 = _t147 + 2;
                                  										_t185 =  *_t147;
                                  									}
                                  									_t139 = _t147 - _t193 >> 1;
                                  									goto L35;
                                  								}
                                  								L28:
                                  								 *(_t197 + 0x18) =  *(_t197 + 0x18) | 0xffffffff;
                                  								goto L37;
                                  							}
                                  							__eflags =  *_t197;
                                  							if( *_t197 != 0) {
                                  								L53:
                                  								_push(0x41c200);
                                  								_push(_t201 + 8);
                                  								 *(_t201 + 8) = "switch must be single";
                                  								L004182FC();
                                  								goto L54;
                                  							}
                                  							goto L22;
                                  						}
                                  						_push(0x41c200);
                                  						_push(_t201 + 8);
                                  						 *(_t201 + 8) = "maxLen == kNoLen";
                                  						L004182FC();
                                  						goto L53;
                                  					}
                                  				}
                                  				goto L2;
                                  			}






























                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00404A2C
                                  • _CxxThrowException.MSVCRT(?,0041C200), ref: 00404CD2
                                    • Part of subcall function 00402521: __EH_prolog.LIBCMT ref: 00402526
                                  • _CxxThrowException.MSVCRT(?,0041C200), ref: 00404C93
                                  • _CxxThrowException.MSVCRT(00420C4C,0041C200), ref: 00404CA8
                                  • _CxxThrowException.MSVCRT(?,0041C200), ref: 00404CBD
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionThrow$H_prolog
                                  • String ID:
                                  • API String ID: 206451386-0
                                  • Opcode ID: 3a16b2fc015ff1e2723470c272b77f60aac3604d14220b99de27e4bffb4a85ce
                                  • Instruction ID: db09b159117f519c61deaf3768132e33b8e03b166a3612a94a6a6986dc37c5eb
                                  • Opcode Fuzzy Hash: 3a16b2fc015ff1e2723470c272b77f60aac3604d14220b99de27e4bffb4a85ce
                                  • Instruction Fuzzy Hash: 97919FB19012099FDF14DF94C880AEEB7B5FF84318F21416FE955B72A1D738AA41CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004054FA(void* __ecx, short _a4) {
                                  				char _v12;
                                  				short _t13;
                                  				short _t28;
                                  				int _t30;
                                  				void* _t31;
                                  
                                  				if(_a4 != 0) {
                                  					_t28 = CharUpperW(_a4 & 0x0000ffff);
                                  					if(_t28 != 0 || GetLastError() != 0x78) {
                                  						_t13 = _t28;
                                  					} else {
                                  						_t30 = WideCharToMultiByte(0, 0,  &_a4, 1,  &_v12, 4, 0, 0);
                                  						if(_t30 != 0 && _t30 <= 4) {
                                  							 *((char*)(_t31 + _t30 - 8)) = 0;
                                  							CharUpperA( &_v12);
                                  							MultiByteToWideChar(0, 0,  &_v12, _t30,  &_a4, 1);
                                  						}
                                  						_t13 = _a4;
                                  					}
                                  				} else {
                                  					_t13 = 0;
                                  				}
                                  				return _t13;
                                  			}









                                  APIs
                                  • CharUpperW.USER32(?,?,?,?,?,?,0040568B,000000FF,000000FF,?,00000000,?,00404AF9,?,?,00000000), ref: 00405513
                                  • GetLastError.KERNEL32(?,0040568B,000000FF,000000FF,?,00000000,?,00404AF9,?,?,00000000,?,000000FF,?,00000000,?), ref: 0040551F
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000004,00000000,00000000,?,0040568B,000000FF,000000FF,?,00000000,?,00404AF9), ref: 0040553A
                                  • CharUpperA.USER32(?,?,0040568B,000000FF,000000FF,?,00000000,?,00404AF9,?,?,00000000,?,000000FF,?,00000000), ref: 00405553
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001,?,0040568B,000000FF,000000FF,?,00000000,?,00404AF9,?,?), ref: 00405566
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: Char$ByteMultiUpperWide$ErrorLast
                                  • String ID:
                                  • API String ID: 3939315453-0
                                  • Opcode ID: 4798b371dd56cd1fa1f895a0ce38c8ad1fda522631ef179baaafc77be4bbcf1b
                                  • Instruction ID: 9519b6de2f072135b84017171e86ecb4502bd6c9b619a04fcbacab007b5a99f0
                                  • Opcode Fuzzy Hash: 4798b371dd56cd1fa1f895a0ce38c8ad1fda522631ef179baaafc77be4bbcf1b
                                  • Instruction Fuzzy Hash: A40156BA84021CBBDB106FA0DCC8DEF7A6DD705394F118532FA42E7140E674DE808AB8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 31%
                                  			E004058F1(void* __ecx, signed int _a4) {
                                  				void* _t20;
                                  				void* _t27;
                                  				signed int _t31;
                                  				void* _t32;
                                  				signed int _t35;
                                  				signed int _t39;
                                  				void* _t40;
                                  
                                  				_t39 = _a4;
                                  				_t40 = __ecx;
                                  				if(_t39 >  *((intOrPtr*)(__ecx + 4))) {
                                  					if(_t39 >= 0x80000000) {
                                  						_push(0x41c9b8);
                                  						_push( &_a4);
                                  						_a4 = 0x100ec1;
                                  						L004182FC();
                                  					}
                                  					_t31 =  *(_t40 + 0x10);
                                  					_t35 = _t31 * _t39;
                                  					if(_t35 / _t31 != _t39) {
                                  						_push(0x41c9b8);
                                  						_push( &_a4);
                                  						_a4 = 0x100ec2;
                                  						L004182FC();
                                  					}
                                  					_push(_t35);
                                  					_t32 = E004051DE();
                                  					if(_t32 == 0) {
                                  						_push(0x41c9b8);
                                  						_push( &_a4);
                                  						_a4 = 0x100ec3;
                                  						L004182FC();
                                  					}
                                  					_t27 = E00405205(memmove(_t32,  *(_t40 + 0xc),  *(_t40 + 0x10) *  *(_t40 + 4)),  *(_t40 + 0xc));
                                  					 *(_t40 + 0xc) = _t32;
                                  					 *(_t40 + 4) = _t39;
                                  					return _t27;
                                  				}
                                  				return _t20;
                                  			}











                                  APIs
                                  • _CxxThrowException.MSVCRT(?,0041C9B8), ref: 0040591D
                                  • _CxxThrowException.MSVCRT(?,0041C9B8), ref: 00405944
                                  • _CxxThrowException.MSVCRT(?,0041C9B8), ref: 00405966
                                  • memmove.MSVCRT ref: 00405977
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionThrow$memmove
                                  • String ID: U @
                                  • API String ID: 265668421-1986941051
                                  • Opcode ID: 2cef3717452cbcbb684d15c62bb8e5f6cc04d3c0f99e76946e2b2b81a56c8c18
                                  • Instruction ID: 6027172dc3a0cdca72816a40b8bf8b99f387fdd09a48253e1f60bc246fd7f6cd
                                  • Opcode Fuzzy Hash: 2cef3717452cbcbb684d15c62bb8e5f6cc04d3c0f99e76946e2b2b81a56c8c18
                                  • Instruction Fuzzy Hash: 3E11A3B1240A04AFC714EF55C881E8BBB9DEB58354B10842FB909EB192C775E5448F58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 89%
                                  			E004056FD() {
                                  				signed int _t34;
                                  				char* _t47;
                                  				char** _t51;
                                  				void* _t54;
                                  
                                  				E004182C0(E00418F44, _t54);
                                  				 *((intOrPtr*)(_t54 - 0x10)) = 0;
                                  				 *(_t54 - 0x1c) = 0;
                                  				 *(_t54 - 0x18) = 0;
                                  				 *((intOrPtr*)(_t54 - 0x14)) = 0;
                                  				E0040247E(_t54 - 0x1c, 0xf);
                                  				_t51 =  *(_t54 + 0xc);
                                  				 *((intOrPtr*)(_t54 - 4)) = 0;
                                  				_t47 = _t51[1];
                                  				if(_t47 != 0) {
                                  					if(_t47 >=  *((intOrPtr*)(_t54 - 0x14))) {
                                  						E0040247E(_t54 - 0x1c,  &(_t47[1]));
                                  					}
                                  					_t34 = MultiByteToWideChar( *(_t54 + 0x10), 0,  *_t51, _t51[1],  *(_t54 - 0x1c),  &(_t47[1]));
                                  					if(_t34 == 0) {
                                  						_t34 = _t54 + 8;
                                  						_push(0x41c9b8);
                                  						_push(_t34);
                                  						 *(_t54 + 8) = 0x44e74;
                                  						L004182FC();
                                  					}
                                  					( *(_t54 - 0x1c))[_t34] = 0;
                                  					 *(_t54 - 0x18) = _t34;
                                  				}
                                  				E00405205(E00401E20( *(_t54 + 8), _t54 - 0x1c),  *(_t54 - 0x1c));
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
                                  				return  *(_t54 + 8);
                                  			}








                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00405702
                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,00000002,?,?,0000000F,U @,?,00000000), ref: 00405753
                                  • _CxxThrowException.MSVCRT(?,0041C9B8), ref: 0040576D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ByteCharExceptionH_prologMultiThrowWide
                                  • String ID: U @
                                  • API String ID: 3835594019-1986941051
                                  • Opcode ID: d1d8087ad77d8951342288aafae24b71659b96d78aee4c12ab481c06529f9562
                                  • Instruction ID: fd89307b84f593b48920516021116b60b6b0a4ca82145e7e1447e221e4f81837
                                  • Opcode Fuzzy Hash: d1d8087ad77d8951342288aafae24b71659b96d78aee4c12ab481c06529f9562
                                  • Instruction Fuzzy Hash: 7F112CB190010AEFCB10DF95C8819EFBBB9FF48354F10846EE915B7291C738AA41CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00414D4D(void* __ecx, intOrPtr _a4) {
                                  				intOrPtr _t33;
                                  				char _t39;
                                  				void* _t43;
                                  				intOrPtr _t47;
                                  				intOrPtr _t50;
                                  				intOrPtr _t51;
                                  				char _t52;
                                  				intOrPtr _t56;
                                  				void* _t57;
                                  				char _t58;
                                  				intOrPtr _t59;
                                  				intOrPtr _t60;
                                  				char _t62;
                                  				void* _t64;
                                  
                                  				_t33 = _a4;
                                  				_t64 = __ecx;
                                  				_t52 = 1;
                                  				 *((char*)(__ecx + 0xbc5)) = _t52;
                                  				 *((char*)(__ecx + 0xbc4)) = _t52;
                                  				if(_t33 >= 2) {
                                  					 *((intOrPtr*)(__ecx + 0x7c0)) = _t33;
                                  					E00414E85(__ecx, _t57);
                                  					 *(__ecx + 0x9c4) =  *(__ecx + 0x9c4) & 0x00000000;
                                  					 *((char*)(__ecx + 0x9c5)) = 2;
                                  					memset(__ecx + 0x9c6, 4, 9);
                                  					memset(_t64 + 0x9cf, 6, 0xf5);
                                  					_t39 = 0;
                                  					do {
                                  						 *((char*)(_t64 + _t39 + 0x8c4)) = _t39;
                                  						_t39 = _t39 + 1;
                                  					} while (_t39 < 3);
                                  					_t58 = _t39;
                                  					_t62 = _t52;
                                  					while(_t39 < 0x100) {
                                  						_t62 = _t62 - 1;
                                  						 *((char*)(_t64 + _t39 + 0x8c4)) = _t58;
                                  						if(_t62 == 0) {
                                  							_t52 = _t52 + 1;
                                  							_t58 = _t58 + 1;
                                  							_t62 = _t52;
                                  						}
                                  						_t39 = _t39 + 1;
                                  					}
                                  					memset(_t64 + 0xac4, 0, 0x40);
                                  					_t43 = memset(_t64 + 0xb04, 8, 0xc0);
                                  					 *((char*)(_t64 + 0x79e)) = 7;
                                  					return _t43;
                                  				}
                                  				memset(__ecx + 0x7c4, 0, 0x100);
                                  				_t56 =  *((intOrPtr*)(_t64 + 0x7a4));
                                  				 *((intOrPtr*)(_t64 + 0x7b4)) =  *((intOrPtr*)(_t64 + 0x7c0));
                                  				 *((intOrPtr*)(_t64 + 0x7a0)) = _t56;
                                  				_t47 =  *((intOrPtr*)(_t56 + 8));
                                  				if(_t47 == 0) {
                                  					L4:
                                  					_t59 =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x7a0)) + 4));
                                  					if(_t59 != 0) {
                                  						_t50 =  *((intOrPtr*)(_t64 + 0x144)) + _t59;
                                  					} else {
                                  						_t50 = 0;
                                  					}
                                  					 *((intOrPtr*)(_t64 + 0x7a8)) = _t50;
                                  					 *((intOrPtr*)(_t64 + 0x7a0)) = _t56;
                                  					return _t50;
                                  				}
                                  				_t60 =  *((intOrPtr*)(_t64 + 0x144));
                                  				do {
                                  					_t51 = _t47 + _t60;
                                  					 *((intOrPtr*)(_t64 + 0x7b4)) =  *((intOrPtr*)(_t64 + 0x7b4)) - 1;
                                  					 *((intOrPtr*)(_t64 + 0x7a0)) = _t51;
                                  					_t47 =  *((intOrPtr*)(_t51 + 8));
                                  				} while (_t47 != 0);
                                  				goto L4;
                                  			}


















                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: memset
                                  • String ID:
                                  • API String ID: 2221118986-0
                                  • Opcode ID: 4a5e7227372dfeecf2467a420c57db5c417203e3b4200cf4420b85ac021d1905
                                  • Instruction ID: 61a6ffe5a46afa6828627abb5bf1a4ba951369e63db36c8f222bb2869574e3a1
                                  • Opcode Fuzzy Hash: 4a5e7227372dfeecf2467a420c57db5c417203e3b4200cf4420b85ac021d1905
                                  • Instruction Fuzzy Hash: 5D318F70A09B409EE720DB39C845FD7B7D8EB95708F14086EE1DEC7282D778B4818B5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 87%
                                  			E0040557B(void* __edi) {
                                  				WCHAR* _t19;
                                  				void* _t24;
                                  				intOrPtr* _t30;
                                  				signed int _t35;
                                  				short _t40;
                                  				short* _t43;
                                  				WCHAR* _t47;
                                  				void* _t49;
                                  
                                  				E004182C0(E00418F30, _t49);
                                  				_t47 =  *(_t49 + 8);
                                  				if(_t47 != 0) {
                                  					_t35 = CharUpperW(_t47);
                                  					if(_t35 != 0 || GetLastError() != 0x78) {
                                  						_t19 = _t35;
                                  					} else {
                                  						E00401DBF(_t49 - 0x24, _t47);
                                  						 *(_t49 - 4) =  *(_t49 - 4) & _t35;
                                  						_t24 = E004057A5(__edi, _t49 - 0x18, _t49 - 0x24, _t35);
                                  						 *(_t49 - 4) = 2;
                                  						E00405205(_t24,  *((intOrPtr*)(_t49 - 0x24)));
                                  						CharUpperA( *(_t49 - 0x18));
                                  						_push(_t35);
                                  						_push(_t49 - 0x18);
                                  						_push(_t49 - 0x30);
                                  						_t30 =  *((intOrPtr*)(E004056FD()));
                                  						_t43 =  &(_t47[1]);
                                  						_t40 =  *_t30;
                                  						 *_t47 = _t40;
                                  						while(1) {
                                  							_t30 = _t30 + 2;
                                  							if(_t40 == 0) {
                                  								break;
                                  							}
                                  							_t40 =  *_t30;
                                  							 *_t43 = _t40;
                                  							_t43 =  &(_t43[1]);
                                  						}
                                  						E00405205(E00405205(_t30,  *((intOrPtr*)(_t49 - 0x30))),  *(_t49 - 0x18));
                                  						_t19 = _t47;
                                  					}
                                  				} else {
                                  					_t19 = 0;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
                                  				return _t19;
                                  			}












                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00405580
                                  • CharUpperW.USER32(?,00000001,00000000), ref: 00405599
                                  • GetLastError.KERNEL32 ref: 004055A5
                                  • CharUpperA.USER32(?,?,?,00000000,?), ref: 004055DA
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: CharUpper$ErrorH_prologLast
                                  • String ID:
                                  • API String ID: 826227211-0
                                  • Opcode ID: 07a5ff181971ff87b2eee23aae669b4892da689fafad154433db8aa42b0dc283
                                  • Instruction ID: f6f366eaf0972c4baf091b9cfbca2146d167357809724ff9ce4579d31c4c1cc9
                                  • Opcode Fuzzy Hash: 07a5ff181971ff87b2eee23aae669b4892da689fafad154433db8aa42b0dc283
                                  • Instruction Fuzzy Hash: E211B431910909EACB01ABA4D8859EFB778EF09344F10447BF502F3251EB389E419F98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00406784(WCHAR* _a4, FILETIME* _a8, FILETIME* _a12, FILETIME* _a16) {
                                  				signed int _t12;
                                  				void* _t14;
                                  				void* _t16;
                                  
                                  				_t12 = 0;
                                  				_t16 =  *0x421274 - _t12; // 0x1
                                  				if(_t16 != 0) {
                                  					_t14 = CreateFileW(_a4, 0x40000000, 3, 0, 3, 0x2000000, 0);
                                  					if(_t14 != 0xffffffff) {
                                  						_t12 = 0 | SetFileTime(_t14, _a8, _a12, _a16) != 0x00000000;
                                  						CloseHandle(_t14);
                                  					}
                                  					return _t12;
                                  				}
                                  				SetLastError(0x78);
                                  				return 0;
                                  			}







                                  APIs
                                  • SetLastError.KERNEL32(00000078), ref: 00406791
                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 004067B0
                                  • SetFileTime.KERNEL32(00000000,?,?,?), ref: 004067CA
                                  • CloseHandle.KERNEL32(00000000), ref: 004067D6
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: File$CloseCreateErrorHandleLastTime
                                  • String ID:
                                  • API String ID: 2291555494-0
                                  • Opcode ID: 6a8a098346b956395041cd80f295ce2230978d329eba9f6ccaa2b01b8fbadc7b
                                  • Instruction ID: d2a56edc5dd8bc88dda875e7d5e5de7000a6e7cc315006f6cfc190ee375cb901
                                  • Opcode Fuzzy Hash: 6a8a098346b956395041cd80f295ce2230978d329eba9f6ccaa2b01b8fbadc7b
                                  • Instruction Fuzzy Hash: 72F0E231145220BFE6211F70AC88FDB7EA8DF09754F018935F6AA660F1C3250C6AE6A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00402E24(intOrPtr __ecx) {
                                  				void* __ebx;
                                  				void* __edi;
                                  				intOrPtr _t75;
                                  				intOrPtr* _t77;
                                  				intOrPtr _t78;
                                  				intOrPtr _t80;
                                  				intOrPtr _t81;
                                  				void* _t88;
                                  				intOrPtr _t118;
                                  				signed int _t139;
                                  				intOrPtr _t141;
                                  				intOrPtr* _t144;
                                  				intOrPtr _t145;
                                  				void* _t146;
                                  
                                  				_t118 = __ecx;
                                  				E004182C0(E00418BB8, _t146);
                                  				_t139 = 0;
                                  				 *((intOrPtr*)(_t146 - 0x14)) = __ecx;
                                  				 *(_t146 - 0x10) = 0;
                                  				if( *((intOrPtr*)(__ecx + 8)) <= 0) {
                                  					L36:
                                  					_t75 = 0;
                                  				} else {
                                  					while(1) {
                                  						_t144 =  *((intOrPtr*)( *((intOrPtr*)(_t118 + 0xc)) +  *(_t146 - 0x10) * 4));
                                  						if( *(_t146 + 0x18) == 0) {
                                  							_t10 = _t144 + 0x18; // 0xb12815ff
                                  							E00402AD1( *_t10);
                                  						}
                                  						 *(_t146 - 0x48) = _t139;
                                  						 *(_t146 - 0x46) = _t139;
                                  						_t77 =  *((intOrPtr*)(_t146 + 8));
                                  						_t137 = _t146 - 0x48;
                                  						 *(_t146 - 4) = _t139;
                                  						_t78 =  *((intOrPtr*)( *_t77 + 0x18))(_t77,  *((intOrPtr*)(_t146 + 0x14)),  *_t144, _t146 - 0x48);
                                  						_t141 = _t78;
                                  						if(_t141 != 0) {
                                  							break;
                                  						}
                                  						if( *(_t146 + 0x18) != _t78) {
                                  							_t19 = _t144 + 4; // 0x75e80a6a
                                  							_push(" = ");
                                  							E0040541C(E00405434(0x421290, _t141),  *_t19);
                                  						}
                                  						_t80 =  *_t144;
                                  						if(_t80 != 3) {
                                  							_t20 = _t144 + 0x1c; // 0x8b590041
                                  							_t141 =  *_t20;
                                  						} else {
                                  							_t141 = 0;
                                  						}
                                  						if( *(_t146 - 0x48) != 0) {
                                  							L18:
                                  							_t81 =  *_t144;
                                  							if(_t81 != 0xc) {
                                  								if(_t81 != 9) {
                                  									if( *(_t146 - 0x48) != 8) {
                                  										_push(1);
                                  										_push(_t81);
                                  										_push(_t146 - 0x48);
                                  										_push(_t146 - 0x2c);
                                  										E0040CDCE(0x421290, _t137);
                                  										 *(_t146 - 4) = 2;
                                  										E00403DC4(_t146 - 0x2c, 0xa, 0x20);
                                  										_t124 = _t146 - 0x2c;
                                  										E00403DC4(_t146 - 0x2c, 0xd, 0x20);
                                  										if( *(_t146 + 0x18) == 0) {
                                  											_t54 = _t144 + 0x14; // 0xc2474ff
                                  											_t88 = E00402AED(_t124, _t137, _t146,  *_t54, _t141, _t146 - 0x2c);
                                  										} else {
                                  											_push( *((intOrPtr*)(_t146 - 0x2c)));
                                  											_t88 = E00405434(0x421290, _t141);
                                  										}
                                  										 *(_t146 - 4) =  *(_t146 - 4) & 0x00000000;
                                  										_push( *((intOrPtr*)(_t146 - 0x2c)));
                                  										goto L32;
                                  									} else {
                                  										_push( *((intOrPtr*)(_t146 - 0x40)));
                                  										if( *(_t146 + 0x18) == 0) {
                                  											E00401DBF(_t146 - 0x38);
                                  											 *(_t146 - 4) = 1;
                                  											_t42 = _t144 + 0x14; // 0xc2474ff
                                  											_t88 = E00402AED(_t146 - 0x38, _t137, _t146,  *_t42, _t141, _t146 - 0x38);
                                  											 *(_t146 - 4) =  *(_t146 - 4) & 0x00000000;
                                  											_push( *((intOrPtr*)(_t146 - 0x38)));
                                  											L32:
                                  											E00405205(_t88);
                                  										} else {
                                  											E00405434(0x421290, _t141);
                                  										}
                                  									}
                                  									goto L33;
                                  								} else {
                                  									if( *(_t146 - 0x48) != 0x13) {
                                  										_push(0x41c200);
                                  										_push(_t146 + 0x18);
                                  										 *(_t146 + 0x18) = "incorrect item";
                                  										L004182FC();
                                  										break;
                                  									} else {
                                  										_t145 =  *((intOrPtr*)(_t146 - 0x40));
                                  										_t141 = E0040C1F5( *((intOrPtr*)(_t146 + 8)),  *((intOrPtr*)(_t146 + 0x14)), _t146 - 0x18);
                                  										if(_t141 != 0) {
                                  											break;
                                  										} else {
                                  											E0040305B(_t145,  *((intOrPtr*)(_t146 - 0x18)), _t146 - 0x20);
                                  											E0040541C(0x421290, _t146 - 0x20);
                                  											goto L33;
                                  										}
                                  									}
                                  								}
                                  							} else {
                                  								E00402D9E(_t146 - 0x48);
                                  								L33:
                                  								if( *(_t146 + 0x18) != 0) {
                                  									goto L34;
                                  								}
                                  								goto L35;
                                  							}
                                  						} else {
                                  							if(_t80 == 3) {
                                  								E0040760A(_t146 - 0x48,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 0xc)))));
                                  								goto L18;
                                  							} else {
                                  								if(_t80 == 0xc) {
                                  									E004076B1(_t146 - 0x48,  *((intOrPtr*)(_t146 + 0x10)) + 0x14);
                                  									goto L18;
                                  								} else {
                                  									if( *(_t146 + 0x18) != 0) {
                                  										L34:
                                  										E00405400(0x421290, E0040540E);
                                  									} else {
                                  										E00402AD1(_t141);
                                  									}
                                  									L35:
                                  									 *(_t146 - 4) =  *(_t146 - 4) | 0xffffffff;
                                  									E004076D9(_t146 - 0x48);
                                  									 *(_t146 - 0x10) =  *(_t146 - 0x10) + 1;
                                  									if( *(_t146 - 0x10) <  *((intOrPtr*)( *((intOrPtr*)(_t146 - 0x14)) + 8))) {
                                  										_t118 =  *((intOrPtr*)(_t146 - 0x14));
                                  										_t139 = 0;
                                  										continue;
                                  									} else {
                                  										goto L36;
                                  									}
                                  								}
                                  							}
                                  						}
                                  						goto L37;
                                  					}
                                  					 *(_t146 - 4) =  *(_t146 - 4) | 0xffffffff;
                                  					E004076D9(_t146 - 0x48);
                                  					_t75 = _t141;
                                  				}
                                  				L37:
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t146 - 0xc));
                                  				return _t75;
                                  			}


















                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00402E29
                                  • _CxxThrowException.MSVCRT(00000000,0041C200), ref: 00403041
                                    • Part of subcall function 00402D9E: _CxxThrowException.MSVCRT(ju,0041C200), ref: 00402DBE
                                    • Part of subcall function 00402D9E: FileTimeToLocalFileTime.KERNEL32(?,ju,?,0040540E,?,?,?,?,?,00402F0D,00000000,?,75E80A6A, = ), ref: 00402DD5
                                    • Part of subcall function 00402D9E: _CxxThrowException.MSVCRT(ju,0041C200), ref: 00402DEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionThrow$FileTime$H_prologLocal
                                  • String ID: =
                                  • API String ID: 3494051378-2525689732
                                  • Opcode ID: 77f4cfdd84298a60cda16e8302496276d4c2abcc0d907eda044f88e4d8760d33
                                  • Instruction ID: 8d87ee33246fb5a278ba737dd38cdfc3da62eddc91e5fa818deb9ae228516996
                                  • Opcode Fuzzy Hash: 77f4cfdd84298a60cda16e8302496276d4c2abcc0d907eda044f88e4d8760d33
                                  • Instruction Fuzzy Hash: BD6193319002099ACF21DFA5C989AEEBB75EF54354F24403FF401B32D2DB789A86DB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E0040712D(intOrPtr __edx, void* __eflags) {
                                  				signed int _t45;
                                  				void* _t50;
                                  				intOrPtr _t54;
                                  				intOrPtr _t64;
                                  				intOrPtr* _t66;
                                  				intOrPtr* _t69;
                                  				void* _t71;
                                  
                                  				_t64 = __edx;
                                  				E004182C0(E004191D4, _t71);
                                  				_t69 =  *((intOrPtr*)(_t71 + 8));
                                  				_t66 =  *((intOrPtr*)(_t71 + 0xc));
                                  				 *_t66 =  *_t69;
                                  				 *((intOrPtr*)(_t66 + 4)) =  *((intOrPtr*)(_t69 + 4));
                                  				 *((intOrPtr*)(_t66 + 8)) =  *((intOrPtr*)(_t69 + 8));
                                  				 *((intOrPtr*)(_t66 + 0xc)) =  *((intOrPtr*)(_t69 + 0xc));
                                  				 *((intOrPtr*)(_t66 + 0x10)) =  *((intOrPtr*)(_t69 + 0x10));
                                  				 *((intOrPtr*)(_t66 + 0x14)) =  *((intOrPtr*)(_t69 + 0x14));
                                  				 *((intOrPtr*)(_t66 + 0x18)) =  *((intOrPtr*)(_t69 + 0x18));
                                  				 *((intOrPtr*)(_t66 + 0x20)) = E004185C0( *((intOrPtr*)(_t69 + 0x1c)), 0, 0, 1) +  *((intOrPtr*)(_t69 + 0x20));
                                  				asm("adc edx, ebx");
                                  				 *((intOrPtr*)(_t66 + 0x24)) = _t64;
                                  				E004056B6(_t71 - 0x18, _t69 + 0x2c);
                                  				 *(_t71 - 4) =  *(_t71 - 4) & 0;
                                  				_t45 = AreFileApisANSI();
                                  				asm("sbb eax, eax");
                                  				_t50 = E004071E6(_t71 - 0x18, _t71 - 0x24, _t71 - 0x18,  ~_t45 + 1);
                                  				 *(_t71 - 4) = 1;
                                  				E00405205(E00405205(E00401E63(_t66 + 0x30, _t50),  *((intOrPtr*)(_t71 - 0x24))),  *((intOrPtr*)(_t71 - 0x18)));
                                  				_t54 =  *((intOrPtr*)(_t69 + 0x24));
                                  				 *((intOrPtr*)(_t66 + 0x28)) = _t54;
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
                                  				return _t54;
                                  			}











                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00407132
                                  • AreFileApisANSI.KERNEL32(?,?,00000000,00000000,00000001,U @,?,00000000), ref: 00407197
                                    • Part of subcall function 00405205: free.MSVCRT(?,004024C4,?,?,?,00000000,00401DF3,?,U @,?,00000000,?,?,004011CD,00000000), ref: 00405209
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ApisFileH_prologfree
                                  • String ID: U @
                                  • API String ID: 4245112029-1986941051
                                  • Opcode ID: 732a6753027a962c1c93ae9f3e7473242fe3937d1cacba5b65cb488616ffdc8c
                                  • Instruction ID: 97693a3070ba67fb04dd2bbe4ad600d96a3c3fff3bc891c9c2764ab2993da29c
                                  • Opcode Fuzzy Hash: 732a6753027a962c1c93ae9f3e7473242fe3937d1cacba5b65cb488616ffdc8c
                                  • Instruction Fuzzy Hash: C6210972A00A05AFC710DF69C881A9AFBF4FF18314B10862EE55AE3A81D734F954CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E0040BE2F() {
                                  				void* _t23;
                                  				intOrPtr* _t25;
                                  				void* _t26;
                                  				intOrPtr* _t29;
                                  				signed int _t39;
                                  				intOrPtr* _t42;
                                  				void* _t44;
                                  
                                  				E004182C0(E004198D8, _t44);
                                  				 *((intOrPtr*)(_t44 - 0x10)) = 0x420f54;
                                  				do {
                                  					_t39 = 0;
                                  					_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t44 - 0x10))));
                                  					if( *_t42 != 0) {
                                  						_t29 = _t42;
                                  						do {
                                  							_t39 = _t39 + 1;
                                  							_t29 = _t29 + 2;
                                  						} while ( *_t29 != 0);
                                  					}
                                  					_t35 =  *((intOrPtr*)(_t44 + 8));
                                  					if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 8)) + 4)) < _t39) {
                                  						goto L7;
                                  					} else {
                                  						_t25 = E00404E3B(_t35, _t44 - 0x1c, _t39);
                                  						 *(_t44 - 4) = 0;
                                  						_t26 = E00405668( *_t25, _t42);
                                  						 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                                  						E00405205(_t26,  *((intOrPtr*)(_t44 - 0x1c)));
                                  						if((0 | _t26 != 0x00000000) != 0) {
                                  							goto L7;
                                  						} else {
                                  							_push(_t39);
                                  							_push( *((intOrPtr*)(_t44 + 8)));
                                  							if(E0040BEDE() == 0) {
                                  								L9:
                                  								_t23 = 0;
                                  							} else {
                                  								goto L7;
                                  							}
                                  						}
                                  					}
                                  					L11:
                                  					 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0xc));
                                  					return _t23;
                                  					L7:
                                  					 *((intOrPtr*)(_t44 - 0x10)) =  *((intOrPtr*)(_t44 - 0x10)) + 4;
                                  				} while ( *((intOrPtr*)(_t44 - 0x10)) < 0x420f64);
                                  				_push("COM");
                                  				_push( *((intOrPtr*)(_t44 + 8)));
                                  				if(E0040BF4C() != 0) {
                                  					_push("LPT");
                                  					_push( *((intOrPtr*)(_t44 + 8)));
                                  					_t23 = E0040BF4C();
                                  				} else {
                                  					goto L9;
                                  				}
                                  				goto L11;
                                  			}











                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: COM$LPT
                                  • API String ID: 3519838083-915345583
                                  • Opcode ID: a7d214d3614e4698020112d7abbfa110b620d1c228dcacdd5ab391101315bab1
                                  • Instruction ID: 23230ce13d1391efa6270b03457e2635290a6f730cf04ad901a3f637ad888d8c
                                  • Opcode Fuzzy Hash: a7d214d3614e4698020112d7abbfa110b620d1c228dcacdd5ab391101315bab1
                                  • Instruction Fuzzy Hash: 0211BE31A00214ABCF21AF55C9419EFB7B5EF42348B00847BE124B71D2C7794D45CADC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004050A2(signed int __edx, signed int _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                  				signed char* _t13;
                                  				void* _t15;
                                  				char _t16;
                                  				signed int _t18;
                                  				signed char* _t20;
                                  				signed char _t24;
                                  				signed int _t25;
                                  				signed int _t27;
                                  				void* _t30;
                                  				void* _t32;
                                  
                                  				_t25 = __edx;
                                  				if(_a16 < 2 || _a16 > 0x24) {
                                  					_t13 = _a12;
                                  					 *_t13 =  *_t13 & 0x00000000;
                                  					return _t13;
                                  				} else {
                                  					_t22 = _a8;
                                  					_t27 = _a4;
                                  					_t30 = 0;
                                  					do {
                                  						_t15 = E00418500(_t27, _t22, _a16, 0);
                                  						if(_t15 >= 0xa) {
                                  							_t16 = _t15 + 0x57;
                                  						} else {
                                  							_t16 = _t15 + 0x30;
                                  						}
                                  						 *((char*)(_t32 + _t30 - 0x48)) = _t16;
                                  						_t30 = _t30 + 1;
                                  						_t18 = E00418490(_t27, _t22, _a16, 0);
                                  						_t22 = _t25;
                                  						_t27 = _t18;
                                  					} while ((_t18 | _t25) != 0);
                                  					_t20 = _a12;
                                  					do {
                                  						_t24 =  *((intOrPtr*)(_t32 + _t30 - 0x49));
                                  						_t30 = _t30 - 1;
                                  						 *_t20 = _t24;
                                  						_t20 =  &(_t20[1]);
                                  					} while (_t30 > 0);
                                  					 *_t20 =  *_t20 & 0x00000000;
                                  					return _t20;
                                  				}
                                  			}














                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: __aulldiv__aullrem
                                  • String ID: $
                                  • API String ID: 3839614884-3993045852
                                  • Opcode ID: 0ed4eb360e903790e9c4e2f729d909426fdefe61c71807b591b07ac22c2d42f0
                                  • Instruction ID: 71cd08da27e786e1fe8a9981891b1c919e2fd7f0d28883fa71c71439123411da
                                  • Opcode Fuzzy Hash: 0ed4eb360e903790e9c4e2f729d909426fdefe61c71807b591b07ac22c2d42f0
                                  • Instruction Fuzzy Hash: D5014C72504659AFEB12AE658C81AAF3B98DF1A314F050437F901E7241C174CC41C7FB
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 73%
                                  			E00403278() {
                                  				char* _t27;
                                  				intOrPtr _t30;
                                  				void* _t32;
                                  				intOrPtr* _t36;
                                  				intOrPtr _t40;
                                  				void* _t41;
                                  
                                  				E004182C0(E00418C04, _t41);
                                  				 *(_t41 - 0x1c) =  *(_t41 - 0x1c) & 0x00000000;
                                  				 *(_t41 - 0x1a) =  *(_t41 - 0x1a) & 0x00000000;
                                  				_t27 =  *(_t41 + 8);
                                  				_t40 = _t41 - 0x1c;
                                  				_push(_t40);
                                  				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                  				_push( *((intOrPtr*)(_t41 + 0x10)));
                                  				_push( *((intOrPtr*)(_t41 + 0xc)));
                                  				_push(_t27);
                                  				if( *((intOrPtr*)( *_t27 + 0x18))() != 0) {
                                  					_push(0x41c200);
                                  					_push(_t41 + 8);
                                  					 *(_t41 + 8) = "GetPropertyValue error";
                                  					L004182FC();
                                  				}
                                  				if( *(_t41 - 0x1c) != 0) {
                                  					_t30 = E00407A07(_t41 - 0x1c);
                                  					_t36 =  *((intOrPtr*)(_t41 + 0x14));
                                  					 *(_t41 - 4) =  *(_t41 - 4) | 0xffffffff;
                                  					 *_t36 = _t30;
                                  					 *((intOrPtr*)(_t36 + 4)) = _t40;
                                  					E004076D9(_t41 - 0x1c);
                                  					_t32 = 1;
                                  				} else {
                                  					 *(_t41 - 4) =  *(_t41 - 4) | 0xffffffff;
                                  					E004076D9(_t41 - 0x1c);
                                  					_t32 = 0;
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
                                  				return _t32;
                                  			}










                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040327D
                                  • _CxxThrowException.MSVCRT(?,0041C200), ref: 004032BA
                                    • Part of subcall function 00407A07: _CxxThrowException.MSVCRT ref: 00407A2F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: ExceptionThrow$H_prolog
                                  • String ID: $B
                                  • API String ID: 206451386-2721644312
                                  • Opcode ID: 183c51912a5567f1f6c93ff25cd6620711d5eb3fb9ebc2ebcaf20575706abe08
                                  • Instruction ID: 7322679c6e85f6677fc1269c920607af694a53649959965fb0b51c0042357ef8
                                  • Opcode Fuzzy Hash: 183c51912a5567f1f6c93ff25cd6620711d5eb3fb9ebc2ebcaf20575706abe08
                                  • Instruction Fuzzy Hash: DF112A71D0020AEBCB00DF94C445AEE7BB4AF11318F10C56EE822A71D1D77DA646DB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 59%
                                  			E0040C998(signed int _a4, intOrPtr _a8, signed int* _a12) {
                                  				void* _t10;
                                  				signed int _t11;
                                  				signed int _t15;
                                  				signed int _t19;
                                  				intOrPtr _t21;
                                  
                                  				_t21 = _a8;
                                  				_push(0x10);
                                  				_push(0x41bc64);
                                  				_push(_t21);
                                  				L00418302();
                                  				if(_t10 != 0) {
                                  					_push(0x10);
                                  					_push(0x41b278);
                                  					_push(_t21);
                                  					L00418302();
                                  					if(_t10 == 0) {
                                  						goto L1;
                                  					}
                                  					_push(0x10);
                                  					_push(0x41b368);
                                  					_push(_t21);
                                  					L00418302();
                                  					if(_t10 != 0) {
                                  						_push(0x10);
                                  						_push(0x41b258);
                                  						_push(_t21);
                                  						L00418302();
                                  						if(_t10 != 0) {
                                  							return 0x80004002;
                                  						}
                                  						_t11 = _a4;
                                  						_t15 = _t11;
                                  						_t19 = _t11 + 8;
                                  						L7:
                                  						asm("sbb ecx, ecx");
                                  						 *_a12 =  ~_t15 & _t19;
                                  						 *((intOrPtr*)( *_t11 + 4))(_t11);
                                  						return 0;
                                  					}
                                  					_t11 = _a4;
                                  					_t15 = _t11;
                                  					_t19 = _t11 + 0xc;
                                  					goto L7;
                                  				}
                                  				L1:
                                  				_t11 = _a4;
                                  				_t15 = _t11;
                                  				_t19 = _t11 + 4;
                                  				goto L7;
                                  			}









                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.512339178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000004.00000002.512314535.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512412044.000000000041B000.00000002.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512422499.0000000000420000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000004.00000002.512435202.0000000000426000.00000002.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_400000_additional.jbxd
                                  Similarity
                                  • API ID: memcmp
                                  • String ID:
                                  • API String ID: 1475443563-0
                                  • Opcode ID: 710b04658f7b85ad07d3394e82ad1dad8ac5a7735fbc3a8d31e3e66a6cc627ab
                                  • Instruction ID: f312f63533d6efdf258c8c8f1e20b6bcb41afa66fc0af2b1aac0ff3475a3e805
                                  • Opcode Fuzzy Hash: 710b04658f7b85ad07d3394e82ad1dad8ac5a7735fbc3a8d31e3e66a6cc627ab
                                  • Instruction Fuzzy Hash: E501A1B2340208A7C7059B15D982FDA33949F24740F14862AFC05AB381FAB9EA9487DD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:11.5%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:3.6%
                                  Total number of Nodes:1997
                                  Total number of Limit Nodes:113
calls 33517->33519 33518->33397 33519->33518 33520 4152c9 33520->33397 33522->33520 33540 42716a 33522->33540 33524 3fb130 33523->33524 33525 3fb0af PathFileExistsW 33524->33525 33526 3fb10f 33525->33526 33527 3fb0de 33525->33527 33526->33403 33527->33526 33528 3fb0ee HeapFree 33527->33528 33528->33403 33530 41b415 33529->33530 33534 41b30f 33529->33534 33531 45ab44 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 2 API calls 33530->33531 33532 4136e7 33531->33532 33532->33409 33532->33413 33533 41b3b5 GetDiskFreeSpaceExW 33533->33530 33533->33534 33534->33530 33534->33533 33535->33411 33536->33414 33537->33431 33538->33440 33539->33459 33541 4271a9 33540->33541 33542 42719c FindCloseChangeNotification 33540->33542 33543 4271da 33541->33543 33544 4271cd FreeLibrary 33541->33544 33542->33541 33545 427213 33543->33545 33546 427206 CloseHandle 33543->33546 33544->33543 33545->33522 33546->33545 33547 3d3b29 33550 3925e2 __EH_prolog3 33547->33550 33549 3d3b38 33551 3925f8 33550->33551 33551->33549 33552 3af16e 33553 3af184 33552->33553 33555 3af191 33552->33555 33554 3af1d3 SetEvent 33553->33554 33553->33555 33554->33555 33556 41c017 33557 41c027 33556->33557 33558 41c030 SetEvent 33557->33558 33559 41c03e 33557->33559 33560 41c06e 33558->33560 33559->33560 33561 41c047 CreateThread 33559->33561 33562 38e076 CloseHandle 33561->33562 33563 41c090 33561->33563 33562->33560 33564 41c095 WaitForSingleObject 33563->33564 33565 41c0b6 33564->33565 33566 41c0aa 33564->33566 33566->33564 33567 3c00aa 33568 3c0101 std::ios_base::_Ios_base_dtor 33567->33568 33573 3a4f0f IsWindow 33568->33573 33574 3a4f60 DestroyWindow 33573->33574 33575 3a4f69 ~refcount_ptr 33573->33575 33574->33575 33576 3a4fbe 33575->33576 33583 457f5a 33575->33583 33578 38646c 33576->33578 33606 38652b __EH_prolog3_catch_GS 33578->33606 33580 3864a9 33615 38ddd3 33580->33615 33582 3864b5 33584 457f65 33583->33584 33585 457fab 33583->33585 33586 457f9b GetProcessHeap HeapFree 33584->33586 33587 457f70 
33584->33587 33589 457c3c 33584->33589 33585->33576 33586->33585 33587->33586 33590 457c59 LoadLibraryExA 33589->33590 33591 457c49 RtlDecodePointer 33589->33591 33592 457cea 33590->33592 33593 457c72 33590->33593 33591->33592 33592->33587 33603 457cf1 GetProcAddress 33593->33603 33595 457c82 33595->33592 33596 457cf1 2 API calls 33595->33596 33597 457c99 33596->33597 33597->33592 33598 457cf1 2 API calls 33597->33598 33599 457cb0 33598->33599 33599->33592 33600 457cf1 2 API calls 33599->33600 33601 457cc7 33600->33601 33601->33592 33602 457cce DecodePointer 33601->33602 33602->33592 33604 457d04 33603->33604 33605 457d08 RtlEncodePointer 33603->33605 33604->33595 33605->33595 33607 386545 33606->33607 33608 386585 IsWindow 33607->33608 33609 38659b IsWindow 33608->33609 33610 386592 33608->33610 33612 3865a8 33609->33612 33614 3865b2 33609->33614 33619 386cd6 __EH_prolog3 __EH_prolog3 SendMessageW 33610->33619 33620 386d26 __EH_prolog3 __EH_prolog3 SendMessageW 33612->33620 33614->33580 33616 38de0a 33615->33616 33617 38de31 ~refcount_ptr 33616->33617 33618 38de24 CloseHandle 33616->33618 33617->33582 33618->33617 33619->33609 33620->33614 33621 3d012b 33626 38716b CreateWindowExW 33621->33626 33623 3d0162 SendMessageW SendMessageW 33627 38889a 10 API calls 33623->33627 33625 3d0186 33626->33623 33627->33625 33628 391ba5 33629 391be2 KillTimer 33628->33629 33630 391bf6 33628->33630 33629->33630 33631 391c06 DeleteCriticalSection 33630->33631 33632 391c0d std::ios_base::_Ios_base_dtor 33630->33632 33631->33632 33633 391c57 33632->33633 33634 457f5a 7 API calls 33632->33634 33634->33633 33635 3b15e7 33636 3b1647 33635->33636 33637 3b15f8 33635->33637 33637->33636 33639 3a0100 __EH_prolog3_catch 33637->33639 33640 3a01c3 33639->33640 33641 3a0128 33639->33641 33646 384a50 __CxxThrowException 33640->33646 33644 3853fd 19 API calls 33641->33644 33645 3a0148 33644->33645 33645->33637 33647 3df620 33648 3df674 33647->33648 33649 45ab63 std::_Facet_Register 2 API calls 
33648->33649 33650 3df67b 33649->33650 33657 458733 __EH_prolog3 33650->33657 33652 3df687 33666 3df8d0 33652->33666 33654 3df6a7 33655 3df6ce 33654->33655 33672 458ab2 EnterCriticalSection LeaveCriticalSection std::_Lockit::~_Lockit std::_Lockit::_Lockit 33654->33672 33673 458972 33657->33673 33659 45874a 33660 45877a 33659->33660 33682 4588b9 __CxxThrowException IsProcessorFeaturePresent std::_Facet_Register std::locale::_Locimp::_New_Locimp 33659->33682 33677 4589ca 33660->33677 33663 45875d 33663->33660 33683 45a416 7 API calls _Atexit 33663->33683 33664 4587d5 33664->33652 33667 3df915 33666->33667 33686 3dfba0 33667->33686 33671 3df95a 33671->33654 33672->33655 33674 458988 33673->33674 33675 458981 33673->33675 33674->33675 33684 45a469 EnterCriticalSection 33674->33684 33675->33659 33678 4589d4 33677->33678 33679 46b7b2 33677->33679 33680 4589e7 33678->33680 33685 45a477 LeaveCriticalSection 33678->33685 33679->33664 33680->33664 33682->33663 33683->33660 33684->33675 33685->33680 33687 458972 std::_Lockit::_Lockit EnterCriticalSection 33686->33687 33688 3dfbef 33687->33688 33689 458972 std::_Lockit::_Lockit EnterCriticalSection 33688->33689 33694 3dfc39 33688->33694 33690 3dfc11 33689->33690 33692 4589ca std::_Lockit::~_Lockit LeaveCriticalSection 33690->33692 33691 4589ca std::_Lockit::~_Lockit LeaveCriticalSection 33693 3df925 33691->33693 33692->33694 33693->33671 33701 458bca 14 API calls 2 library calls 33693->33701 33695 45ab63 std::_Facet_Register 2 API calls 33694->33695 33700 3dfc81 33694->33700 33696 3dfc8f 33695->33696 33702 3e5ae0 33696->33702 33698 3dfcc2 __Getctype 33708 4586ff __CxxThrowException IsProcessorFeaturePresent std::_Facet_Register 33698->33708 33700->33691 33701->33671 33703 458972 std::_Lockit::_Lockit EnterCriticalSection 33702->33703 33704 3e5b12 33703->33704 33705 3e5b6e std::_Locinfo::_Locinfo_ctor 33704->33705 33706 3e5ba0 __CxxThrowException 33704->33706 33705->33698 33707 3e5bec ___std_exception_destroy 33706->33707 
33707->33698 33708->33700 33709 42cd9f 33710 42c8ef __EH_prolog3 33709->33710 33711 42cdae _wcslen 33710->33711 33712 42cdfb 20 API calls 33711->33712 33713 42cdd1 33712->33713 33714 42d24b 42 API calls 33713->33714 33715 42cde5 33714->33715 33716 3af2a5 33717 3af2bf 33716->33717 33720 3b020d __EH_prolog3_GS 33717->33720 33719 3af308 33721 3eb980 33720->33721 33722 3b0226 GetCurrentProcessId 33721->33722 33723 3b023d 33722->33723 33730 3b047c __EH_prolog3_GS 33723->33730 33725 3b0260 ~refcount_ptr 33726 3b029b PathFileExistsW 33725->33726 33727 3b02af ~refcount_ptr 33726->33727 33728 3b02cb CreateDirectoryW 33727->33728 33729 3b02e0 ~refcount_ptr 33727->33729 33728->33729 33729->33719 33731 384b8e 19 API calls 33730->33731 33732 3b04a3 33731->33732 33733 3eaad0 19 API calls 33732->33733 33734 3b04b2 33733->33734 33736 3b04d8 ~refcount_ptr 33734->33736 33737 3921e6 19 API calls 33734->33737 33736->33725 33737->33736 33738 3daa1f 33739 3daa2c 33738->33739 33740 3daa33 33738->33740 33753 3daa69 __EH_prolog3_GS 33739->33753 33741 3daa3f 33740->33741 33742 3daa38 33740->33742 33745 3daa4b 33741->33745 33746 3daa44 33741->33746 33760 3daacd 49 API calls 33742->33760 33748 3daa57 33745->33748 33749 3daa50 33745->33749 33761 3dab5b 45 API calls ~refcount_ptr 33746->33761 33751 3daa31 33748->33751 33763 3dac82 45 API calls ~refcount_ptr 33748->33763 33762 3dac30 49 API calls 33749->33762 33764 44241d __EH_prolog3 33753->33764 33755 3daaa2 33770 3da2fe __EH_prolog3_GS 33755->33770 33757 3daab4 33781 4425b2 CloseHandle std::ios_base::_Ios_base_dtor ~refcount_ptr 33757->33781 33759 3daac5 33759->33751 33760->33751 33761->33751 33762->33751 33763->33751 33765 44243f 33764->33765 33766 3853fd 19 API calls 33765->33766 33767 44249c 33766->33767 33782 432584 __EH_prolog3 33767->33782 33769 442559 33769->33755 33786 3da68c __EH_prolog3 33770->33786 33772 3da326 33793 437a47 33772->33793 33774 3da387 33776 3da3e5 33774->33776 33798 3dae83 __EH_prolog3_GS 33774->33798 33776->33757 
33777 3da556 33777->33776 33778 3da578 SetEvent 33777->33778 33780 3da584 33777->33780 33778->33780 33779 3da5db WaitForSingleObject 33779->33776 33780->33776 33780->33779 33781->33759 33783 4325ac 33782->33783 33784 38e6a1 21 API calls 33783->33784 33785 4325d1 33784->33785 33785->33769 33811 39acdf __EH_prolog3_catch 33786->33811 33788 3da6c0 33789 38e6a1 21 API calls 33788->33789 33790 3da6e7 33789->33790 33791 38e6a1 21 API calls 33790->33791 33792 3da72f 33791->33792 33792->33772 33794 437a50 33793->33794 33795 437a57 33793->33795 33794->33774 33814 4539d4 __EH_prolog3_GS GetSystemDirectoryW 33795->33814 33797 437a66 33797->33774 33843 440e68 __EH_prolog3_GS 33798->33843 33800 3dae99 33846 3b98de GetSystemDirectoryW 33800->33846 33803 3daeef GetSystemInfo 33809 3daef9 33803->33809 33804 3daebb GetCurrentProcess 33805 3daecd 33804->33805 33805->33803 33806 3daed7 GetProcAddress 33805->33806 33806->33803 33807 3daee7 GetNativeSystemInfo 33806->33807 33807->33809 33808 3daf1c ~refcount_ptr 33808->33777 33809->33808 33856 3a692b __EH_prolog3_catch LoadStringW LoadStringW 33809->33856 33812 3853fd 19 API calls 33811->33812 33813 39acf2 33812->33813 33813->33788 33815 453a08 33814->33815 33816 453b86 33814->33816 33817 3eaad0 19 API calls 33815->33817 33818 453a3d 33817->33818 33819 3b047c 20 API calls 33818->33819 33820 453a6a ~refcount_ptr 33819->33820 33823 3ee500 33820->33823 33822 453af7 ~refcount_ptr 33822->33797 33824 3ee550 33823->33824 33826 3ee62c _Atexit 33823->33826 33825 3ee661 33824->33825 33830 3ee55c 33824->33830 33842 384a50 __CxxThrowException 33825->33842 33826->33822 33828 3ee666 33829 460bf6 17 API calls 33828->33829 33836 3ee66b 33829->33836 33831 3ee588 33830->33831 33832 3ee5bc 33830->33832 33833 45ab63 std::_Facet_Register 2 API calls 33831->33833 33835 45ab63 std::_Facet_Register 2 API calls 33832->33835 33838 3ee5b1 _Atexit 33832->33838 33834 3ee5a6 33833->33834 33834->33828 33834->33838 33835->33838 33837 3ee680 __CxxThrowException 
33836->33837 33841 3ee7c0 17 API calls std::ios_base::_Ios_base_dtor 33838->33841 33840 3ee618 33840->33822 33841->33840 33857 440d39 __EH_prolog3 33843->33857 33845 440e7e _wcslen ~refcount_ptr 33845->33800 33847 3b992b _wcslen 33846->33847 33848 3b998b 33846->33848 33847->33848 33851 390f2f __EH_prolog3 33847->33851 33849 45ab44 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 2 API calls 33848->33849 33850 3b99bb GetProcAddress 33849->33850 33850->33803 33850->33804 33852 3b9956 _wcslen 33851->33852 33853 390f2f __EH_prolog3 33852->33853 33854 3b996f 33853->33854 33854->33848 33855 3b9980 LoadLibraryExW 33854->33855 33855->33848 33856->33808 33858 440d61 33857->33858 33859 440d7d 33858->33859 33860 3ee500 21 API calls 33858->33860 33859->33845 33860->33859 33861 3d40df GetClientRect 33866 3d3fdb __EH_prolog3 33861->33866 33863 3d412a 33864 45ab44 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 2 API calls 33863->33864 33865 3d4138 33864->33865 33867 3d3ffb 33866->33867 33872 3d3ff4 33866->33872 33868 3d400f GetDC CreateCompatibleBitmap GetDC CreateCompatibleDC SelectObject 33867->33868 33869 3d4000 DeleteObject 33867->33869 33875 3d3b67 __EH_prolog3 33868->33875 33869->33868 33870 3d400c 33869->33870 33870->33868 33872->33863 33873 3d4068 33873->33872 33874 3d4072 DeleteDC 33873->33874 33874->33872 33876 3d3b7b 33875->33876 33876->33873 33877 4319e7 __EH_prolog3_GS 33878 431a0a ~refcount_ptr 33877->33878 33879 432584 22 API calls 33878->33879 33880 431a78 33879->33880 33881 384b8e 19 API calls 33880->33881 33882 431ace 33881->33882 33883 431baa 33882->33883 33884 431b0c 33882->33884 33886 431bc9 33883->33886 33887 431bbc 33883->33887 33897 4327ef __EH_prolog3_catch 33884->33897 33890 4327ef 25 API calls 33886->33890 33924 432908 __EH_prolog3 33887->33924 33889 431b2d 33891 384b8e 19 API calls 33889->33891 33896 431b78 ~refcount_ptr 33890->33896 33892 431b42 33891->33892 33913 432a88 __EH_prolog3_catch 33892->33913 33894 431b5b 33923 432b15 22 API 
calls 33894->33923 33898 432902 33897->33898 33900 432823 33897->33900 33934 384a50 __CxxThrowException 33898->33934 33902 3853fd 19 API calls 33900->33902 33903 432861 33902->33903 33904 432908 22 API calls 33903->33904 33905 432887 33904->33905 33906 432897 33905->33906 33907 4328a4 33905->33907 33931 432d3b 23 API calls 33906->33931 33932 432a16 __EH_prolog3 33907->33932 33910 4328b1 33933 432a16 __EH_prolog3 33910->33933 33912 4328a0 33912->33889 33914 432abd 33913->33914 33918 432aeb 33913->33918 33915 432ac4 33914->33915 33916 432b0f 33914->33916 33917 3853fd 19 API calls 33915->33917 33936 384a50 __CxxThrowException 33916->33936 33920 432acd 33917->33920 33918->33894 33935 432d3b 23 API calls 33920->33935 33923->33896 33925 384b8e 19 API calls 33924->33925 33926 43292a 33925->33926 33927 384b8e 19 API calls 33926->33927 33928 43293f 33927->33928 33937 432ea2 __EH_prolog3_catch 33928->33937 33930 432981 33930->33896 33931->33912 33932->33910 33933->33912 33935->33918 33938 432ecf 33937->33938 33939 38e72c 20 API calls 33938->33939 33940 432ef2 33939->33940 33940->33930 33941 40eaa9 __EH_prolog3 33971 423bea __EH_prolog3 33941->33971 33943 40eabd 33974 404000 33943->33974 33945 40eaef 33981 423c28 __EH_prolog3 33945->33981 33947 40eb2a 33948 423bea 2 API calls 33947->33948 33949 40eb78 33948->33949 33950 404000 2 API calls 33949->33950 33951 40eba8 33950->33951 33952 423c28 5 API calls 33951->33952 33953 40ebe3 33952->33953 33954 40ec7d 33953->33954 33955 40ec2e 33953->33955 33956 40ec8c SetEvent 33954->33956 33958 38ce6d __EH_prolog3 33955->33958 33988 423f19 __EH_prolog3 33956->33988 33959 40ec3e 33958->33959 33994 416322 __EH_prolog3 __CxxThrowException IsProcessorFeaturePresent std::_Facet_Register 33959->33994 33961 40ec53 33995 412331 __EH_prolog3 33961->33995 33962 40ecb7 33965 423f19 6 API calls 33962->33965 33966 40ec78 33962->33966 33964 40ec60 SetEvent 33964->33966 33967 40ece7 33965->33967 33967->33966 33968 38ce6d __EH_prolog3 33967->33968 33969 
40ecfb 33968->33969 33970 412331 90 API calls 33969->33970 33970->33966 33972 38ce6d __EH_prolog3 33971->33972 33973 423c08 33972->33973 33973->33943 33975 40400e 33974->33975 33976 404069 33975->33976 33977 404028 WideCharToMultiByte 33975->33977 33976->33945 33978 404065 33977->33978 33979 404044 33977->33979 33978->33945 33980 40404a WideCharToMultiByte 33979->33980 33980->33978 33983 423c42 33981->33983 33987 423c3b 33981->33987 34005 4240e7 __EH_prolog3 33983->34005 33984 423c94 33985 423ca0 CreateNamedPipeW 33984->33985 33986 423ccb CreateFileW 33984->33986 33985->33986 33985->33987 33986->33987 33987->33947 33989 423f34 33988->33989 33993 423f2d 33988->33993 33990 38ce6d __EH_prolog3 33989->33990 33991 423f3c 33990->33991 34009 423fdd __EH_prolog3 33991->34009 33993->33962 33994->33961 33997 412349 33995->33997 34002 4123c8 33995->34002 33996 41238d 33999 41518b 17 API calls 33996->33999 33996->34002 33997->33996 34019 414de6 __EH_prolog3 33997->34019 34004 412412 33999->34004 34000 4123ac 34025 414ebc __EH_prolog3 34000->34025 34002->33964 34046 41294f __EH_prolog3 34004->34046 34006 42410a 34005->34006 34007 390f2f __EH_prolog3 34006->34007 34008 424124 34007->34008 34008->33984 34010 424013 ReadFile 34009->34010 34011 423ff1 ConnectNamedPipe 34009->34011 34012 424065 34010->34012 34013 42403c 34010->34013 34011->34010 34014 424000 GetLastError 34011->34014 34015 38ce6d __EH_prolog3 34012->34015 34013->34012 34018 424041 34013->34018 34014->34010 34016 42400d 34014->34016 34017 42406d 34015->34017 34016->34010 34016->34012 34017->33993 34018->34017 34020 414e22 34019->34020 34022 414e8a 34019->34022 34021 41518b 17 API calls 34020->34021 34023 414e76 34020->34023 34021->34020 34022->34000 34023->34022 34052 414b3a 34023->34052 34026 414ee2 34025->34026 34027 41b2ea 3 API calls 34026->34027 34028 414ee9 34027->34028 34029 414f84 34028->34029 34030 414f19 34028->34030 34092 3fa550 HeapFree 34028->34092 34034 3fabd0 31 API calls 34029->34034 34043 414fa0 
34029->34043 34033 38ce6d __EH_prolog3 34030->34033 34040 414f5b 34030->34040 34032 414f0c 34032->34029 34032->34030 34035 414f2a _wcslen 34033->34035 34034->34043 34038 390f2f __EH_prolog3 34035->34038 34036 38ce6d __EH_prolog3 34036->34043 34037 414fdc CreateFileW 34039 3f06a0 13 API calls 34037->34039 34042 414f46 _wcslen 34038->34042 34039->34043 34040->33996 34041 415045 SetFilePointer SetEndOfFile 34041->34043 34044 41506e FindCloseChangeNotification 34041->34044 34042->34040 34045 390f2f __EH_prolog3 34042->34045 34043->34036 34043->34037 34043->34040 34043->34041 34044->34043 34045->34040 34047 412969 34046->34047 34051 412970 34046->34051 34047->34002 34048 41518b 17 API calls 34048->34051 34049 412a0b 34049->34047 34093 414085 34049->34093 34051->34047 34051->34048 34051->34049 34053 38ce6d __EH_prolog3 34052->34053 34054 414b89 34053->34054 34072 413fb6 34054->34072 34056 414dac 34057 45ab44 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 2 API calls 34056->34057 34059 414ddc 34057->34059 34059->34022 34060 414d9d 34061 42716a 3 API calls 34060->34061 34061->34056 34062 41518b 17 API calls 34069 414b98 34062->34069 34063 38ce6d __EH_prolog3 34063->34069 34065 414cca FindFirstFileW 34066 414d02 FindClose 34065->34066 34071 414c84 _Atexit 34065->34071 34066->34071 34067 38ce6d __EH_prolog3 34067->34071 34068 427295 2 API calls 34068->34071 34069->34056 34069->34060 34069->34062 34069->34063 34070 42716a 3 API calls 34069->34070 34069->34071 34084 427222 LoadLibraryW 34069->34084 34089 427295 CreateFileW 34069->34089 34070->34069 34071->34065 34071->34067 34071->34068 34071->34069 34075 413fc8 34072->34075 34073 413fdb 34073->34069 34074 41518b 17 API calls 34076 414035 34074->34076 34075->34073 34075->34074 34077 390f2f __EH_prolog3 34076->34077 34078 414043 34077->34078 34079 41518b 17 API calls 34078->34079 34080 41404c 34079->34080 34080->34073 34081 413610 52 API calls 34080->34081 34082 41406d 34081->34082 34083 3f06a0 13 API calls 34082->34083 
34083->34073 34085 3f8310 FreeLibrary 34084->34085 34086 427235 34085->34086 34087 427241 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 34086->34087 34088 42723e 34086->34088 34087->34069 34088->34069 34090 38e076 CloseHandle 34089->34090 34091 4272c9 34090->34091 34091->34069 34092->34032 34094 38ce6d __EH_prolog3 34093->34094 34095 4140dd 34094->34095 34096 4140f2 34095->34096 34098 413fb6 52 API calls 34095->34098 34097 38ce6d __EH_prolog3 34096->34097 34101 4147a0 34096->34101 34099 414104 34097->34099 34098->34096 34100 38ce6d __EH_prolog3 34099->34100 34118 414110 34100->34118 34103 45ab44 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 2 API calls 34101->34103 34102 38ce6d __EH_prolog3 34130 414213 _Atexit 34102->34130 34104 414803 34103->34104 34104->34047 34105 41469d 34134 427354 __EH_prolog3 34105->34134 34107 4146e0 34109 4146f9 34107->34109 34110 4146e9 34107->34110 34108 45ab63 std::_Facet_Register 2 API calls 34108->34130 34112 414710 CloseHandle 34109->34112 34132 414723 34109->34132 34144 4267bd 7 API calls 34110->34144 34112->34132 34113 4146f4 34113->34109 34114 414738 CloseHandle 34123 414745 std::ios_base::_Ios_base_dtor 34114->34123 34116 38ce6d __EH_prolog3 34116->34130 34117 4141d2 34119 390f2f __EH_prolog3 34117->34119 34120 4141e4 34118->34120 34143 4148d2 __EH_prolog3 __EH_prolog3 34118->34143 34119->34120 34120->34102 34121 427222 6 API calls 34121->34130 34122 42716a 3 API calls 34122->34123 34123->34101 34123->34122 34124 41518b 17 API calls 34124->34130 34125 414552 FindFirstFileW 34126 414596 FindClose 34125->34126 34127 4144cf _Atexit 34125->34127 34126->34127 34127->34125 34128 427295 2 API calls 34127->34128 34127->34130 34128->34127 34129 427295 2 API calls 34129->34130 34130->34105 34130->34108 34130->34116 34130->34121 34130->34124 34130->34127 34130->34129 34131 3fabd0 31 API calls 34130->34131 34130->34132 34133 3f06a0 13 API calls 34130->34133 34131->34130 34132->34114 34132->34123 34133->34130 34135 
427391 CreateThread 34134->34135 34136 427371 CreateEventW 34134->34136 34138 4273f3 WaitForSingleObject GetExitCodeThread 34135->34138 34142 4273bd 34135->34142 34137 38e076 CloseHandle 34136->34137 34140 427384 34137->34140 34139 42741f CloseHandle 34138->34139 34141 427429 34138->34141 34139->34141 34140->34135 34141->34107 34142->34138 34143->34117 34144->34113 34145 389d13 34146 389d34 34145->34146 34156 3c71fd 34146->34156 34159 42c11f 34146->34159 34169 3882f2 34146->34169 34147 389d59 34148 389d7d GetWindowLongW CallWindowProcW 34147->34148 34149 389d65 CallWindowProcW 34147->34149 34150 389dcc 34147->34150 34148->34150 34151 389db2 GetWindowLongW 34148->34151 34149->34150 34151->34150 34152 389dbe SetWindowLongW 34151->34152 34152->34150 34180 3c722d 34156->34180 34158 3c7221 34158->34147 34160 42c13b 34159->34160 34163 42c145 34159->34163 34161 42c17f 34160->34161 34160->34163 34164 42c18b 34160->34164 34220 47f53f __EH_prolog3_GS 34161->34220 34163->34147 34164->34163 34165 42c33d 34164->34165 34167 42c352 34164->34167 34231 47eecc __EH_prolog3 __EH_prolog3 34165->34231 34167->34163 34232 47ed98 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 34167->34232 34175 3883a6 34169->34175 34179 38830a 34169->34179 34170 3884b4 34171 3885fa 34170->34171 34170->34175 34176 388623 34170->34176 34243 3880f4 CallWindowProcW IsWindow SendMessageW 34171->34243 34173 388615 34173->34175 34173->34176 34174 3885d4 CallWindowProcW 34239 38cc09 __EH_prolog3 34174->34239 34175->34147 34176->34175 34244 388282 __EH_prolog3 34176->34244 34179->34170 34179->34174 34179->34175 34181 3c7243 34180->34181 34182 3c7250 34180->34182 34181->34182 34183 3c7307 34181->34183 34184 3c72c3 34181->34184 34182->34158 34185 3c730c RedrawWindow 34183->34185 34186 3c732d 34183->34186 34184->34182 34196 3880d1 34184->34196 34185->34182 34186->34182 34188 3c733b 34186->34188 34192 3c7350 34186->34192 34212 3c808d 6 API calls 34188->34212 34192->34182 34193 3c73cd 34192->34193 
34213 3c8214 __EH_prolog3_catch_GS SendMessageW 34193->34213 34195 3c73df 34195->34182 34197 3880da CallWindowProcW 34196->34197 34198 3880f1 34196->34198 34197->34198 34199 3c7b6a __EH_prolog3_catch_GS 34198->34199 34214 3c8555 __EH_prolog3 34199->34214 34201 3c7b91 34202 3c7cda 34201->34202 34203 3c8555 5 API calls 34201->34203 34202->34182 34204 3c7bac 34203->34204 34205 3c8555 5 API calls 34204->34205 34206 3c7bb4 _Atexit 34205->34206 34206->34202 34207 3c7c1b GetParent GetDC 34206->34207 34208 3c7c46 34207->34208 34209 3c7c9d GetParent ReleaseDC 34208->34209 34210 3c7c4a InflateRect 34208->34210 34209->34202 34211 3c7c96 34210->34211 34211->34209 34212->34182 34213->34195 34215 3c856b EnterCriticalSection 34214->34215 34218 3c85cd 34214->34218 34216 3c85b9 LeaveCriticalSection 34215->34216 34217 3c8596 LoadLibraryW 34215->34217 34216->34218 34217->34216 34219 3c85b2 FreeLibrary 34217->34219 34218->34201 34219->34216 34233 390b79 __EH_prolog3 BeginPaint 34220->34233 34222 47f558 GetClientRect 34235 390a93 __EH_prolog3 CreateCompatibleDC CreateCompatibleBitmap SelectObject SetViewportOrgEx 34222->34235 34224 47f582 34225 47f58c GetParent SendMessageW FillRect 34224->34225 34226 47f5bb 34224->34226 34225->34226 34237 3909f1 BitBlt SelectObject DeleteObject DeleteDC 34226->34237 34228 47f5e3 34238 390b1a EndPaint DeleteDC 34228->34238 34230 47f5ef 34230->34163 34231->34163 34232->34163 34234 390baf 34233->34234 34234->34222 34236 390b17 34235->34236 34236->34224 34237->34228 34238->34230 34240 38cd4f 34239->34240 34241 38cc25 34239->34241 34240->34170 34241->34240 34242 38cd42 DestroyAcceleratorTable 34241->34242 34242->34240 34243->34173 34244->34175 34245 392414 __EH_prolog3_GS 34246 392430 34245->34246 34260 392539 ~refcount_ptr 34245->34260 34261 3b0155 __EH_prolog3 34246->34261 34248 39243f 34249 3925e2 __EH_prolog3 34248->34249 34250 392463 ~refcount_ptr 34249->34250 34265 47cbd6 34250->34265 34253 3924ab EqualRect 34254 39255f 34253->34254 34255 3924c1 
34253->34255 34269 47c6f0 34254->34269 34268 3908bf __EH_prolog3 34255->34268 34258 3924f4 34259 47c6f0 16 API calls 34258->34259 34259->34260 34262 3b0172 34261->34262 34263 3b0192 34261->34263 34262->34263 34274 3b0327 __EH_prolog3_GS 34262->34274 34263->34248 34281 47cb21 __EH_prolog3 GetDC GetDeviceCaps 34265->34281 34267 3924a1 34267->34253 34267->34254 34268->34258 34272 47c709 34269->34272 34270 47c766 34270->34260 34272->34270 34283 390683 __EH_prolog3 34272->34283 34285 390bb2 15 API calls 34272->34285 34275 3b034b 34274->34275 34276 3b0356 34275->34276 34278 3b036e ~refcount_ptr 34275->34278 34277 384b8e 19 API calls 34276->34277 34280 3b0369 ~refcount_ptr 34277->34280 34279 3b0327 19 API calls 34278->34279 34278->34280 34279->34280 34280->34263 34282 47cb49 34281->34282 34282->34267 34284 3906b2 34283->34284 34284->34272 34285->34272 34293 3a02ca 34294 45ab63 std::_Facet_Register 2 API calls 34293->34294 34295 3a02f6 CreateThread 34294->34295 34296 3a0326 std::ios_base::_Ios_base_dtor 34295->34296 34297 3a0287 34295->34297 34302 45ab55 34297->34302 34299 3a029a __set_se_translator 34300 3a02c2 34299->34300 34301 3a02b0 SetUnhandledExceptionFilter 34299->34301 34301->34300 34303 45ab60 34302->34303 34303->34299 34304 457874 34305 457884 34304->34305 34306 457905 34305->34306 34307 4578e1 34305->34307 34309 457aac 34306->34309 34310 45797d LoadLibraryExA 34306->34310 34312 4579de 34306->34312 34314 4579f0 34306->34314 34308 4578ec RaiseException 34307->34308 34308->34309 34311 457990 GetLastError 34310->34311 34310->34312 34316 4579b9 34311->34316 34318 4579a3 34311->34318 34312->34314 34315 4579e9 FreeLibrary 34312->34315 34313 457a4e GetProcAddress 34313->34309 34317 457a5e GetLastError 34313->34317 34314->34309 34314->34313 34315->34314 34319 4579c4 RaiseException 34316->34319 34320 457a71 34317->34320 34318->34312 34318->34316 34319->34309 34320->34309 34321 457a92 RaiseException 34320->34321 34322 457aa9 34321->34322 34322->34309 34323 4280b3 
__EH_prolog3 34324 4280d7 SendMessageW 34323->34324 34325 4280f8 34324->34325 34342 38889a 10 API calls 34325->34342 34327 42811a 34343 38716b CreateWindowExW 34327->34343 34329 428151 IsWindow 34330 428187 34329->34330 34331 42815e SendMessageW 34329->34331 34344 3f5bb0 34330->34344 34332 3c1bda 34331->34332 34332->34330 34334 428195 34349 41610d __EH_prolog3 34334->34349 34336 4281a7 SetWindowTextW 34337 4281ba 34336->34337 34338 428205 34337->34338 34341 4281f4 EnableWindow 34337->34341 34339 428242 SetEvent 34338->34339 34340 428249 34338->34340 34339->34340 34341->34338 34342->34327 34343->34329 34353 3f68d0 LoadLibraryW 34344->34353 34347 3f68d0 3 API calls 34348 3f5be0 SendMessageW SendMessageW 34347->34348 34348->34334 34350 416124 34349->34350 34352 416132 34350->34352 34358 416169 34350->34358 34352->34336 34354 3f692c GetProcAddress 34353->34354 34355 3f693c 34353->34355 34354->34355 34356 3f69aa FreeLibrary 34355->34356 34357 3f5bce 34355->34357 34356->34357 34357->34347 34361 416176 34358->34361 34359 4161be 34359->34352 34361->34359 34362 4279e8 __EH_prolog3 34361->34362 34364 427a0a 34362->34364 34363 427a26 GetFileVersionInfoSizeW 34365 427a3b 34363->34365 34369 427a48 _wcslen 34363->34369 34364->34363 34366 427a66 GetFileVersionInfoW 34365->34366 34365->34369 34367 427a7d 34366->34367 34366->34369 34368 38ce6d __EH_prolog3 34367->34368 34368->34369 34369->34359 34370 3d1d8c __EH_prolog3_GS 34373 3a4fcc __EH_prolog3_GS 34370->34373 34372 3d1d9f ~refcount_ptr 34376 3af75f __EH_prolog3_GS 34373->34376 34375 3a4fe7 ~refcount_ptr 34375->34372 34377 3af784 34376->34377 34378 3af802 34377->34378 34380 3af89b 34377->34380 34381 3af7d2 ~refcount_ptr 34377->34381 34379 384b8e 19 API calls 34378->34379 34378->34381 34379->34381 34380->34381 34388 3af9b9 ~refcount_ptr 34380->34388 34389 39cbed __EH_prolog3 34380->34389 34381->34375 34383 3af90e 34384 384b8e 19 API calls 34383->34384 34386 3af938 ~refcount_ptr 34383->34386 34384->34386 34385 39cbed __EH_prolog3 

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003DAE8A
                                    • Part of subcall function 00440E68: __EH_prolog3_GS.LIBCMT ref: 00440E6F
                                    • Part of subcall function 003B98DE: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 003B9921
                                    • Part of subcall function 003B98DE: _wcslen.LIBCMT ref: 003B9946
                                    • Part of subcall function 003B98DE: LoadLibraryExW.KERNEL32(?,00000000,00000000,UxTheme.dll,00000000,004B9998,00000000,00000000,?,UxTheme.dll,00000000,0048C530,000000FF), ref: 003B9983
                                  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 003DAEAE
                                  • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 003DAEC3
                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003DAEDD
                                  • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 003DAEEB
                                  • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 003DAEF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: System$AddressH_prolog3_InfoProc$CurrentDirectoryLibraryLoadNativeProcess_wcslen
                                  • String ID: GetNativeSystemInfo$IsWow64Process$kernel32.dll
                                  • API String ID: 2250581848-3073145729
                                  • Opcode ID: 7da364bfe2b93a77e788add3b3629d9bb996a0dab22929ef93cca2fe6faa3142
                                  • Instruction ID: 82afe5d606d374fe2fb84288be4e9ce2eb784c09ee8c1b860cf127ce7c76fd9c
                                  • Opcode Fuzzy Hash: 7da364bfe2b93a77e788add3b3629d9bb996a0dab22929ef93cca2fe6faa3142
                                  • Instruction Fuzzy Hash: 8B31D6B2A14204ABDF259BB4ED45BFD77B8EF08315F10046BF506EB281DB748948CB66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Similarity
                                  • API ID: PathTemp$_wcslen
                                  • String ID:
                                  • API String ID: 1484985558-0
                                  • Opcode ID: 35974bd4d75cc3bc7c24fa12c9306074f64688b3c7b792024ff7bb93bcdf6a03
                                  • Instruction ID: 9623b92e642d2c6371f39f6f678e2ab6ab57fc5c2dc6cfa60612e1061ab3dc38
                                  • Opcode Fuzzy Hash: 35974bd4d75cc3bc7c24fa12c9306074f64688b3c7b792024ff7bb93bcdf6a03
                                  • Instruction Fuzzy Hash: DD82A0719102698FCB26DF25CC88BAEB7B4AF44314F1003E9E419A72D1DB74AE85CF95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003AC0C0
                                  • ShowWindow.USER32(?,00000000,0000001C,003A6D28,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003AC0E9
                                    • Part of subcall function 003ABF55: __EH_prolog3.LIBCMT ref: 003ABF5C
                                    • Part of subcall function 003ABD71: __EH_prolog3_GS.LIBCMT ref: 003ABD78
                                    • Part of subcall function 003ABD71: SetWindowRgn.USER32(00000004,00000000,00000001), ref: 003ABD9D
                                  • ShowWindow.USER32(?,00000005,?,?), ref: 003AC115
                                  • NtdllDefWindowProc_W.NTDLL(?,0000000C,?,?,?,0000001C,003A6D28,?,?,?,?,?,?,?,?,?), ref: 003AC14D
                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003AC163
                                  • NtdllDefWindowProc_W.NTDLL(?,00000080,?,?,?,0000001C,003A6D28,?,?,?,?,?,?,?,?,?), ref: 003AC19B
                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003AC1B1
                                    • Part of subcall function 003AC813: __EH_prolog3.LIBCMT ref: 003AC81A
                                    • Part of subcall function 003AC813: GetWindowDC.USER32(?,?,?), ref: 003AC8A3
                                    • Part of subcall function 003AC813: TrackMouseEvent.USER32(?,?,?), ref: 003AC900
                                    • Part of subcall function 003AC813: DeleteDC.GDI32(?), ref: 003AC916
                                  Similarity
                                  • API ID: Window$H_prolog3H_prolog3_LongNtdllProc_Show$DeleteEventMouseTrack
                                  • String ID:
                                  • API String ID: 1043770805-0
                                  • Opcode ID: e9084c76eb458108dc02ec256232cbc1df6c2e54b4d47cb8857f0f1f869b0327
                                  • Instruction ID: ffabac6628e5bbf5db424c3a58762dae43b5a230639fa25354cff510dba99145
                                  • Opcode Fuzzy Hash: e9084c76eb458108dc02ec256232cbc1df6c2e54b4d47cb8857f0f1f869b0327
                                  • Instruction Fuzzy Hash: F1A1A378A20205DFDF269FA0C855BBDBBB5FF4A320F259519E802EB290DB359C40DB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _wcslen.LIBCMT ref: 003FD70F
                                  • _wcslen.LIBCMT ref: 003FD748
                                  • HeapFree.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,?), ref: 003FD96F
                                  • _wcslen.LIBCMT ref: 003FDE94
                                  • _wcslen.LIBCMT ref: 003FE1EB
                                    • Part of subcall function 00384906: __EH_prolog3_catch.LIBCMT ref: 0038490D
                                  • _wcslen.LIBCMT ref: 003FE7CC
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen$FreeH_prolog3_catchHeap
                                  • String ID:
                                  • API String ID: 3622430539-0
                                  • Opcode ID: 8c2fb50c6cb4ceba6d10df6dd75b0d466b30d7686475f364062ab94d99413edf
                                  • Instruction ID: b2d773c8b82ab0a67e84c971be070b33edd0c0f88eb0721cccfef45596d2d3dc
                                  • Opcode Fuzzy Hash: 8c2fb50c6cb4ceba6d10df6dd75b0d466b30d7686475f364062ab94d99413edf
                                  • Instruction Fuzzy Hash: D8E2F571D0020DCFCF15DFA8C884BAEB7B6AF44314F25426EE516EB291DB34AA44CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryW.KERNEL32(ComCtl32.dll,36685827,?,?,00000000), ref: 003F690C
                                  • GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 003F6932
                                  • FreeLibrary.KERNEL32(00000000), ref: 003F69AB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Library$AddressFreeLoadProc
                                  • String ID: ComCtl32.dll$LoadIconMetric
                                  • API String ID: 145871493-764666640
                                  • Opcode ID: 315f8cb1142f7264ec1812d31938c89fdbd5db1a487e4aaa68009128ee035a90
                                  • Instruction ID: ef070648aa5ee66d86342d397b675e8a047bf2f0538a1339191594b5f1a8fd29
                                  • Opcode Fuzzy Hash: 315f8cb1142f7264ec1812d31938c89fdbd5db1a487e4aaa68009128ee035a90
                                  • Instruction Fuzzy Hash: 10216B71A04219ABDB118F98CD15BBFBFB9EB45750F10022AF929E3290D7B95D009BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000008,?,003888B1,?,0038F5D6), ref: 00457EB3
                                  • HeapAlloc.KERNEL32(00000000,?,003888B1,?,0038F5D6), ref: 00457EBA
                                  • GetProcessHeap.KERNEL32(00000000,00000000,?,003888B1,?,0038F5D6), ref: 00457F00
                                  • HeapFree.KERNEL32(00000000,?,003888B1,?,0038F5D6), ref: 00457F07
                                    • Part of subcall function 00457D4D: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00457EF6,00000000,?,003888B1,?,0038F5D6), ref: 00457D71
                                    • Part of subcall function 00457D4D: HeapAlloc.KERNEL32(00000000,?,00457EF6,00000000,?,003888B1,?,0038F5D6), ref: 00457D78
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Heap$Process$Alloc$Free
                                  • String ID: PA8
                                  • API String ID: 1864747095-1386033528
                                  • Opcode ID: aaded6238f0805f8898a21f0947eb7e2bd025622ac0b0247379c598c3682d679
                                  • Instruction ID: e7a070e535c8d6b02b24592fc22748b0679dc808881785b1f67e0f3cb4e3f24f
                                  • Opcode Fuzzy Hash: aaded6238f0805f8898a21f0947eb7e2bd025622ac0b0247379c598c3682d679
                                  • Instruction Fuzzy Hash: 82F0B47324C71197C7312B79BC0DAAB2E699F827A3711407AF906C6391DE288C0587A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0038CE6D: __EH_prolog3.LIBCMT ref: 0038CE74
                                    • Part of subcall function 00427222: LoadLibraryW.KERNEL32(?,004142CD,?,?,00000000,?), ref: 00427224
                                  • CloseHandle.KERNEL32(?,00000000,36685827,00000000,?), ref: 0041473B
                                    • Part of subcall function 00427295: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0041461D,?,00000000,00000000,?), ref: 004272B7
                                    • Part of subcall function 0038D133: __EH_prolog3.LIBCMT ref: 0038D13A
                                  • CloseHandle.KERNEL32(?,00000000,36685827,00000000,?), ref: 00414716
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CloseH_prolog3Handle$CreateFileLibraryLoad
                                  • String ID:
                                  • API String ID: 2926328726-0
                                  • Opcode ID: dddef2f2069137c980861cf9b5529f074b43945c92e3c392cb9757bcbc30f234
                                  • Instruction ID: 115c2d54e3e10588f4efe1e439f7e641d7c663dc1422e83d28790694848e1e9e
                                  • Opcode Fuzzy Hash: dddef2f2069137c980861cf9b5529f074b43945c92e3c392cb9757bcbc30f234
                                  • Instruction Fuzzy Hash: 7D428C70D00249DFCF15EFA4C884BEEBBB1BF45304F1441AEE415AB291DB786A89CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 003FA3AD
                                  • FindClose.KERNEL32(00000000), ref: 003FA40F
                                    • Part of subcall function 0038D89E: __CxxThrowException@8.LIBVCRUNTIME ref: 0038D870
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Find$CloseException@8FileFirstThrow
                                  • String ID:
                                  • API String ID: 721412918-0
                                  • Opcode ID: 4d010e0808686c08950e6457f3dfe497f5dc6fdc8c824c99d0d119fd8c1761ec
                                  • Instruction ID: 0cd04ae76421be00c3a9c06e5965671239c0dba92975e0ffb2481ae417d177c8
                                  • Opcode Fuzzy Hash: 4d010e0808686c08950e6457f3dfe497f5dc6fdc8c824c99d0d119fd8c1761ec
                                  • Instruction Fuzzy Hash: 8441D0B4904A08DBCB29DF56C88DB79B7F4FF05324F20829EEA1A97790D3B45944CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00423C2F
                                  • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,00000004,0040EB2A,00000001,00000000,?,?,Advinst_Estimate_), ref: 00423CB9
                                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,00000004,0040EB2A,00000001,00000000,?,?,Advinst_Estimate_,00000078), ref: 00423CD9
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Create$FileH_prolog3NamedPipe
                                  • String ID:
                                  • API String ID: 2150685081-0
                                  • Opcode ID: 3380e596c5106fc152d71bf6a71692d8912b63a2ed260b5b19cb1971efacb860
                                  • Instruction ID: 7572210a3082e40a64da585773a1c76d2c2de1da041d21f6f5476cf132f4001b
                                  • Opcode Fuzzy Hash: 3380e596c5106fc152d71bf6a71692d8912b63a2ed260b5b19cb1971efacb860
                                  • Instruction Fuzzy Hash: 2A21FE70204352BFEB15DF24D845B69BB71AB00300F40826EF865AB2D2CB38AA41CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0038CE6D: __EH_prolog3.LIBCMT ref: 0038CE74
                                  • FindFirstFileW.KERNEL32(?,00000000,00000000,?), ref: 00414CD4
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00498AB2,000000FF), ref: 00414D03
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Find$CloseFileFirstH_prolog3
                                  • String ID:
                                  • API String ID: 81873102-0
                                  • Opcode ID: df75b228d11ab7d510e746a4527e57f04e6e4ae664088a99d37d96059de0bf36
                                  • Instruction ID: 5ee6377b070a1caefeb18604566b52555b9841a36b901af56767b4cd4e515b54
                                  • Opcode Fuzzy Hash: df75b228d11ab7d510e746a4527e57f04e6e4ae664088a99d37d96059de0bf36
                                  • Instruction Fuzzy Hash: E5818D71D04258DFDF15DFA4DC85BEEBBB4BF44304F14416AE905A7282EB386A09CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0045B922
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 0045B941
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Exception@8FeaturePresentProcessorThrow
                                  • String ID:
                                  • API String ID: 2073180564-0
                                  • Opcode ID: ae58005d6a1134f7e7c212c2da7cc38b1a7dc50545bf75022b0911dd37216264
                                  • Instruction ID: f06c9a43f2ca16d1b0ae7daf671f2d0c9fb9f640dac959c5c5c42ef20dbd8e2a
                                  • Opcode Fuzzy Hash: ae58005d6a1134f7e7c212c2da7cc38b1a7dc50545bf75022b0911dd37216264
                                  • Instruction Fuzzy Hash: 3851E0B19012098FDB14CFA9D885BAEB7F4FB44315F10822BD814E7351D7789D15CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __set_se_translator.LIBVCRUNTIME ref: 003A029F
                                  • SetUnhandledExceptionFilter.KERNEL32(003F5380), ref: 003A02B5
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled__set_se_translator
                                  • String ID:
                                  • API String ID: 2480343447-0
                                  • Opcode ID: 0f9f6b78c7b0844166cb7651952f5a194a3180f327779d16a3b7a1d49f0d1e30
                                  • Instruction ID: 89aa9e6b32fd51e19e6f53cc98d56360a75992e943d7ede046c6b2e0b99943a3
                                  • Opcode Fuzzy Hash: 0f9f6b78c7b0844166cb7651952f5a194a3180f327779d16a3b7a1d49f0d1e30
                                  • Instruction Fuzzy Hash: EDE02636600200BEC3115351AD0DF4A3F548BA6711F05405AF70023152CD6558089362
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,00000000,00000000), ref: 0041B3CF
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: DiskFreeSpace
                                  • String ID:
                                  • API String ID: 1705453755-0
                                  • Opcode ID: 12a178a07a63d93cf057aa43b1b5415dcf358f968656127391a9eebadc905078
                                  • Instruction ID: e93a2c64ffd132978b384b97c53c2f3f1d1e4d545501f1662a36707e41d5be5d
                                  • Opcode Fuzzy Hash: 12a178a07a63d93cf057aa43b1b5415dcf358f968656127391a9eebadc905078
                                  • Instruction Fuzzy Hash: D941E531904355CBCB30DF2488416EBB3E4EF90744F158A6FE8D897281E36889C9D7DA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (image not preserved; legend: Executed / Not Executed)
                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003A594B
                                  • __Init_thread_footer.LIBCMT ref: 003A64A5
                                    • Part of subcall function 00395BC3: _wcslen.LIBCMT ref: 00395BEB
                                    • Part of subcall function 0039B8F1: __EH_prolog3.LIBCMT ref: 0039B8F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3H_prolog3_Init_thread_footer_wcslen
                                  • String ID: #i:$; <$; <$?$AI_CONTROL_VISUAL_STYLE$Billboard$Bitmap$C <$CheckBox$CheckList$ComboBox$CommandLinkButton$DirectUIHost$DirectoryCombo$DirectoryList$Edit$GlassIcon$GlassText$GroupBox$HtmlHost$Hyperlink$Icon$ImageAnimation$ImageButton$ImageCheckBox$InstancesList$Line$ListBox$ListView$MaskedEdit$P&9$P&9$P&9$P&9$P&9$P&9$PathEdit$PrerequisiteSelector$ProgressBar$PushButton$QuickSelectionList$QuickSelectionTree$RadioButton$RadioButtonGroup$ScrollableText$SelectionTree$StyledProgressBar$TabHost$Text$VLine$VolumeCostList$VolumeSelectCombo$s=<${7<${=<$$=
                                  • API String ID: 434531219-1608398822
                                  • Opcode ID: cc48da4e892dddb344c9b0c98f67822ae9d52c91c8f1bd4a5fb7d8facb0106f5
                                  • Instruction ID: e5866e5552d6aa6d93127d32ca03b232a3c8ca61cf51828d244d71d12318ec6f
                                  • Opcode Fuzzy Hash: cc48da4e892dddb344c9b0c98f67822ae9d52c91c8f1bd4a5fb7d8facb0106f5
                                  • Instruction Fuzzy Hash: 4552D270A04304AACF17EF65C446AED7BE2EF49744F28814EF9056F2C2CB784A46D799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (image not preserved; legend: Executed / Not Executed)
                                  APIs
                                  • RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000,36685827,36685827), ref: 003F45A4
                                  • RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?), ref: 003F45DF
                                  • RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 003F465A
                                  • RegCloseKey.ADVAPI32(00000000), ref: 003F487E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: QueryValue$CloseOpen
                                  • String ID: I?$BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
                                  • API String ID: 1586453840-3868538847
                                  • Opcode ID: 36dce5fac9d6f39f176902890329cc48c1526a9128bea62f2209e2941176e6ff
                                  • Instruction ID: b82b29a75bc4d5d6c20a55588d601eecd6f3daeb31fb27f34a163082d84cf7cc
                                  • Opcode Fuzzy Hash: 36dce5fac9d6f39f176902890329cc48c1526a9128bea62f2209e2941176e6ff
                                  • Instruction Fuzzy Hash: 7581C634B1035CCBDB259B15ED40BB7B3B4EB4A344F1141BADA05A7A81EB399E44CF46
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00413617
                                  • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000034,004274D6,00000000,?,00000000,?,?,?,?,?), ref: 004136B6
                                  • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413A80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ChangeCloseErrorFindH_prolog3LastNotification
                                  • String ID: Error:$Failed to extract file:$Not enough disk space to extract file:
                                  • API String ID: 3773764224-4103669389
                                  • Opcode ID: e7ea81d006690143e57e8608fd711edcc041ccd58de7c543fe9dd6e2fceab2a5
                                  • Instruction ID: 97ee08fd5a19cb0cb3f726b82ede2675aae4c7ddb04e5005aaf6c14046ac0288
                                  • Opcode Fuzzy Hash: e7ea81d006690143e57e8608fd711edcc041ccd58de7c543fe9dd6e2fceab2a5
                                  • Instruction Fuzzy Hash: 42E1C371900208AFDF15EF64C885BEE7BB4AF44314F14805EF845AB292DB789E45CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000,36685827,?), ref: 003F42AF
                                  • RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?), ref: 003F42F6
                                  • RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 003F4315
                                  • RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 003F4344
                                  • RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?), ref: 003F43B9
                                  • RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 003F440B
                                  • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 003F4489
                                  • GetProcAddress.KERNEL32(00000000), ref: 003F4490
                                  • GetCurrentProcess.KERNEL32(?), ref: 003F44BB
                                  • RegCloseKey.ADVAPI32(00000000), ref: 003F4500
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: QueryValue$AddressCloseCurrentHandleModuleOpenProcProcess
                                  • String ID: I?$CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$Software\Microsoft\Windows NT\CurrentVersion$kernel32
                                  • API String ID: 3667490055-4107839500
                                  • Opcode ID: 3ff5d487dacac031ec8ab5b71bc96b9684c81f2fb71f4976c0de2f3762a0af77
                                  • Instruction ID: 6a41378c915af8c490bda9be507532dd158b2ae6b1199c79bf55a56d1d262054
                                  • Opcode Fuzzy Hash: 3ff5d487dacac031ec8ab5b71bc96b9684c81f2fb71f4976c0de2f3762a0af77
                                  • Instruction Fuzzy Hash: 437140B590021CDFDB21CF65DD45BAABBB8FB04704F0101AAE608A7191E7745A88CF59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00416EF5
                                  • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,00000000,SystemFolder,0000021C,00416C72,?,00000001,?,00000000,00000000,?,00000000), ref: 00416FF9
                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00417068
                                  • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,WindowsFolder,00000000,System32Folder,00000000,SystemFolder,0000021C,00416C72,?,00000001,?,00000000,00000000,?), ref: 004170B1
                                  • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,WindowsVolume,00000000,WindowsFolder,00000000,System32Folder,00000000,SystemFolder,0000021C,00416C72,?,00000001,?,00000000), ref: 0041710C
                                  • GetTempPathW.KERNEL32(00000104,?,00000000,WindowsVolume,00000000,WindowsFolder,00000000,System32Folder,00000000,SystemFolder,0000021C,00416C72,?,00000001,?,00000000), ref: 0041713B
                                  • _wcslen.LIBCMT ref: 0041715F
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,WindowsVolume,00000000,WindowsFolder,00000000,System32Folder,00000000,SystemFolder,0000021C,00416C72,?,00000001,?), ref: 004171A8
                                  • _wcslen.LIBCMT ref: 004171E8
                                  • _wcslen.LIBCMT ref: 00417006
                                    • Part of subcall function 003870E1: __EH_prolog3.LIBCMT ref: 00387141
                                    • Part of subcall function 003FBA00: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000), ref: 003FBA0E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Directory_wcslen$PathWindows$EnvironmentFileFolderH_prolog3H_prolog3_ModuleNameSystemTempVariable
                                  • String ID: ProgramFiles64Folder$ProgramW6432$SETUPEXEDIR$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume
                                  • API String ID: 2287091684-866398512
                                  • Opcode ID: 6bce07ee26347763451c392db3ec9785948f407e1f8f539d9fc9940112bebc92
                                  • Instruction ID: 218e3162806e4cefc6baf214f2e476c098fd038b60b0fe8932505588f5a8a3e1
                                  • Opcode Fuzzy Hash: 6bce07ee26347763451c392db3ec9785948f407e1f8f539d9fc9940112bebc92
                                  • Instruction Fuzzy Hash: CFB1D771944318ABDF25EFA0D889BEE7775AF44310F2041EAE406972E1DB388E85CF49
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003ABD78
                                  • SetWindowRgn.USER32(00000004,00000000,00000001), ref: 003ABD9D
                                  • GetWindowRect.USER32(00000004,?), ref: 003ABDB4
                                  • MonitorFromWindow.USER32(?,00000002), ref: 003ABDD2
                                  • GetMonitorInfoW.USER32(00000000,?), ref: 003ABDF0
                                  • CopyRect.USER32(?,?), ref: 003ABDFE
                                  • OffsetRect.USER32(?,?,?), ref: 003ABE14
                                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 003ABEEB
                                  • SetWindowRgn.USER32(?,00000000,00000001), ref: 003ABF14
                                  • DeleteObject.GDI32(00000000), ref: 003ABF2E
                                  • DeleteObject.GDI32(00000000), ref: 003ABF43
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: RectWindow$DeleteMonitorObject$CopyCreateFromH_prolog3_InfoOffset
                                  • String ID: (
                                  • API String ID: 2239609088-3887548279
                                  • Opcode ID: bf41e25fc603deaa0fb1951b6818da4e042738f11510559c024cedb9e658932a
                                  • Instruction ID: 144c69ef203541e907278df340b9c5add666c69e2a66c58d3e2a0b385863e5f1
                                  • Opcode Fuzzy Hash: bf41e25fc603deaa0fb1951b6818da4e042738f11510559c024cedb9e658932a
                                  • Instruction Fuzzy Hash: EF614372D00218AFDB01DFA4DD48BEEBBBAEF49711F14412AF506EB291DB749904CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • __EH_prolog3_catch_GS.LIBCMT ref: 003A87BD
                                  • GetDC.USER32(00000000), ref: 003A87D8
                                  • KiUserCallbackDispatcher.NTDLL(?), ref: 003A8802
                                  • GetCurrentThreadId.KERNEL32 ref: 003A88ED
                                    • Part of subcall function 003B368B: __EH_prolog3_GS.LIBCMT ref: 003B3692
                                    • Part of subcall function 003ADEC5: GetWindowLongW.USER32(00000001,000000F0), ref: 003ADEDE
                                    • Part of subcall function 003ADEC5: GetParent.USER32(00000001), ref: 003ADEF7
                                    • Part of subcall function 003ADEC5: GetWindowRect.USER32(00000001,?), ref: 003ADF14
                                    • Part of subcall function 003ADEC5: GetWindowLongW.USER32(00000000,000000F0), ref: 003ADF29
                                    • Part of subcall function 003ADEC5: MonitorFromWindow.USER32(00000001,00000002), ref: 003ADF4E
                                    • Part of subcall function 003ADEC5: GetMonitorInfoW.USER32(00000000,?), ref: 003ADF66
                                  • GetDC.USER32(00000000), ref: 003A894D
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003A8956
                                  • MulDiv.KERNEL32(00000010,00000000,00000060), ref: 003A8961
                                  • SendMessageW.USER32(00000000,00000127,00030003,00000000), ref: 003A898C
                                    • Part of subcall function 003A9071: GetClientRect.USER32(00000001,?), ref: 003A90C9
                                    • Part of subcall function 003A9071: GetWindowRect.USER32(00000001,?), ref: 003A90D5
                                    • Part of subcall function 003A9071: GetWindowLongW.USER32(00000001,000000EC), ref: 003A90EA
                                    • Part of subcall function 003A9071: GetWindowRect.USER32(00000001,?), ref: 003A9134
                                  • SetWindowTextW.USER32(00000000,00000000), ref: 003A89CB
                                  Strings
                                  • AI_HIDE_CAPTION_ICON_AND_TEXT_ALL, xrefs: 003A881C
                                  • AI_HIDE_CAPTION_ICON_AND_TEXT, xrefs: 003A8898
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$Rect$Long$Monitor$CallbackCapsClientCurrentDeviceDispatcherFromH_prolog3_H_prolog3_catch_InfoMessageParentSendTextThreadUser
                                  • String ID: AI_HIDE_CAPTION_ICON_AND_TEXT$AI_HIDE_CAPTION_ICON_AND_TEXT_ALL
                                  • API String ID: 3286036512-1831360935
                                  • Opcode ID: 1ad9250141ab08a2941630b8e9e4cd5302dcd24db24526f986a35a9c7b2bba67
                                  • Instruction ID: 5e5bb4b8a24b7e933e6aeca22285d8e0e9e5d9d70a92a9a7c51bf08a211754a7
                                  • Opcode Fuzzy Hash: 1ad9250141ab08a2941630b8e9e4cd5302dcd24db24526f986a35a9c7b2bba67
                                  • Instruction Fuzzy Hash: 2F918F71A00605DFCB15EF78C995BEDBBB5FF46300F14859DE4466B2A2CB34AA08CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003D019B
                                    • Part of subcall function 003A4FCC: __EH_prolog3_GS.LIBCMT ref: 003A4FD3
                                    • Part of subcall function 00392E7C: __EH_prolog3_GS.LIBCMT ref: 00392E83
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 003D0298
                                  • RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 003D02AA
                                  • SendMessageW.USER32(?,00000443,00000000), ref: 003D02F1
                                  • _wcslen.LIBCMT ref: 003D032C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_$Window_wcslen$MessageRedrawSend
                                  • String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI$p)P
                                  • API String ID: 1874328965-2008716959
                                  • Opcode ID: 90197a320b91d6f52fe1cbeaca2b2cd85eac3081f6780601f88eb2ed86ba13e5
                                  • Instruction ID: 48392dafedbad9d4bc3480f64872d7ed945b7f2adf7cd0ab02d6a8cb7a8000d9
                                  • Opcode Fuzzy Hash: 90197a320b91d6f52fe1cbeaca2b2cd85eac3081f6780601f88eb2ed86ba13e5
                                  • Instruction Fuzzy Hash: 4961BF30700605AFDB09EB74C899BECBBB1FF88301F504259F556AB2E1DB74AA15CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00414EC3
                                    • Part of subcall function 0041B2EA: GetDiskFreeSpaceExW.KERNEL32(?,?,00000000,00000000), ref: 0041B3CF
                                  • _wcslen.LIBCMT ref: 00414F36
                                  • _wcslen.LIBCMT ref: 00414F4B
                                  • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000), ref: 00414FF4
                                  • SetFilePointer.KERNEL32(00000000,7FFFFFFF,00000000,00000000,00000000,?,?,?,?,?,?,?,Advinst_Estimate_,00000078), ref: 0041504D
                                  • SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,Advinst_Estimate_,00000078), ref: 00415056
                                  • FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,Advinst_Estimate_,00000078), ref: 0041506F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: File$_wcslen$ChangeCloseCreateDiskFindFreeH_prolog3NotificationPointerSpace
                                  • String ID: %sholder%d.aiph$Not enough disk space to extract file:
                                  • API String ID: 994655853-929304071
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryW.KERNEL32(?,004142CD,?,?,00000000,?), ref: 00427224
                                    • Part of subcall function 003F8310: FreeLibrary.KERNEL32(00000000,?,?,00427235,00000000), ref: 003F8324
                                  • GetProcAddress.KERNEL32(00000000,InitExtraction), ref: 0042724E
                                  • GetProcAddress.KERNEL32(GetTotalFilesSize), ref: 00427260
                                  • GetProcAddress.KERNEL32(ExtractAllFiles), ref: 00427272
                                  • GetProcAddress.KERNEL32(EndExtraction), ref: 00427284
                                  Strings
                                  Similarity
                                  • API ID: AddressProc$Library$FreeLoad
                                  • String ID: EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
                                  • API String ID: 2449869053-3462492388
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 004279EF
                                    • Part of subcall function 003870E1: __EH_prolog3.LIBCMT ref: 00387141
                                  • GetFileVersionInfoSizeW.KERNELBASE(00000000,?,?,00000024,004161BE,?,?,00416132,?,00000000,004281A7,00000000), ref: 00427A2B
                                  • GetFileVersionInfoW.KERNELBASE(00000000,?,00000000,00000004,00000000,?,00000024,004161BE,?,?,00416132,?,00000000,004281A7,00000000), ref: 00427A6F
                                  • _wcslen.LIBCMT ref: 00427B0F
                                    • Part of subcall function 0038D133: __EH_prolog3.LIBCMT ref: 0038D13A
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3$FileInfoVersion$Size_wcslen
                                  • String ID: '~B$ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                                  • API String ID: 2100699890-1376308463
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_catch_GS.LIBCMT ref: 003C7B71
                                    • Part of subcall function 003C8555: __EH_prolog3.LIBCMT ref: 003C855C
                                    • Part of subcall function 003C8555: EnterCriticalSection.KERNEL32(004FF498,00000008,003C7B91,00000078,003C72E9,?), ref: 003C8583
                                    • Part of subcall function 003C8555: LoadLibraryW.KERNEL32(uxtheme.dll), ref: 003C859B
                                    • Part of subcall function 003C8555: FreeLibrary.KERNEL32(00000000), ref: 003C85B3
                                    • Part of subcall function 003C8555: LeaveCriticalSection.KERNEL32(004FF498), ref: 003C85BA
                                  • GetParent.USER32(?), ref: 003C7C24
                                  • GetDC.USER32(00000000), ref: 003C7C2B
                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 003C7C52
                                  • GetParent.USER32(?), ref: 003C7CA0
                                  • ReleaseDC.USER32(00000000,?), ref: 003C7CAA
                                  Strings
                                  Similarity
                                  • API ID: CriticalLibraryParentSection$EnterFreeH_prolog3H_prolog3_catch_InflateLeaveLoadRectRelease
                                  • String ID: edit$p)P
                                  • API String ID: 2445989971-4126515195
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlDecodePointer.NTDLL(?,?,?,00457F37,004FE314,?,?,?,?,00390564,?,?,?,00000000,C000008C,00000001), ref: 00457C4E
                                  • LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00457F37,004FE314,?,?,?,?,00390564,?,?), ref: 00457C66
                                  • DecodePointer.KERNEL32(?), ref: 00457CE2
                                  Strings
                                  Similarity
                                  • API ID: DecodePointer$LibraryLoad
                                  • String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
                                  • API String ID: 1423960858-1745123996
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 003EFD80
                                  • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 003EFD90
                                  • RegOpenKeyExW.KERNEL32(?,'Xh6,00000000,00000007,00000000), ref: 003EFDC5
                                  • RegCloseKey.ADVAPI32(00000000), ref: 003EFDD6
                                  Strings
                                  Similarity
                                  • API ID: AddressCloseHandleModuleOpenProc
                                  • String ID: 'Xh6$Advapi32.dll$RegOpenKeyTransactedW
                                  • API String ID: 823179699-2846445684
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0043BF5C
                                    • Part of subcall function 003ED470: _wcslen.LIBCMT ref: 003ED5F5
                                  • CopyFileW.KERNEL32(?,00000000,00000000,?,?,AIE), ref: 0043C2F3
                                  Strings
                                  Similarity
                                  • API ID: CopyFileH_prolog3__wcslen
                                  • String ID: AIE$OriginalDatabase$SourceDir$=;
                                  • API String ID: 1244746073-2750120455
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 003DFBEA
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 003DFC0C
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 003DFC34
                                  • __Getctype.LIBCPMT ref: 003DFD07
                                  • std::_Facet_Register.LIBCPMT ref: 003DFD69
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 003DFD9B
                                  Strings
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                  • String ID: @r>
                                  • API String ID: 1102183713-1404260877
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0038A017
                                  • SetLastError.KERNEL32(0000000E,00000008,003BB06C,?,?,00000000,50009385,00000000,00000001,?,?), ref: 0038A033
                                    • Part of subcall function 00389AAD: __EH_prolog3.LIBCMT ref: 00389B46
                                    • Part of subcall function 00389AAD: EnterCriticalSection.KERNEL32(005026C4,00000078,00000004,00387B04,00000000), ref: 00389B80
                                    • Part of subcall function 00389AAD: GetClassInfoExW.USER32(00000000,?,?), ref: 00389BBC
                                    • Part of subcall function 00389AAD: GetClassInfoExW.USER32(00000000,?,?), ref: 00389BCC
                                    • Part of subcall function 00389AAD: LeaveCriticalSection.KERNEL32(005026C4), ref: 00389BDB
                                  • GetCurrentThreadId.KERNEL32 ref: 0038A06B
                                  • EnterCriticalSection.KERNEL32(005026C4), ref: 0038A085
                                  • LeaveCriticalSection.KERNEL32(005026C4), ref: 0038A0A6
                                  • CreateWindowExW.USER32(?,?,?,?,?,000000FF,?,00000000,?,?,00000000), ref: 0038A100
                                    • Part of subcall function 00457EAE: GetProcessHeap.KERNEL32(00000008,00000008,?,003888B1,?,0038F5D6), ref: 00457EB3
                                    • Part of subcall function 00457EAE: HeapAlloc.KERNEL32(00000000,?,003888B1,?,0038F5D6), ref: 00457EBA
                                  Strings
                                  Similarity
                                  • API ID: CriticalSection$ClassEnterH_prolog3HeapInfoLeave$AllocCreateCurrentErrorLastProcessThreadWindow
                                  • String ID: AXWIN UI Window
                                  • API String ID: 540679101-1592869507
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003D3FE2
                                  • DeleteObject.GDI32(?), ref: 003D4002
                                  • GetDC.USER32(00000000), ref: 003D4023
                                  • CreateCompatibleBitmap.GDI32(00000000,00000000,?), ref: 003D4028
                                  • GetDC.USER32(00000000), ref: 003D403C
                                  • CreateCompatibleDC.GDI32(00000000), ref: 003D403F
                                  • SelectObject.GDI32(00000000,?), ref: 003D404D
                                  • DeleteDC.GDI32(00000000), ref: 003D4077
                                  Similarity
                                  • API ID: CompatibleCreateDeleteObject$BitmapH_prolog3Select
                                  • String ID:
                                  • API String ID: 3648269949-0
                                  • Opcode ID: fe466a7a6e3361a888f13d2a8dbce71943f28221a8d57b38fe05283351733557
                                  • Instruction ID: 02f676c88749752dbb768e0a831b4a9a35ccbe7ac594229cd289eb93f3b849b1
                                  • Opcode Fuzzy Hash: fe466a7a6e3361a888f13d2a8dbce71943f28221a8d57b38fe05283351733557
                                  • Instruction Fuzzy Hash: 63219772C0020AAFCF12DFA4DC48BBE7BB5FF49310F014029E910A7260CB748920EBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID:
                                  • API String ID: 176396367-0
                                  • Opcode ID: 141948f5e10e88a4ccf3750cbf0751525526ae6d1421a4aeacc9803cb9cb5d4c
                                  • Instruction ID: 6655b86a940c6ae4e2b0ae90cd07b0e2b48c6026f16585bd6aa421d042983453
                                  • Opcode Fuzzy Hash: 141948f5e10e88a4ccf3750cbf0751525526ae6d1421a4aeacc9803cb9cb5d4c
                                  • Instruction Fuzzy Hash: 53C19FB1A006099FCB16DFA8C995BADFBF0FF54314F24826DE609AB391D735A900CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0038BC08
                                  • EnterCriticalSection.KERNEL32(004FF498), ref: 0038BC41
                                  • GetModuleFileNameW.KERNEL32(?,00000104), ref: 0038BCC2
                                  • LoadTypeLib.OLEAUT32(?,00000000), ref: 0038BCF1
                                  • EnterCriticalSection.KERNEL32(004FF49C), ref: 0038BE3E
                                  • LeaveCriticalSection.KERNEL32(004FF49C), ref: 0038BE65
                                  • LeaveCriticalSection.KERNEL32(004FF498), ref: 0038BEE3
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterLeave$FileH_prolog3_LoadModuleNameType
                                  • String ID:
                                  • API String ID: 222087261-0
                                  • Opcode ID: 5b6a665ca89cd349497d67f336307f4f29af095f7395fb78bfb55ecac3cb2675
                                  • Instruction ID: 02262e97053ddf76e5420467a3f52628949b8e48632528904ad2acbd86151cbc
                                  • Opcode Fuzzy Hash: 5b6a665ca89cd349497d67f336307f4f29af095f7395fb78bfb55ecac3cb2675
                                  • Instruction Fuzzy Hash: 1991813190131AEFDB22DF64DC88BA9B7B4AF15314F2580E8E848A7251CB75AE85CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 003E5B0D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003E5B70
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 003E5BA9
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 003E5BE7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: std::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw___std_exception_destroy
                                  • String ID: u>$bad locale name
                                  • API String ID: 1472905059-4006850306
                                  • Opcode ID: f40b30f5edd0cc57fa890f863c381c2459e53c7503b005e98bbdbf3ff24b306a
                                  • Instruction ID: 8d42a989c80bfa42e4a214940526d6cf921374f69d4c644ab53086370b68fea2
                                  • Opcode Fuzzy Hash: f40b30f5edd0cc57fa890f863c381c2459e53c7503b005e98bbdbf3ff24b306a
                                  • Instruction Fuzzy Hash: EE310570804788EFD710CFA8C801B8ABFF8EB05714F1086AEE459977C1D779A608CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,0038CF06,00462EBA,00462EBA,?,?,?,0046FB80,00000001,00000001,C2E85006), ref: 0046F989
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0046FB80,00000001,00000001,C2E85006,?,?,?), ref: 0046FA0F
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,C2E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0046FB09
                                  • __freea.LIBCMT ref: 0046FB16
                                    • Part of subcall function 0046E6D9: RtlAllocateHeap.NTDLL(00000000,00000000,00000004,?,0046F7AA,?,00000000,?,0046379C,00000000,00000004,004FF2F0,00000000,004FF2EC,?,0046DC89), ref: 0046E70B
                                  • __freea.LIBCMT ref: 0046FB1F
                                  • __freea.LIBCMT ref: 0046FB44
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                  • String ID:
                                  • API String ID: 1414292761-0
                                  • Opcode ID: d192b568bc577cbab0d183d43b587712b1fc48eae1305ae3ac95b9e8982f13c7
                                  • Instruction ID: 17572c822d4a3235813dc462cec94a709cd90b422d072f64000fb0545d50d796
                                  • Opcode Fuzzy Hash: d192b568bc577cbab0d183d43b587712b1fc48eae1305ae3ac95b9e8982f13c7
                                  • Instruction Fuzzy Hash: ED5105B2700206ABDB248E65EC51EBB77A9EB40B54F14423EFD44D6240FB38EC58C65A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: __cftoe
                                  • String ID:
                                  • API String ID: 4189289331-0
                                  • Opcode ID: deed2b77a52ccf25931a637dfd53bb7a38be02a6b79926126bbf2fee917c5439
                                  • Instruction ID: d08002acb8dcfa3c89ebfe941f5fc727458387745fe7a31bd6411c8635c6305b
                                  • Opcode Fuzzy Hash: deed2b77a52ccf25931a637dfd53bb7a38be02a6b79926126bbf2fee917c5439
                                  • Instruction Fuzzy Hash: FA51FA32900205ABDB255B5ADD85AAF77A8EF44364F10411FF815D6382FB39D9C086EE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003A171A
                                    • Part of subcall function 003A1ADB: __EH_prolog3.LIBCMT ref: 003A1AE2
                                    • Part of subcall function 003A22EA: __EH_prolog3.LIBCMT ref: 003A22F1
                                    • Part of subcall function 003A22EA: GetDC.USER32(?), ref: 003A2309
                                  • GetWindowRect.USER32(?,?), ref: 003A174B
                                    • Part of subcall function 0038F36F: __EH_prolog3.LIBCMT ref: 0038F376
                                    • Part of subcall function 0038F36F: CreateCompatibleDC.GDI32(00000001), ref: 0038F3A1
                                    • Part of subcall function 0038F36F: CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 0038F3BC
                                    • Part of subcall function 0038F36F: SelectObject.GDI32(?,00000000), ref: 0038F3C8
                                  • SendMessageW.USER32(?,00000317,?,00000014), ref: 003A177A
                                  • CreatePatternBrush.GDI32(?), ref: 003A1787
                                  • GetSysColorBrush.USER32(0000000F), ref: 003A1791
                                  • DeleteObject.GDI32(?), ref: 003A17ED
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CreateH_prolog3$BrushCompatibleObject$BitmapColorDeleteH_prolog3_MessagePatternRectSelectSendWindow
                                  • String ID:
                                  • API String ID: 594943665-0
                                  • Opcode ID: d18c010ce40f5736fa00ac7c2e2616316639e5bbf8f3063053cf3561a1930da4
                                  • Instruction ID: bce152b4df0375da1be7df17c74cabef4f37e25c938d19bfbf82882faa4eab66
                                  • Opcode Fuzzy Hash: d18c010ce40f5736fa00ac7c2e2616316639e5bbf8f3063053cf3561a1930da4
                                  • Instruction Fuzzy Hash: 2231A131E012089BDB06EFA4C880BAEB7B5FF1A700F158168F801AF255DB719D04DB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0042735B
                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000010,004146E0,00000000,36685827,00000000,?), ref: 00427375
                                    • Part of subcall function 0038E076: CloseHandle.KERNEL32(00000000,?,?,004220EC,00000000,?,00000010,004138F4,00000008, Error:,00000000,Failed to extract file:,00000000,00000104,-00000010,00000000), ref: 0038E08A
                                  • CreateThread.KERNEL32 ref: 0042739E
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?,00000010,004146E0,00000000,36685827,00000000,?), ref: 004273F6
                                  • GetExitCodeThread.KERNEL32(00000000,?,?,00000000,?,00000010,004146E0,00000000,36685827,00000000,?), ref: 00427401
                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,00000010,004146E0,00000000,36685827,00000000,?), ref: 00427420
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CloseCreateHandleThread$CodeEventExitH_prolog3ObjectSingleWait
                                  • String ID:
                                  • API String ID: 2885973556-0
                                  • Opcode ID: 96b90c11b82ced98d07587102d85d6599834f5645076073d67b1cf2c7c6f3e43
                                  • Instruction ID: 325e39d23b11d8e0960b6d070f84d2472418d9f49bec1b101eeb0243c468acd8
                                  • Opcode Fuzzy Hash: 96b90c11b82ced98d07587102d85d6599834f5645076073d67b1cf2c7c6f3e43
                                  • Instruction Fuzzy Hash: 4A317C71604210AFC720DF69CC8486BBBF8FF89714710455EF4569B361CB74A904CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00392E83
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3__wcslen
                                  • String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
                                  • API String ID: 3251556500-932585912
                                  • Opcode ID: 203be8bb02c010849d36f70ef96ed30dd5851e103aeaed726e8544c76a0db641
                                  • Instruction ID: 9622a4d9b6ec88b13d20018746fd5ce15e3742d43af5d5d9e2d7b8220e1be616
                                  • Opcode Fuzzy Hash: 203be8bb02c010849d36f70ef96ed30dd5851e103aeaed726e8544c76a0db641
                                  • Instruction Fuzzy Hash: B291A370804748DFCF19EFE8C995AEEB7B4BF15304F14459DE042AB292DB34AA49CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003DA308
                                    • Part of subcall function 003DA68C: __EH_prolog3.LIBCMT ref: 003DA693
                                    • Part of subcall function 0043501A: __EH_prolog3_GS.LIBCMT ref: 00435021
                                    • Part of subcall function 0043501A: _wcslen.LIBCMT ref: 00435063
                                    • Part of subcall function 004373F7: __EH_prolog3_GS.LIBCMT ref: 004373FE
                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 003DA57E
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?), ref: 003DA5E3
                                  Strings
                                  • Unable to start installation error code: %u, xrefs: 003DA5AB
                                  • 1aC, xrefs: 003DA4A3
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_$EventH_prolog3ObjectSingleWait_wcslen
                                  • String ID: 1aC$Unable to start installation error code: %u
                                  • API String ID: 628248422-3467555673
                                  • Opcode ID: 9170023f1f28ac8cb32c4dc11f8e9d57ca2978ed9d911c1d9048d9d814ae4384
                                  • Instruction ID: 005ffe6b72325a932595eb047b48963da13295d231bbaca31c097ed7ff158f5a
                                  • Opcode Fuzzy Hash: 9170023f1f28ac8cb32c4dc11f8e9d57ca2978ed9d911c1d9048d9d814ae4384
                                  • Instruction Fuzzy Hash: 29B17875801219CFCB21EF64D988BDDBBB0AF19304F1481EAE44AAB351DB749B88CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0040EAB0
                                    • Part of subcall function 00423BEA: __EH_prolog3.LIBCMT ref: 00423BF1
                                    • Part of subcall function 0038D91C: __EH_prolog3.LIBCMT ref: 0038D923
                                    • Part of subcall function 0038D91C: _wcslen.LIBCMT ref: 0038D953
                                    • Part of subcall function 00404000: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00404038
                                    • Part of subcall function 00404000: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0040405F
                                    • Part of subcall function 003FB880: FindResourceW.KERNEL32(00000000,?,00000006,36685827,?,?,00000000,?,00000000,00482A28,000000FF,?,0040EAFB,?,Advinst_Estimate_,00000078), ref: 003FB912
                                    • Part of subcall function 003FB880: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,00000000,00000000,00000000,00000000), ref: 003FB94B
                                    • Part of subcall function 003FB880: WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 003FB989
                                    • Part of subcall function 004090A7: __EH_prolog3.LIBCMT ref: 004090AE
                                    • Part of subcall function 00423C28: __EH_prolog3.LIBCMT ref: 00423C2F
                                    • Part of subcall function 0038D133: __EH_prolog3.LIBCMT ref: 0038D13A
                                    • Part of subcall function 00423C28: CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,00000004,0040EB2A,00000001,00000000,?,?,Advinst_Estimate_), ref: 00423CB9
                                    • Part of subcall function 00423C28: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,00000004,0040EB2A,00000001,00000000,?,?,Advinst_Estimate_,00000078), ref: 00423CD9
                                  • SetEvent.KERNEL32(?,?,00000000,?,00000001,00000001,00000000,?,00000000,?,?,?,?,?,Advinst_Extract_,00000001), ref: 0040EC66
                                  • SetEvent.KERNEL32(?,?,00000001,00000000,?,00000000,?,?,?,?,?,Advinst_Extract_,00000001,00000000,?,?), ref: 0040ECA5
                                    • Part of subcall function 0041509C: DeleteFileW.KERNEL32(00000000,00000000,?,?,00000000,0040ECF3,?,?,?,?,?), ref: 004150BB
                                    • Part of subcall function 0038CE6D: __EH_prolog3.LIBCMT ref: 0038CE74
                                    • Part of subcall function 00416322: __EH_prolog3.LIBCMT ref: 00416329
                                    • Part of subcall function 00412331: __EH_prolog3.LIBCMT ref: 00412338
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3$ByteCharMultiWide$CreateEventFile$DeleteFindNamedPipeResource_wcslen
                                  • String ID: Advinst_Estimate_$Advinst_Extract_
                                  • API String ID: 2202072997-4085305062
                                  • Opcode ID: e897024b6d07ca2f57ec3768f60f912af90714b9ed8c834aff3eb1b2f9c2882e
                                  • Instruction ID: a8f7d7c2fea9698dfe37cf2b9772ce64b8ec4441f2fb39f048194919b8a630e1
                                  • Opcode Fuzzy Hash: e897024b6d07ca2f57ec3768f60f912af90714b9ed8c834aff3eb1b2f9c2882e
                                  • Instruction Fuzzy Hash: B3914970D04249EADF0AEFA0C955BEDBBB4AF24304F50409EE4457B192DB786B08CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00427605
                                    • Part of subcall function 00427777: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,00000000), ref: 0042779D
                                  • GetTempPathW.KERNEL32(00000104,0041740C,00000000,?,00000001,?,?,?,0041740C,?,00000000), ref: 0042765A
                                  • GetTempFileNameW.KERNEL32(0041740C,shim_clone,00000000,?,?,?,?,?,?,00000001,?,?,?,0041740C,?,00000000), ref: 00427687
                                    • Part of subcall function 00424591: LoadLibraryW.KERNEL32(kernel32.dll,?,?,0041C43A), ref: 004245A7
                                    • Part of subcall function 00424591: GetProcAddress.KERNEL32(76EB0000,Wow64DisableWow64FsRedirection), ref: 004245CE
                                    • Part of subcall function 00424591: GetProcAddress.KERNEL32(Wow64RevertWow64FsRedirection), ref: 004245E0
                                    • Part of subcall function 00424591: GetProcAddress.KERNEL32(IsWow64Process), ref: 004245F2
                                    • Part of subcall function 00424591: GetCurrentProcess.KERNEL32(00000000,?,00000000,?,?,0041C43A), ref: 00424603
                                  • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000001,?,?,?,0041740C,?,00000000), ref: 004276CC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: AddressProc$FilePathTemp$CopyCurrentFolderH_prolog3_LibraryLoadNameProcess
                                  • String ID: shim_clone
                                  • API String ID: 3637544-3944563459
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003B0214
                                    • Part of subcall function 003EBC50: GetTempPathW.KERNEL32(00000000,36685827,00000001,?,36685827,00000001), ref: 003EB9E4
                                    • Part of subcall function 003EBC50: GetTempPathW.KERNEL32(?,00000001,00000001,?), ref: 003EB9FD
                                  • GetCurrentProcessId.KERNEL32(00000054,003AF308,?,?,?,003AF33A,0000007C,003AF1FC), ref: 003B0229
                                    • Part of subcall function 003DBCA0: __cftof.LIBCMT ref: 003DBCF1
                                    • Part of subcall function 003DBCA0: _wcslen.LIBCMT ref: 003DBD0D
                                    • Part of subcall function 00399E4A: __EH_prolog3.LIBCMT ref: 00399E51
                                    • Part of subcall function 00399E4A: _wcslen.LIBCMT ref: 00399E62
                                    • Part of subcall function 003B047C: __EH_prolog3_GS.LIBCMT ref: 003B0483
                                    • Part of subcall function 003ED470: _wcslen.LIBCMT ref: 003ED5F5
                                  • PathFileExistsW.SHLWAPI(00000000,?,00000000), ref: 003B029C
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 003B02CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Path_wcslen$H_prolog3_Temp$CreateCurrentDirectoryExistsFileH_prolog3Process__cftof
                                  • String ID: AI_EXTUI_BIN_
                                  • API String ID: 1369423564-1897379104
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 003B9921
                                    • Part of subcall function 0038D91C: __EH_prolog3.LIBCMT ref: 0038D923
                                    • Part of subcall function 0038D91C: _wcslen.LIBCMT ref: 0038D953
                                  • _wcslen.LIBCMT ref: 003B9946
                                  • _wcslen.LIBCMT ref: 003B995F
                                  • LoadLibraryExW.KERNEL32(?,00000000,00000000,UxTheme.dll,00000000,004B9998,00000000,00000000,?,UxTheme.dll,00000000,0048C530,000000FF), ref: 003B9983
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen$DirectoryH_prolog3LibraryLoadSystem
                                  • String ID: UxTheme.dll
                                  • API String ID: 1947405184-352951104
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0046E6D9: RtlAllocateHeap.NTDLL(00000000,00000000,00000004,?,0046F7AA,?,00000000,?,0046379C,00000000,00000004,004FF2F0,00000000,004FF2EC,?,0046DC89), ref: 0046E70B
                                  • _free.LIBCMT ref: 0046A980
                                  • _free.LIBCMT ref: 0046A997
                                  • _free.LIBCMT ref: 0046A9B6
                                  • _free.LIBCMT ref: 0046A9D1
                                  • _free.LIBCMT ref: 0046A9E8
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _free$AllocateHeap
                                  • String ID:
                                  • API String ID: 3033488037-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 00389D72
                                  • GetWindowLongW.USER32(?,000000FC), ref: 00389D88
                                  • CallWindowProcW.USER32(?,?,00000082,?,?), ref: 00389D9E
                                  • GetWindowLongW.USER32(?,000000FC), ref: 00389DB7
                                  • SetWindowLongW.USER32(?,000000FC,?), ref: 00389DC6
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$Long$CallProc
                                  • String ID:
                                  • API String ID: 513923721-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0042791B
                                    • Part of subcall function 004275FB: __EH_prolog3_GS.LIBCMT ref: 00427605
                                    • Part of subcall function 004275FB: GetTempPathW.KERNEL32(00000104,0041740C,00000000,?,00000001,?,?,?,0041740C,?,00000000), ref: 0042765A
                                    • Part of subcall function 004275FB: GetTempFileNameW.KERNEL32(0041740C,shim_clone,00000000,?,?,?,?,?,?,00000001,?,?,?,0041740C,?,00000000), ref: 00427687
                                    • Part of subcall function 004275FB: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000001,?,?,?,0041740C,?,00000000), ref: 004276CC
                                  • GetFileVersionInfoSizeW.KERNELBASE(?,?,?,00000020,004278EC,?,?,00000000,?,00000001,?,?,?,0041740C,?,00000000), ref: 00427944
                                  • GetFileVersionInfoW.KERNELBASE(?,?,?,?,00000000,?,00000020,004278EC,?,?,00000000,?,00000001), ref: 00427970
                                  • GetLastError.KERNEL32(?,00000020,004278EC,?,?,00000000,?,00000001,?,?,?,0041740C,?,00000000), ref: 004279B5
                                  • DeleteFileW.KERNEL32(?,?,00000020,004278EC,?,?,00000000,?,00000001,?,?,?,0041740C,?,00000000), ref: 004279CA
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: File$InfoTempVersion$CopyDeleteErrorH_prolog3H_prolog3_LastNamePathSize
                                  • String ID:
                                  • API String ID: 908379794-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0047F546
                                    • Part of subcall function 00390B79: __EH_prolog3.LIBCMT ref: 00390B80
                                    • Part of subcall function 00390B79: BeginPaint.USER32(?,?,00000004,0038FC52,?,?,?,?,?,?,0038F278,?,?,?,?,?), ref: 00390B9C
                                  • GetClientRect.USER32(00000000,?), ref: 0047F56A
                                    • Part of subcall function 00390A93: __EH_prolog3.LIBCMT ref: 00390A9A
                                    • Part of subcall function 00390A93: CreateCompatibleDC.GDI32(00000001), ref: 00390ACA
                                    • Part of subcall function 00390A93: CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 00390AE2
                                    • Part of subcall function 00390A93: SelectObject.GDI32(?,00000000), ref: 00390AEE
                                    • Part of subcall function 00390A93: SetViewportOrgEx.GDI32(?,00000000,?,00000000), ref: 00390B06
                                  • GetParent.USER32(00000001), ref: 0047F58F
                                  • SendMessageW.USER32(00000000,00000135,?,00000001), ref: 0047F5A4
                                  • FillRect.USER32(?,?,00000000), ref: 0047F5B5
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CompatibleCreateH_prolog3Rect$BeginBitmapClientFillH_prolog3_MessageObjectPaintParentSelectSendViewport
                                  • String ID:
                                  • API String ID: 1078749280-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$Destroy
                                  • String ID: 'Xh6
                                  • API String ID: 3707531092-479216549
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LCMapStringEx.KERNEL32(?,00461C2D,00000010,?,?,00462EBA,?,?,00000000,?,?,?,?,?,0046295E), ref: 0047054D
                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,C2E85006,00000001,?,000000FF), ref: 0047056B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: String
                                  • String ID: LCMapStringEx$PA8
                                  • API String ID: 2568140703-58543709
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3Init_thread_footer
                                  • String ID: (&P$,&P
                                  • API String ID: 537467459-1047188568
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0038DD49: CreateEventW.KERNEL32(00000000,00000000,00000000,?,?,?,00386420,Caphyon.AI.ExtUI.IEClickSoundRemover,?,?,?,003A944B,?,00000000), ref: 0038DD56
                                    • Part of subcall function 0038DD49: GetLastError.KERNEL32(00000000,?,?,00386420,Caphyon.AI.ExtUI.IEClickSoundRemover,?,?,?,003A944B,?,00000000), ref: 0038DD69
                                  • SetEvent.KERNEL32(?), ref: 0041C036
                                  • CreateThread.KERNEL32 ref: 0041C05D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CreateEvent$ErrorLastThread
                                  • String ID: h>K$h>K
                                  • API String ID: 387812677-4248433645
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadStringW.USER32(00380000,0000FDE9,?,00000100), ref: 0040033E
                                  • LoadStringW.USER32(?,?,?,00000001), ref: 004003DC
                                  • SysFreeString.OLEAUT32(00000000), ref: 004004F1
                                  • SysAllocString.OLEAUT32 ref: 00400515
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: String$Load$AllocFree
                                  • String ID:
                                  • API String ID: 1561515232-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0042CC7C
                                  • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000020,0042D4C0,?), ref: 0042CCB3
                                  • WriteFile.KERNEL32(?,?,0000C800,0000C800,00000000,?,?,00000008,0000C800,?,?,?,00000000), ref: 0042CD0C
                                  • CloseHandle.KERNEL32(?,?,?,00000008,0000C800,?,?,?,00000000), ref: 0042CD3D
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: File$CloseCreateH_prolog3HandleWrite
                                  • String ID:
                                  • API String ID: 2284221589-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00423FE4
                                  • ConnectNamedPipe.KERNEL32(?,00000000,00000004,00423F50,?,000000FF,00000000,00000008,0040ECB7,?,?,?,?,?,?,Advinst_Extract_), ref: 00423FF6
                                  • GetLastError.KERNEL32(?,?,?,?,?,Advinst_Extract_,00000001,00000000,?,?,Advinst_Estimate_,00000078), ref: 00424000
                                  • ReadFile.KERNEL32(?,?,00007F90,00000000,00000000,00000004,00423F50,?,000000FF,00000000,00000008,0040ECB7,?), ref: 00424024
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ConnectErrorFileH_prolog3LastNamedPipeRead
                                  • String ID:
                                  • API String ID: 1078819359-0
                                  • Opcode ID: f575c2007918bd24f2fe15429562446c30c0ec0fe0f915678ca643f576498c23
                                  • Instruction ID: 2c187ab3e64b09399989e8db779bb54163d7b2fc0ca5d85606b763ed313a20d6
                                  • Opcode Fuzzy Hash: f575c2007918bd24f2fe15429562446c30c0ec0fe0f915678ca643f576498c23
                                  • Instruction Fuzzy Hash: 791170306042599FDF31EF10DC09FAE7B65FF80304F40846ABA165A2E1DB789951CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0042D255
                                    • Part of subcall function 0042DF8B: __EH_prolog3_catch.LIBCMT ref: 0042DF92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_H_prolog3_catch
                                  • String ID: Name${Binary Data}
                                  • API String ID: 3862090230-874704490
                                  • Opcode ID: 7266b3e513dd540f0f4141fb005d38bc9e50df44599e73d6339d7e1b66e860be
                                  • Instruction ID: 42c09ccd2cd2b1befb54b5d389469d5704d8f27240340222a11fcfff22b18e9e
                                  • Opcode Fuzzy Hash: 7266b3e513dd540f0f4141fb005d38bc9e50df44599e73d6339d7e1b66e860be
                                  • Instruction Fuzzy Hash: D4F12470D00269DFDB24DBA4D984BEDBBB4BF14304F5080EAE109A6290DB749E85CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 004539DE
                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004539EF
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                    • Part of subcall function 003B047C: __EH_prolog3_GS.LIBCMT ref: 003B0483
                                    • Part of subcall function 003ED470: _wcslen.LIBCMT ref: 003ED5F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3__wcslen$DirectorySystem
                                  • String ID: msi.dll
                                  • API String ID: 501040740-3974507041
                                  • Opcode ID: 99e481613c8918f858a4e3582eff3ce7dc6e065de35f8eef5e1c180c54aa720d
                                  • Instruction ID: 10c14c25934ed9701d3e41b935688b02e83d6001bb60ba18c1bf2c6f9982a4a2
                                  • Opcode Fuzzy Hash: 99e481613c8918f858a4e3582eff3ce7dc6e065de35f8eef5e1c180c54aa720d
                                  • Instruction Fuzzy Hash: 5841A0718026689ACB15EB68CD8DADDBB78EF51301F2041DAE409A7191EB746F84CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • IsWindow.USER32(00000003), ref: 003D2016
                                  • KiUserCallbackDispatcher.NTDLL(00000003,00000000), ref: 003D2026
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CallbackDispatcherUserWindow
                                  • String ID: P&9
                                  • API String ID: 3289301729-254213262
                                  • Opcode ID: 562aa2346af109c7bb4d982a970444b095704d371509cefadc35d4d6038e973a
                                  • Instruction ID: cfbd8d1185bb2bdceeca51e578f4e67e54edefd594cb55cc8a3d4adef5291fe2
                                  • Opcode Fuzzy Hash: 562aa2346af109c7bb4d982a970444b095704d371509cefadc35d4d6038e973a
                                  • Instruction Fuzzy Hash: D2217C71904604DFDB15DFA8D985BEBBBF8FB08710F104A2EE06A97290DB746A04CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _wcslen.LIBCMT ref: 003EFE8C
                                  • RegSetValueExW.KERNELBASE(?,00000002,00000000,00000002,?,00000000,?), ref: 003EFEA4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Value_wcslen
                                  • String ID: 'Xh6
                                  • API String ID: 1203960817-479216549
                                  • Opcode ID: a9a9ee2cd2039d2031da73f59bede380a23453227a39ea76b8fcdf452754e5d8
                                  • Instruction ID: 6f9ffa2dcc1147424c9f45756e38837c14e35f8e050fdc85bffb915ebef4d0ab
                                  • Opcode Fuzzy Hash: a9a9ee2cd2039d2031da73f59bede380a23453227a39ea76b8fcdf452754e5d8
                                  • Instruction Fuzzy Hash: DD01F532110661AFDB25DF19DC89F6B7769FF90751F004139E400571A6D761BC28C6F2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0038716B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 003871AF
                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003D1920
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003D192B
                                    • Part of subcall function 0038889A: SetWindowLongW.USER32(?,000000FC,00000000), ref: 003888D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$CreateLong
                                  • String ID: STATIC
                                  • API String ID: 4015368215-1882779555
                                  • Opcode ID: bd8ec490b6baa7f21d4111a245e19244829f3f0a2a13fb914de5697e820ce832
                                  • Instruction ID: 41f48b4355f9597fd9a5e349ea13c8d47e4f7173640933dabae464d7d440c105
                                  • Opcode Fuzzy Hash: bd8ec490b6baa7f21d4111a245e19244829f3f0a2a13fb914de5697e820ce832
                                  • Instruction Fuzzy Hash: 9B019272610208BFCB059F49DC82DDFBBADEF89750B10006AF60197260C6B1AD10CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • IsWindow.USER32(00000004), ref: 003A4F56
                                  • DestroyWindow.USER32(00000004,?,?,?,004885BE,000000FF,?,0039283C,36685827,?,?,?,004847C7,000000FF), ref: 003A4F63
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$Destroy
                                  • String ID: P&9
                                  • API String ID: 3707531092-254213262
                                  • Opcode ID: cde6f0cd741ea26d229691d46a825cac0c0449587a3ec4dad45714008c5c8e56
                                  • Instruction ID: f36f7cf7c208007df33c723527d37155d0d30ca77d8d62127a79d621f4e1a13a
                                  • Opcode Fuzzy Hash: cde6f0cd741ea26d229691d46a825cac0c0449587a3ec4dad45714008c5c8e56
                                  • Instruction Fuzzy Hash: DA218E71404744EFC721DF64C909B9AFBF4FF05724F108A6ED0A6976A1D7B4AA04CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0038716B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 003871AF
                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003D0169
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003D0178
                                    • Part of subcall function 0038889A: SetWindowLongW.USER32(?,000000FC,00000000), ref: 003888D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$CreateLong
                                  • String ID: RichEdit20W
                                  • API String ID: 4015368215-4173859555
                                  • Opcode ID: c70378bfcdebc2ea75074c2de51a47b5d104e0bb9678d275c1eb2c21748b72ad
                                  • Instruction ID: 7f0471a467e54084d55b8fe9895d03e7a8c0ed6ca4902348285997beb05007aa
                                  • Opcode Fuzzy Hash: c70378bfcdebc2ea75074c2de51a47b5d104e0bb9678d275c1eb2c21748b72ad
                                  • Instruction Fuzzy Hash: D1014B72611228BBCB159F98DC45DDF3FA9EB09790F104059FA059B250C6719D10DBF4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003A9337
                                    • Part of subcall function 003D3092: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 003D30B0
                                    • Part of subcall function 003A9234: DestroyAcceleratorTable.USER32(?), ref: 003A9260
                                    • Part of subcall function 003A0579: __EH_prolog3.LIBCMT ref: 003A0580
                                    • Part of subcall function 003B164D: __EH_prolog3_GS.LIBCMT ref: 003B1654
                                  • CreateAcceleratorTableW.USER32(?,?), ref: 003A95EC
                                  • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 003A9678
                                    • Part of subcall function 003A9AAE: __EH_prolog3.LIBCMT ref: 003A9AB5
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: AcceleratorH_prolog3H_prolog3_MessageSendTable$CreateDestroy
                                  • String ID:
                                  • API String ID: 984245775-0
                                  • Opcode ID: 472e9214c9563b966eebd85e9afcde62d1fb4e758d958b26e574c91663f6374d
                                  • Instruction ID: ed90df82bd27cb96a31b6325e9eb14146a4f8facc085abe1a6349b951e8e6d6b
                                  • Opcode Fuzzy Hash: 472e9214c9563b966eebd85e9afcde62d1fb4e758d958b26e574c91663f6374d
                                  • Instruction Fuzzy Hash: 2CB14D71A002188FDF16DF68C885BDDB7B5FF4A310F1541AAE849AF252DB31AE45CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_catch.LIBCMT ref: 0042DF92
                                  • __EH_prolog3_catch.LIBCMT ref: 0042E153
                                    • Part of subcall function 0042E471: __EH_prolog3.LIBCMT ref: 0042E478
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_catch$H_prolog3
                                  • String ID:
                                  • API String ID: 3796446187-0
                                  • Opcode ID: d416d4b5524b249ce51a4867aafa29418d89e4282237595d9becc54cab93295e
                                  • Instruction ID: a3a75f6b071be6ccc3719778f21b01334aebfa59c04a1b4b77c1ddc4b8c87f54
                                  • Opcode Fuzzy Hash: d416d4b5524b249ce51a4867aafa29418d89e4282237595d9becc54cab93295e
                                  • Instruction Fuzzy Hash: 3D919E71E00219DFCF08DFA9D5805ADBBB5BF48310F64826EE915AB381DB749E01CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003C839E
                                    • Part of subcall function 003A5194: __EH_prolog3.LIBCMT ref: 003A519B
                                  • SendMessageW.USER32(?,000000CE,00000000,00000000), ref: 003C84A0
                                  • SendMessageW.USER32(?,000000BA,00000000,00000000), ref: 003C84B3
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSend$H_prolog3H_prolog3_
                                  • String ID:
                                  • API String ID: 1270747201-0
                                  • Opcode ID: e1787d54f7d9d090ec60de158c53630c8a1ca4a5822047901a523f9a18236278
                                  • Instruction ID: fbc8b5ed0eca316bcaf3941db2438a73f94a75e7ee6efa828e50e2b07af76777
                                  • Opcode Fuzzy Hash: e1787d54f7d9d090ec60de158c53630c8a1ca4a5822047901a523f9a18236278
                                  • Instruction Fuzzy Hash: 00519B70A00318DFDB24EF68C949B9DBBB0AF05314F1442D9E85AAB2D2CBB45E84CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_catch_GS.LIBCMT ref: 003A7B55
                                  • SetWindowTextW.USER32(00000005,00000000), ref: 003A7C81
                                  • KiUserCallbackDispatcher.NTDLL(00000005), ref: 003A7CB0
                                    • Part of subcall function 003AA572: KillTimer.USER32(00000001,00000001,?,003A7C40,?,?,?,0000008C,003A6C2F,00000001,?,00000001,00000001,?,?), ref: 003AA585
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CallbackDispatcherH_prolog3_catch_KillTextTimerUserWindow
                                  • String ID:
                                  • API String ID: 1080206543-0
                                  • Opcode ID: 139f0279cc345b53035664a5eb53399da1b0b80b8b963d2c174b02fa99d8c773
                                  • Instruction ID: 54f2e5ad67ea3281d7171501b6dd66841e16d4ace9272e50defb3e31a9b1823e
                                  • Opcode Fuzzy Hash: 139f0279cc345b53035664a5eb53399da1b0b80b8b963d2c174b02fa99d8c773
                                  • Instruction Fuzzy Hash: 7241A331904648DFCB16EFB8C895ADEBBB4FF16314F14859DE496AB292CF306A04CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: NamePathShort$H_prolog3
                                  • String ID:
                                  • API String ID: 1036993572-0
                                  • Opcode ID: d31ea196e66c220761971161d357487c4bd2d4fe3f4d02536656a37ca56c1b51
                                  • Instruction ID: a751f04394e38f0f83401327cae3b55622b1e37f22cec60d79d5a3df01a53d84
                                  • Opcode Fuzzy Hash: d31ea196e66c220761971161d357487c4bd2d4fe3f4d02536656a37ca56c1b51
                                  • Instruction Fuzzy Hash: 2021B171A00619EBCB16EF60C885BADBB61FF40760F108769F815AB2D1DB349A05CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FindCloseChangeNotification.KERNEL32(?,36685827,?,?,00000000,004820F0,000000FF,?,004152B5,00000000,36685827,?,?,?,?,00000000), ref: 0042719D
                                  • FreeLibrary.KERNEL32(00000000,36685827,?,?,00000000,004820F0,000000FF,?,004152B5,00000000,36685827,?,?,?,?,00000000), ref: 004271CE
                                  • CloseHandle.KERNEL32(?), ref: 00427207
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Close$ChangeFindFreeHandleLibraryNotification
                                  • String ID:
                                  • API String ID: 3807137154-0
                                  • Opcode ID: 15753ba19c02bdc887bb0a9843f0bb65cef22e9d572ca6bf2877f017a3dba1ae
                                  • Instruction ID: f3075f9406f0340857414afea23bac787df79f321c376968fd930d29095079af
                                  • Opcode Fuzzy Hash: 15753ba19c02bdc887bb0a9843f0bb65cef22e9d572ca6bf2877f017a3dba1ae
                                  • Instruction Fuzzy Hash: 731113B1A087109BD720CF6AEDC4B66BBE8FB09750B50453EA819D3390D778A914CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_catch_GS.LIBCMT ref: 00386532
                                  • IsWindow.USER32(00000004), ref: 00386588
                                  • IsWindow.USER32(00000004), ref: 0038659E
                                    • Part of subcall function 0038D060: __EH_prolog3.LIBCMT ref: 0038D067
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$H_prolog3H_prolog3_catch_
                                  • String ID:
                                  • API String ID: 3095529931-0
                                  • Opcode ID: 6a72e0ffea472ac73ae443eef45db598533b189e28448dd5459e1a8a1bfd6905
                                  • Instruction ID: a0c8b67ae17649509503adb14d20603812792eb2edbd80cd8a47955086c63904
                                  • Opcode Fuzzy Hash: 6a72e0ffea472ac73ae443eef45db598533b189e28448dd5459e1a8a1bfd6905
                                  • Instruction Fuzzy Hash: D6113A746007019FC729EF66C986D2BB7B1FF45701315C9ADA46B87A61DB31E800CB10
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003C7646
                                  • SendMessageW.USER32(?,00000435,00000000,?), ref: 003C7691
                                  • SendMessageW.USER32(?,00000449,00000002,?), ref: 003C76B8
                                    • Part of subcall function 003C8394: __EH_prolog3_GS.LIBCMT ref: 003C839E
                                    • Part of subcall function 003C8394: SendMessageW.USER32(?,000000CE,00000000,00000000), ref: 003C84A0
                                    • Part of subcall function 003C8394: SendMessageW.USER32(?,000000BA,00000000,00000000), ref: 003C84B3
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSend$H_prolog3_
                                  • String ID:
                                  • API String ID: 3491702567-0
                                  • Opcode ID: deff6df6a2478b0b45e403f102ba208987a557918aa505474f334614a33b034b
                                  • Instruction ID: fafba9d62acff324b94d6a638579aa3dfde82ad57e096b0bf44b4ee1ff0f32cc
                                  • Opcode Fuzzy Hash: deff6df6a2478b0b45e403f102ba208987a557918aa505474f334614a33b034b
                                  • Instruction Fuzzy Hash: 4C1106B5E00208EFCB05EFA9C9859EDBBB5FF48310F90012AE505A7250DB305A05CF64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?,003897C2,00000000,36685827,?,?,00483069,000000FF), ref: 00457F9E
                                  • HeapFree.KERNEL32(00000000,?,?,003897C2,00000000,36685827,?,?,00483069,000000FF), ref: 00457FA5
                                    • Part of subcall function 00457E13: GetProcessHeap.KERNEL32(00000000,?,?,00457F78,00000000,?,?,003897C2,00000000,36685827,?,?,00483069,000000FF), ref: 00457E2B
                                    • Part of subcall function 00457E13: HeapFree.KERNEL32(00000000,?,00457F78,00000000,?,?,003897C2,00000000,36685827,?,?,00483069,000000FF), ref: 00457E32
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID: PA8
                                  • API String ID: 3859560861-1386033528
                                  • Opcode ID: a2552522dbdca7285e6aee9ab61bcb8262a3a49d091752f33cc975bbd92d6049
                                  • Instruction ID: b15b482ab9a31d653689b6300ec1708bd08955286a90235e1b0616d6257f5ea1
                                  • Opcode Fuzzy Hash: a2552522dbdca7285e6aee9ab61bcb8262a3a49d091752f33cc975bbd92d6049
                                  • Instruction Fuzzy Hash: 5AF05E3310D3049BC6316B55BC09B6B7B659B81B53F14443BFD09422928A385844D6A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID: .msi
                                  • API String ID: 431132790-299543723
                                  • Opcode ID: d0b91dda4e8a529906e7fe7d4236fa011fca6009af4aaf1bda31649d7c5ff769
                                  • Instruction ID: 42274be6b63423cd60f57863f14bc8980a2d3cb48f7838700c48d08f07b88b12
                                  • Opcode Fuzzy Hash: d0b91dda4e8a529906e7fe7d4236fa011fca6009af4aaf1bda31649d7c5ff769
                                  • Instruction Fuzzy Hash: 9181D27090035AEFCF15EF64C991AEEBBB5BF44314F00451EE815AB291CBBC9A94CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00386344
                                    • Part of subcall function 0038798D: __EH_prolog3.LIBCMT ref: 00387994
                                    • Part of subcall function 0038798D: EnterCriticalSection.KERNEL32(005026C4,0000003C,00386D52,?,00000000,00000004,003865B2), ref: 003879AA
                                    • Part of subcall function 0038798D: RegisterClipboardFormatW.USER32(WM_ATLGETHOST), ref: 003879BF
                                    • Part of subcall function 0038798D: RegisterClipboardFormatW.USER32(WM_ATLGETCONTROL), ref: 003879CB
                                    • Part of subcall function 0038798D: GetClassInfoExW.USER32 ref: 003879EE
                                    • Part of subcall function 0038798D: LoadCursorW.USER32(00000000,00007F00), ref: 00387A22
                                    • Part of subcall function 0038798D: RegisterClassExW.USER32(00000030), ref: 00387A45
                                    • Part of subcall function 0038798D: GetClassInfoExW.USER32(AtlAxWinLic140,00000030), ref: 00387A8E
                                    • Part of subcall function 0038798D: LoadCursorW.USER32(00000000,00007F00), ref: 00387AC4
                                    • Part of subcall function 0038798D: RegisterClassExW.USER32(00000030), ref: 00387AE5
                                    • Part of subcall function 0038DD49: CreateEventW.KERNEL32(00000000,00000000,00000000,?,?,?,00386420,Caphyon.AI.ExtUI.IEClickSoundRemover,?,?,?,003A944B,?,00000000), ref: 0038DD56
                                    • Part of subcall function 0038DD49: GetLastError.KERNEL32(00000000,?,?,00386420,Caphyon.AI.ExtUI.IEClickSoundRemover,?,?,?,003A944B,?,00000000), ref: 0038DD69
                                    • Part of subcall function 0038DFCC: __EH_prolog3_GS.LIBCMT ref: 0038DFD3
                                    • Part of subcall function 0038DE4B: __EH_prolog3_GS.LIBCMT ref: 0038DE52
                                  Strings
                                  • Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 00386413
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ClassRegister$ClipboardCursorFormatH_prolog3H_prolog3_InfoLoad$CreateCriticalEnterErrorEventLastSection
                                  • String ID: Caphyon.AI.ExtUI.IEClickSoundRemover
                                  • API String ID: 845673267-1457952470
                                  • Opcode ID: 65f53bfb9e56eb5797f1e47227b02484c76f33788864bed0e03dd48f310043dd
                                  • Instruction ID: 008d242f54768513dd0248f040f042d8b5b34f42a751170be49be102fff9bfa8
                                  • Opcode Fuzzy Hash: 65f53bfb9e56eb5797f1e47227b02484c76f33788864bed0e03dd48f310043dd
                                  • Instruction Fuzzy Hash: 8F414CB0805789DECB11DF69C14028DFFF0BF59304F6486AED048AB742D3B59609CBA6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_
                                  • String ID: `Name` = '
                                  • API String ID: 2427045233-2937690115
                                  • Opcode ID: 5f89c0dac3290e98115f77d6bb906fd32bb8a5edb3df5c3df254a83ae3b2da66
                                  • Instruction ID: 616c9f24a8eb9254abc93958f34ee5eccd4e602005d486962ac8facde3d40624
                                  • Opcode Fuzzy Hash: 5f89c0dac3290e98115f77d6bb906fd32bb8a5edb3df5c3df254a83ae3b2da66
                                  • Instruction Fuzzy Hash: 3021C471904208CFDB05EFA4C8857DEBBF4EF04319F24406DE505AB682CBB89A49CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID: CLOSE
                                  • API String ID: 431132790-3830793076
                                  • Opcode ID: 82a1c127c89b3624e5274126b7fc7c1c36d25f89bb8430dca9540e0cdb4f7c93
                                  • Instruction ID: 79513405c970e03a602cdb887f3646ecaae5bb05bcef661bb08c73d3b758fc8c
                                  • Opcode Fuzzy Hash: 82a1c127c89b3624e5274126b7fc7c1c36d25f89bb8430dca9540e0cdb4f7c93
                                  • Instruction Fuzzy Hash: EB21C270E0031A9FCF04EFA4D9419AEF770BF40324F608A5EE0626B2D1DB38AA04DB55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0038DFD3
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 0038DFE4
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3__wcslen
                                  • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
                                  • API String ID: 3251556500-2431777889
                                  • Opcode ID: 05d3791829076a88890dd9da435314637947b9920a99aff275903d0bc0c742de
                                  • Instruction ID: eb260c436cb7ca943c5d3b02961590684446bc636ffe3c3d13e064fc28c1ed2c
                                  • Opcode Fuzzy Hash: 05d3791829076a88890dd9da435314637947b9920a99aff275903d0bc0c742de
                                  • Instruction Fuzzy Hash: 3411C271804288EADB06F7A0C816BDDBB78AF14310F5445E9F041BB0D2EF741B49C761
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0038DE52
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  • AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 0038DE57
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3__wcslen
                                  • String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current
                                  • API String ID: 3251556500-2431777889
                                  • Opcode ID: 206485bdd4abfb77a513de7c842c6582eec4badc533652660403a521b44dd21c
                                  • Instruction ID: 401e51efa179a3bab290a75f0ad10f8f6ee49c083e108fd65e68ec53dde371db
                                  • Opcode Fuzzy Hash: 206485bdd4abfb77a513de7c842c6582eec4badc533652660403a521b44dd21c
                                  • Instruction Fuzzy Hash: 44118E31805258EADB06FBA0C856BDDBB78AF14310F9441E8F1427B0D2DF742B4AC7A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003D1D93
                                    • Part of subcall function 003A4FCC: __EH_prolog3_GS.LIBCMT ref: 003A4FD3
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_$_wcslen
                                  • String ID: AI_COLOR_DISABLED_TEXT
                                  • API String ID: 2654712544-3584999645
                                  • Opcode ID: bb848ff133d54dca759b4ac122703833d3728e1d5d5446801117bc520afd0e61
                                  • Instruction ID: cf30ba5bacd66930e612f11fb1950cb4bb2beeefe25b45db2beca23c88ac4b84
                                  • Opcode Fuzzy Hash: bb848ff133d54dca759b4ac122703833d3728e1d5d5446801117bc520afd0e61
                                  • Instruction Fuzzy Hash: D701BC31900208DBCB15EFB0C489ADDFBB4FF08314F6405AAE001AB291DB389A45CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0042C8EF: _wcslen.LIBCMT ref: 0042C901
                                  • _wcslen.LIBCMT ref: 0042CDB4
                                    • Part of subcall function 0042CDFB: __EH_prolog3_GS.LIBCMT ref: 0042CE02
                                    • Part of subcall function 0042D24B: __EH_prolog3_GS.LIBCMT ref: 0042D255
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3__wcslen
                                  • String ID: Binary
                                  • API String ID: 3251556500-3243043891
                                  • Opcode ID: 7dd2fcc9fdd2f489e61b931e0d80dfda404d9b77119027a5e27844292f848b26
                                  • Instruction ID: 4f02754938ae9ddac281126d15d698f3f8a31cad8f818d9791004f7ca3e04281
                                  • Opcode Fuzzy Hash: 7dd2fcc9fdd2f489e61b931e0d80dfda404d9b77119027a5e27844292f848b26
                                  • Instruction Fuzzy Hash: E8F02E3131062467C6257A2ADC42F5F7B59EF81B20F40411FFC054B2D1DE6CEC119299
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003DAA73
                                    • Part of subcall function 0044241D: __EH_prolog3.LIBCMT ref: 00442424
                                    • Part of subcall function 003DA2FE: __EH_prolog3_GS.LIBCMT ref: 003DA308
                                    • Part of subcall function 004425B2: CloseHandle.KERNEL32(?,36685827,?,00000000,?,?,00000000,004A07C9,000000FF,?,003DAC7A,?,?,?,0000025C,003DAA55), ref: 00442617
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_$CloseH_prolog3Handle
                                  • String ID: InstallUISequence
                                  • API String ID: 2032638821-1326666714
                                  • Opcode ID: 00421a55f1d94f24b28432f0487f2fc80ee1a2261f26a0e8b15b6212bc7a3195
                                  • Instruction ID: 6d3e06b8f73f534c94ddf2cbdb8744d5712c4b313690ae4b25232574f1093c83
                                  • Opcode Fuzzy Hash: 00421a55f1d94f24b28432f0487f2fc80ee1a2261f26a0e8b15b6212bc7a3195
                                  • Instruction Fuzzy Hash: 47F082715005189BDB21E6A1CC45FEEB3ACEB04315F5001AFB15AD7191DB786F44CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_catch
                                  • String ID: (&P
                                  • API String ID: 3886170330-1638538394
                                  • Opcode ID: 1917fd74994f75b0d3677da7b2b50d7f51c0f8d292f5dfd294ac00ee5250b4f2
                                  • Instruction ID: 40265c9a660ec03ff0b220f49d95c95c13c3e043fc0f66b7d2dc9f58618014cd
                                  • Opcode Fuzzy Hash: 1917fd74994f75b0d3677da7b2b50d7f51c0f8d292f5dfd294ac00ee5250b4f2
                                  • Instruction Fuzzy Hash: 6AE01AB0D01609DEDB41DFB88C066ED7AF4FB48310F10412AA414E72E1EB794608CF79
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000,36685827,?,?,00000000), ref: 003EFF32
                                  • RegQueryValueExW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,36685827), ref: 003EFFE9
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 0e59a7434f731e332191d7a968f4870428b696c743d72e21fd2ac55b23c2a832
                                  • Instruction ID: 75f42162959cc38da57c3297c72ad719291ca66411455835820ddb6a21ce9208
                                  • Opcode Fuzzy Hash: 0e59a7434f731e332191d7a968f4870428b696c743d72e21fd2ac55b23c2a832
                                  • Instruction Fuzzy Hash: 2E91C070E10249DFDB14CFA8D985BAEBBB1FF44308F20811DE505E7681D7B5AA48CB55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0039241B
                                    • Part of subcall function 003B0155: __EH_prolog3.LIBCMT ref: 003B015C
                                    • Part of subcall function 003ED470: _wcslen.LIBCMT ref: 003ED5F5
                                  • EqualRect.USER32(?,?), ref: 003924B3
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: EqualH_prolog3H_prolog3_Rect_wcslen
                                  • String ID:
                                  • API String ID: 960143964-0
                                  • Opcode ID: 764433a99fb60ade071cde37a38df4936519833f938df7202c56e7c630151436
                                  • Instruction ID: d42cd66e20e34e871239110be3921aa854c3f25ab36078fd088f38ccb7042863
                                  • Opcode Fuzzy Hash: 764433a99fb60ade071cde37a38df4936519833f938df7202c56e7c630151436
                                  • Instruction Fuzzy Hash: 68515C71D00609EFCF16DFA4C995AEEFBB9BF05304F214559E405AB251DB70AE05CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0038CC10
                                  • DestroyAcceleratorTable.USER32(?), ref: 0038CD43
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: AcceleratorDestroyH_prolog3Table
                                  • String ID:
                                  • API String ID: 848293909-0
                                  • Opcode ID: 0ac0cf5e4cf95ddd2fd28cdd2c6c79b085d6c00ac73a1a1661d49c57ac526a9e
                                  • Instruction ID: 17487cdf521b182c275d59d66f686ddc19e98fa14085d194d9a3b2a73509385e
                                  • Opcode Fuzzy Hash: 0ac0cf5e4cf95ddd2fd28cdd2c6c79b085d6c00ac73a1a1661d49c57ac526a9e
                                  • Instruction Fuzzy Hash: E041D7746107009FD729EF75C898A66BBE9BF85701B15499DE49ACB661CB31E801CB20
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0042752B
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,004275F8), ref: 004275B7
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CloseH_prolog3Handle
                                  • String ID:
                                  • API String ID: 2454561918-0
                                  • Opcode ID: 1c4de0d00b1bb2599a5a3d09de5e3882bf5c8d48d326fc726c42179fd78fca74
                                  • Instruction ID: 6c976ec3b293e4e912adeb6f8d5d87b74284b80990f8a7db346829499c1b2bad
                                  • Opcode Fuzzy Hash: 1c4de0d00b1bb2599a5a3d09de5e3882bf5c8d48d326fc726c42179fd78fca74
                                  • Instruction Fuzzy Hash: 9021A435205710AFCB15DF74D884BAABBB0FF44310F10446EE8169B7A1CB34EA45CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • KillTimer.USER32(00000000,00000001,36685827,?,?,?,?,0048463A,000000FF), ref: 00391BE7
                                    • Part of subcall function 00389048: GetWindowLongW.USER32(00000000,000000FC), ref: 0038905B
                                    • Part of subcall function 00389048: SetWindowLongW.USER32(00000000,000000FC,?), ref: 00389077
                                  • DeleteCriticalSection.KERNEL32(?,36685827,?,?,?,?,0048463A,000000FF), ref: 00391C07
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: LongWindow$CriticalDeleteKillSectionTimer
                                  • String ID:
                                  • API String ID: 1032004442-0
                                  • Opcode ID: 26f39235f63c336851217a024f0d1fae7223818d8231cf89066131e5d308275a
                                  • Instruction ID: 5c1f3c61d54976f719a561e1cec1fbfca9e5b35a3c5b55d09b22351168006346
                                  • Opcode Fuzzy Hash: 26f39235f63c336851217a024f0d1fae7223818d8231cf89066131e5d308275a
                                  • Instruction Fuzzy Hash: 4821FF31404745EFCF22CF54C909B9ABBF4FB05724F10866EE092672E1C7B9AA05DB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,36685827,?,00000000,-00000020,00000002,00495AC0,000000FF,00000000,004136A4,?,?,00000000,?,?,?), ref: 003FB0B8
                                  • HeapFree.KERNEL32(?,00000000,?,?,00000000,-00000020,00000002,00495AC0,000000FF,00000000,004136A4,?,?,00000000,?,?), ref: 003FB0F6
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ExistsFileFreeHeapPath
                                  • String ID:
                                  • API String ID: 3939291066-0
                                  • Opcode ID: 7e39ba10bc1731e72c845f560da62e75798c86b442db541cbc4e36ca7fb243e5
                                  • Instruction ID: 2dc70da837db7f561580db7297248641dbd70e1baa1556bc80bb13c4172beb89
                                  • Opcode Fuzzy Hash: 7e39ba10bc1731e72c845f560da62e75798c86b442db541cbc4e36ca7fb243e5
                                  • Instruction Fuzzy Hash: E911BF72A04608AFC715DF58DC51BB9F7A9FB45320F24876AE826877D0DB36AC00CB84
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _free.LIBCMT ref: 0046F7B6
                                    • Part of subcall function 0046E6D9: RtlAllocateHeap.NTDLL(00000000,00000000,00000004,?,0046F7AA,?,00000000,?,0046379C,00000000,00000004,004FF2F0,00000000,004FF2EC,?,0046DC89), ref: 0046E70B
                                  • RtlReAllocateHeap.NTDLL(00000000,00000000,?,00000004,00000000,?,0046379C,00000000,00000004,004FF2F0,00000000,004FF2EC,?,0046DC89,00000000,004FF2F0), ref: 0046F7F2
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: AllocateHeap$_free
                                  • String ID:
                                  • API String ID: 1482568997-0
                                  • Opcode ID: b7e7be6cb76bb38df49d1138244077d5f39c18a94bba6fc78bdeb2a978f9dde8
                                  • Instruction ID: 307693316004abb11bba5b3526cbcff542c1fd198d7e44ecb9eb9998b8230295
                                  • Opcode Fuzzy Hash: b7e7be6cb76bb38df49d1138244077d5f39c18a94bba6fc78bdeb2a978f9dde8
                                  • Instruction Fuzzy Hash: 6EF0F6321041156BDB212B27FC81F6B27A99F81BB6F21003BF894962D0FA3CD80591AF
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DestroyWindow.USER32(00000000,?,?,?,36685827,?,?,?,004830F3,000000FF), ref: 003898A7
                                  • InterlockedDecrement.KERNEL32(004FF4A0), ref: 003898B6
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: DecrementDestroyInterlockedWindow
                                  • String ID:
                                  • API String ID: 2222927662-0
                                  • Opcode ID: b9607cce20a5995de823d856f1172d9e2c11336aff778e22e425a8573000eb86
                                  • Instruction ID: e16ff55a69552bd8dba387956f5e7bbd3b0ae9f41170d3eb310ef7cdedb02359
                                  • Opcode Fuzzy Hash: b9607cce20a5995de823d856f1172d9e2c11336aff778e22e425a8573000eb86
                                  • Instruction Fuzzy Hash: 5501DE71904700DFC724DF08CC49BAAB7F8FF05B25F108A6EE412976A0C7BAA900CB48
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID:
                                  • API String ID: 176396367-0
                                  • Opcode ID: 6ee162f877eb712535d0f9b881ebbbde375727b94e00772fc1b697bb9a1acd7c
                                  • Instruction ID: ee3d37df00b275a5366088735e6473691153e9db809b4d119c267cb7cc2a981a
                                  • Opcode Fuzzy Hash: 6ee162f877eb712535d0f9b881ebbbde375727b94e00772fc1b697bb9a1acd7c
                                  • Instruction Fuzzy Hash: 64F0A471201210ABDB19EF15D8D2DA6736CEF9533176140AEFD0A9F24AEB60AC40CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 003F68D0: LoadLibraryW.KERNEL32(ComCtl32.dll,36685827,?,?,00000000), ref: 003F690C
                                    • Part of subcall function 003F68D0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 003F6932
                                    • Part of subcall function 003F68D0: FreeLibrary.KERNEL32(00000000), ref: 003F69AB
                                  • SendMessageW.USER32(?,00000080,00000001,00000000), ref: 003F5BF4
                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003F5BFF
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: LibraryMessageSend$AddressFreeLoadProc
                                  • String ID:
                                  • API String ID: 3032493519-0
                                  • Opcode ID: d1cb84c62e9c203ff733c91c96c5f1c5611555ed7f0051f294545b25970edeed
                                  • Instruction ID: abefbf1528ece9f1df184cbc23e57ccf64fd731548e1ec767e13e69c4980122e
                                  • Opcode Fuzzy Hash: d1cb84c62e9c203ff733c91c96c5f1c5611555ed7f0051f294545b25970edeed
                                  • Instruction Fuzzy Hash: EAF01C22B8122C36F66025595C47F67B64DD781BA5E10427AFA98AF2C2ECC67C1043E8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 003D3135
                                  • RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 003D314E
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageRedrawSendWindow
                                  • String ID:
                                  • API String ID: 1030633669-0
                                  • Opcode ID: e710723641e8e34c23adcdda62f674a378002ef5687e691835e54010da4e65e7
                                  • Instruction ID: f4a050fcb4faf11b192e39246a207a3ac81e465b8d6b3946c771d84fa6a71105
                                  • Opcode Fuzzy Hash: e710723641e8e34c23adcdda62f674a378002ef5687e691835e54010da4e65e7
                                  • Instruction Fuzzy Hash: 15E01731690210AFEB219F04EC4AF947BA2AF05B11F114466F2826E2E0CBE12C94CF08
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetProcAddress.KERNEL32(?,?), ref: 00457CFA
                                  • RtlEncodePointer.NTDLL(00000000,?,00457C82,00000000,AtlThunk_AllocateData,004FE30C,?,?,00457F37,004FE314,?,?,?,?,00390564,?), ref: 00457D09
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: AddressEncodePointerProc
                                  • String ID:
                                  • API String ID: 1846120836-0
                                  • Opcode ID: 711701eb458804b4f4157135ebcad6b7935abb6e2c6a8742a158f2fa4eec565e
                                  • Instruction ID: edf0a5c4dddf74797e45e41549b09ad6460a211f19c5c84a20a8e3ecf4db6262
                                  • Opcode Fuzzy Hash: 711701eb458804b4f4157135ebcad6b7935abb6e2c6a8742a158f2fa4eec565e
                                  • Instruction Fuzzy Hash: C5D0A934208308ABCF110FB1FC088AA3FADEF0631970080A1FD0C86321E7329422AB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 003885E1
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  • Opcode ID: ae51f04e5f5317bff91f4b4a4440d765b55bcc4ff1a5c09b9b0ad61408c5faa5
                                  • Instruction ID: 2328f6798881bc91bca6f9f1a7ca113aed0b9da91551e89563e552b047990311
                                  • Opcode Fuzzy Hash: ae51f04e5f5317bff91f4b4a4440d765b55bcc4ff1a5c09b9b0ad61408c5faa5
                                  • Instruction Fuzzy Hash: 84B1D1766043029BDF26EF28C880B7E77EAFB85300F8609AEF59187251DF70D8448B52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00416B0F
                                    • Part of subcall function 0038CE6D: __EH_prolog3.LIBCMT ref: 0038CE74
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID:
                                  • API String ID: 431132790-0
                                  • Opcode ID: 3728bd769e83e0bf0e72acbdfd3ebc723892d012cd10f8b919dafd2b173ebe22
                                  • Instruction ID: a3d0f325333b85f78f32afb06140fbf3c055d27085202040e51ca02041f155d0
                                  • Opcode Fuzzy Hash: 3728bd769e83e0bf0e72acbdfd3ebc723892d012cd10f8b919dafd2b173ebe22
                                  • Instruction Fuzzy Hash: D0B1D631E002199FCF05EFA4C845AFEB7B5AF14304F11455AE451BB281DB78EA86CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003AF766
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3__wcslen
                                  • String ID:
                                  • API String ID: 3251556500-0
                                  • Opcode ID: 46d090919667d2f82010a4b838266fd5e0dca37822c632e329cd606272e9bddd
                                  • Instruction ID: e403f546573b55733a5056a4bf6c521abffb0cdf8df0648b41cc7c1f1f25fbb5
                                  • Opcode Fuzzy Hash: 46d090919667d2f82010a4b838266fd5e0dca37822c632e329cd606272e9bddd
                                  • Instruction Fuzzy Hash: 95C15B70D00208DFCB15DFB8C595ADDB7B4EF19314F60866EE462AB291E734AA49CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_
                                  • String ID:
                                  • API String ID: 2427045233-0
                                  • Opcode ID: 238699d0e10e18dedccc2296dfe3bd0a42d35d437644dee5a35c70cf2981aa26
                                  • Instruction ID: 1308c159fa748db855e8d987d7725f4e3a3ebac31ac3859b39078e0a7a17e4a3
                                  • Opcode Fuzzy Hash: 238699d0e10e18dedccc2296dfe3bd0a42d35d437644dee5a35c70cf2981aa26
                                  • Instruction Fuzzy Hash: 4951A2B061C205EBDF399F58C855B6F76A5BF8C300F24644FF49A93390D7389D418A6A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: RectWindow$CursorEventMouseRedrawTrack
                                  • String ID:
                                  • API String ID: 4112187664-0
                                  • Opcode ID: bc0a3b19c859cfa992e6b31626a5e167e4e018dce67f03978cea9510d2320e66
                                  • Instruction ID: 8a7d17c36e5f9c604ef627e12809562ab044fdb3f0625d2ebddf88df88440ad0
                                  • Opcode Fuzzy Hash: bc0a3b19c859cfa992e6b31626a5e167e4e018dce67f03978cea9510d2320e66
                                  • Instruction Fuzzy Hash: DE51AC74608245EFDB269F24C885FBABBA9EB84310F10892EFC55C6241D7349C55DFA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 003EE684
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Exception@8Throw
                                  • String ID:
                                  • API String ID: 2005118841-0
                                  • Opcode ID: 68683863becfab1f487186be378f0e55221a3f58877b7d81abec6bc1910cc7e0
                                  • Instruction ID: 237e975b95b8b74f3a94bc89068a97621008687ee2aafb3bffa450919a62d306
                                  • Opcode Fuzzy Hash: 68683863becfab1f487186be378f0e55221a3f58877b7d81abec6bc1910cc7e0
                                  • Instruction Fuzzy Hash: FC41F472E002159FCB15DF69C881B7EBBA9EB45364F20472EE8259B2C1EB70AD00C6D5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 004319F1
                                    • Part of subcall function 0039FAC6: __EH_prolog3.LIBCMT ref: 0039FACD
                                    • Part of subcall function 0039FAC6: _wcslen.LIBCMT ref: 0039FB00
                                    • Part of subcall function 0039FAC6: _wcslen.LIBCMT ref: 0039FB1B
                                    • Part of subcall function 0039FBA0: __EH_prolog3.LIBCMT ref: 0039FBA7
                                    • Part of subcall function 00432584: __EH_prolog3.LIBCMT ref: 0043258B
                                    • Part of subcall function 00433E22: __EH_prolog3.LIBCMT ref: 00433E29
                                    • Part of subcall function 004327EF: __EH_prolog3_catch.LIBCMT ref: 004327F6
                                    • Part of subcall function 00432A88: __EH_prolog3_catch.LIBCMT ref: 00432A8F
                                    • Part of subcall function 00432B15: __EH_prolog3_catch.LIBCMT ref: 00432B1C
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3$H_prolog3_catch$_wcslen$H_prolog3_
                                  • String ID:
                                  • API String ID: 20832266-0
                                  • Opcode ID: e560976059f20d62478d850c12b3055a6fe2958eafb541046e66dfe98b92bceb
                                  • Instruction ID: f64b591d8ed81dd3b15150390b63bb3b206cdd4b00eed7c2ed060a8385e57388
                                  • Opcode Fuzzy Hash: e560976059f20d62478d850c12b3055a6fe2958eafb541046e66dfe98b92bceb
                                  • Instruction Fuzzy Hash: 41612871D00258DECF15EFA4C981BDDBBB4AF18304F6085AEE049A7282DB746B49CF95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID:
                                  • API String ID: 431132790-0
                                  • Opcode ID: aa5fdcccb6e206135405cf67df26ff4f27c760e4996c70990d116c2e7ef3f61d
                                  • Instruction ID: 5a8b169709ae3295928ed2cbc1e73a8b5af84f4416256ec2075dde041eb0df96
                                  • Opcode Fuzzy Hash: aa5fdcccb6e206135405cf67df26ff4f27c760e4996c70990d116c2e7ef3f61d
                                  • Instruction Fuzzy Hash: E1412572A00610EFDB15CF14C880BEAB7B5FF85314F1485AEE9159B381DB78E881CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID:
                                  • API String ID: 431132790-0
                                  • Opcode ID: 3cf364594f16d792319445e094fc1c08c360e89c9f6497c277a4ca0644e1dd79
                                  • Instruction ID: eb1fc905396ad4348117d7acf8ec6b89058b4b53254084214710f6e8600e5ece
                                  • Opcode Fuzzy Hash: 3cf364594f16d792319445e094fc1c08c360e89c9f6497c277a4ca0644e1dd79
                                  • Instruction Fuzzy Hash: 8F411870D0021AAFEF15CFA4DD85ABEBBF5EF48301F10412AF516A22A0D7749E51DB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,004275F8), ref: 004274A6
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ObjectSingleWait
                                  • String ID:
                                  • API String ID: 24740636-0
                                  • Opcode ID: d8333c0a40c5119c1363f9f0aaf7862d21f56fa55350bd31ac57efdc5eab3921
                                  • Instruction ID: a6775d4445e89070876b05acc0be864fa2b55faddccd348b8d9cd3bf8ee2a213
                                  • Opcode Fuzzy Hash: d8333c0a40c5119c1363f9f0aaf7862d21f56fa55350bd31ac57efdc5eab3921
                                  • Instruction Fuzzy Hash: 4C11E631309626BFC7219F1AE894927F7A8FF05324745466AF815CB761EB24EC50CBD4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Event
                                  • String ID:
                                  • API String ID: 4201588131-0
                                  • Opcode ID: 66be0562ccb699698966be8bbe5a07ab88b58eaeb0b622a6c148e5beb05c8a59
                                  • Instruction ID: 239f5d647791b004cc4b02179b949567f3285cd6977ed400426cfa8cf074d3a8
                                  • Opcode Fuzzy Hash: 66be0562ccb699698966be8bbe5a07ab88b58eaeb0b622a6c148e5beb05c8a59
                                  • Instruction Fuzzy Hash: B111903A104606DFCA3B9EF9C488A3AB769FF433047150A39E412C7A64CB24ED11DA90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,0041461D,?,00000000,00000000,?), ref: 004272B7
                                    • Part of subcall function 0038E076: CloseHandle.KERNEL32(00000000,?,?,004220EC,00000000,?,00000010,004138F4,00000008, Error:,00000000,Failed to extract file:,00000000,00000104,-00000010,00000000), ref: 0038E08A
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CloseCreateFileHandle
                                  • String ID:
                                  • API String ID: 3498533004-0
                                  • Opcode ID: 11ce3ef313b877f4bd4681ed03e027c881f5cb9c8b065989e74031d559ed49cb
                                  • Instruction ID: 833874b0a21ba7ec7c397a2b3375594d3994022e5098daabcedcf68b71155c0d
                                  • Opcode Fuzzy Hash: 11ce3ef313b877f4bd4681ed03e027c881f5cb9c8b065989e74031d559ed49cb
                                  • Instruction Fuzzy Hash: E2210375604711AFD310DF29D884A56FBE8FF49350F10461AF859D7250E730E950CBE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _wcslen.LIBCMT ref: 0042C901
                                    • Part of subcall function 0042DE16: __EH_prolog3.LIBCMT ref: 0042DE1D
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_wcslen
                                  • String ID:
                                  • API String ID: 3746244732-0
                                  • Opcode ID: e4c7f9cd6561a21cb22c58cc91d0683ed70afed7c7da077148153e4a6dc19861
                                  • Instruction ID: 332481e7c22e863fbb9b32be679e98a64a5017cd436cf1a729d219fae1ab33cb
                                  • Opcode Fuzzy Hash: e4c7f9cd6561a21cb22c58cc91d0683ed70afed7c7da077148153e4a6dc19861
                                  • Instruction Fuzzy Hash: D91148B2200B009FD731AF25D98062BB7F6FF88315B41092EE18643E21C7B5F895CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: DeleteObject
                                  • String ID:
                                  • API String ID: 1531683806-0
                                  • Opcode ID: 4a5db9e37bd2cb75ee23291d04f9fbc4000eabff013e7be1c081971608ded866
                                  • Instruction ID: 5e7f2be69cab5e227632eeb6b534473754ab46363f55ea86743a148e2cbeaf6c
                                  • Opcode Fuzzy Hash: 4a5db9e37bd2cb75ee23291d04f9fbc4000eabff013e7be1c081971608ded866
                                  • Instruction Fuzzy Hash: 0B11A171A04B84EFD715CF28C849BAAB7E8EF45714F14862EE816D72C1DB75AA00C658
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0039BAC3: DeleteObject.GDI32(00000000), ref: 0039BB05
                                  • DeleteObject.GDI32(?), ref: 0039BA7B
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: DeleteObject
                                  • String ID:
                                  • API String ID: 1531683806-0
                                  • Opcode ID: c54dbb508125c4b24090869027763211bee9541684db2ebe65a183832b3fd73f
                                  • Instruction ID: 85317ad172d149aae86345a710d9d69b244b5625f302e169ac07c5c08f6e8037
                                  • Opcode Fuzzy Hash: c54dbb508125c4b24090869027763211bee9541684db2ebe65a183832b3fd73f
                                  • Instruction Fuzzy Hash: 1311EF70904744EFDB0AEB68C945BEEBBE8EB00304F10469DE012972C0EBB46B04CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: d9721de03c8ad4bdd025361ccd59419a6627282733024b16ee89ca42e5975166
                                  • Instruction ID: d5bf267d5744c8825998f5e2f915fb21f8aab9b12c88ab1bd031b9af401f3b61
                                  • Opcode Fuzzy Hash: d9721de03c8ad4bdd025361ccd59419a6627282733024b16ee89ca42e5975166
                                  • Instruction Fuzzy Hash: 04017175A08604BFD715CF69DC45FAABBACEB45720F10462EF865D33C0DA74A9008658
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_catch.LIBCMT ref: 0042E59B
                                    • Part of subcall function 00399CBE: __EH_prolog3_catch.LIBCMT ref: 00399CC5
                                    • Part of subcall function 0042EB11: __EH_prolog3_catch.LIBCMT ref: 0042EB18
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_catch
                                  • String ID:
                                  • API String ID: 3886170330-0
                                  • Opcode ID: 8a7a3818070d65d376cab98cc6b586464b0ee3f6ade5fb23e61c8df02a78ee70
                                  • Instruction ID: f17f4bfbb4db119741eaa41c2594869075bd7473f67b34e767f88e1cfbbac30a
                                  • Opcode Fuzzy Hash: 8a7a3818070d65d376cab98cc6b586464b0ee3f6ade5fb23e61c8df02a78ee70
                                  • Instruction Fuzzy Hash: CD113270A042209FCB10DF69C184B19BFE2BB0A304F68C1AAE4098F396D374ED85CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003BFFEF
                                    • Part of subcall function 0038633D: __EH_prolog3.LIBCMT ref: 00386344
                                    • Part of subcall function 003A4D33: __EH_prolog3.LIBCMT ref: 003A4D3A
                                    • Part of subcall function 00395C29: __EH_prolog3.LIBCMT ref: 00395C30
                                  Similarity
                                  • API ID: H_prolog3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Similarity
                                  • API ID: H_prolog3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_catch.LIBCMT ref: 0042EB18
                                    • Part of subcall function 0042EB9E: __EH_prolog3_catch.LIBCMT ref: 0042EBA5
                                  Similarity
                                  • API ID: H_prolog3_catch
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0046E63F,00000001,00000364,?,0046379C,00000000,00000004,004FF2F0,00000000,004FF2EC,?,0046DC89), ref: 004714A1
                                  Similarity
                                  • API ID: AllocateHeap
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00471460: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0046E63F,00000001,00000364,?,0046379C,00000000,00000004,004FF2F0,00000000,004FF2EC,?,0046DC89), ref: 004714A1
                                  • _free.LIBCMT ref: 0046A010
                                    • Part of subcall function 0046E727: RtlFreeHeap.NTDLL(00000000,00000000,?,004726FD,?,00000000,?,00000000,?,004729A1,?,00000007,?,?,00472EE2,?), ref: 0046E73D
                                    • Part of subcall function 0046E727: GetLastError.KERNEL32(?,?,004726FD,?,00000000,?,00000000,?,004729A1,?,00000007,?,?,00472EE2,?,?), ref: 0046E74F
                                  Similarity
                                  • API ID: Heap$AllocateErrorFreeLast_free
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 003D410D
                                    • Part of subcall function 003D3FDB: __EH_prolog3.LIBCMT ref: 003D3FE2
                                  Similarity
                                  • API ID: ClientH_prolog3Rect
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003A4FD3
                                    • Part of subcall function 003AF75F: __EH_prolog3_GS.LIBCMT ref: 003AF766
                                    • Part of subcall function 003AFADA: __EH_prolog3_GS.LIBCMT ref: 003AFAE1
                                  Similarity
                                  • API ID: H_prolog3_
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 003871AF
                                  Similarity
                                  • API ID: CreateWindow
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00000000,00000004,?,0046F7AA,?,00000000,?,0046379C,00000000,00000004,004FF2F0,00000000,004FF2EC,?,0046DC89), ref: 0046E70B
                                  Similarity
                                  • API ID: AllocateHeap
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_catch.LIBCMT ref: 0042EBA5
                                    • Part of subcall function 0039B324: __EH_prolog3_catch.LIBCMT ref: 0039B32B
                                  Similarity
                                  • API ID: H_prolog3_catch
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Similarity
                                  • API ID: H_prolog3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Similarity
                                  • API ID: H_prolog3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 003D30B0
                                  Similarity
                                  • API ID: MessageSend
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 003D0194: __EH_prolog3_GS.LIBCMT ref: 003D019B
                                    • Part of subcall function 003D0194: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 003D0298
                                    • Part of subcall function 003D0194: RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 003D02AA
                                  • SendMessageW.USER32 ref: 003C7624
                                    • Part of subcall function 003C76D8: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000037,?,?,003C7722,0000005C,003C7292), ref: 003C76F1
                                    • Part of subcall function 003C76D8: RedrawWindow.USER32(00000000,00000000,00000000,00000541,?,?,003C7722,0000005C,003C7292), ref: 003C7701
                                    • Part of subcall function 003C763F: __EH_prolog3_GS.LIBCMT ref: 003C7646
                                    • Part of subcall function 003C763F: SendMessageW.USER32(?,00000435,00000000,?), ref: 003C7691
                                    • Part of subcall function 003C763F: SendMessageW.USER32(?,00000449,00000002,?), ref: 003C76B8
                                  Similarity
                                  • API ID: Window$MessageSend$H_prolog3_Redraw
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00423BF1
                                    • Part of subcall function 0038CE6D: __EH_prolog3.LIBCMT ref: 0038CE74
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID:
                                  • API String ID: 431132790-0
                                  • Opcode ID: cfdd1151edbe1a33350182275530d9e8ba03582286000bee6c85394250d01015
                                  • Instruction ID: 2094bc53522a838567478db9aef40435638f1dbc5168ea0faa7c001dae2502f8
                                  • Opcode Fuzzy Hash: cfdd1151edbe1a33350182275530d9e8ba03582286000bee6c85394250d01015
                                  • Instruction Fuzzy Hash: CDE086709107019BC720EFF5944161EB6A0FF44705B50AC7FB9568B752DBB8990487C9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID:
                                  • API String ID: 176396367-0
                                  • Opcode ID: ca383cf7980e171647679309f38986d2733719b4c7c631ec2321800c1f6ef05a
                                  • Instruction ID: 1c7fd970450993c09338601122f090ce4124b3f89c60e44e760e441e0bcda550
                                  • Opcode Fuzzy Hash: ca383cf7980e171647679309f38986d2733719b4c7c631ec2321800c1f6ef05a
                                  • Instruction Fuzzy Hash: 1DD05E72204721ABD7296F20D805A5BBBE1EF40329F008D1EF88946250D7799884879A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00386E5B
                                    • Part of subcall function 00386F8C: __EH_prolog3.LIBCMT ref: 00386F93
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID:
                                  • API String ID: 431132790-0
                                  • Opcode ID: 445cf1bb641091b519771a34f993ef7b9d9c9c75ab2808ca4f1f4db6996df3b8
                                  • Instruction ID: c2edaa9c3d084c826b3b9d376d2d3f6c6aa0cce998b3eee22eb40f91f99df9b7
                                  • Opcode Fuzzy Hash: 445cf1bb641091b519771a34f993ef7b9d9c9c75ab2808ca4f1f4db6996df3b8
                                  • Instruction Fuzzy Hash: 6EE0ECB5500508EFDB00EFA8C849BAE77B0FF14319F00C045FA144F261C7B69A18CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 003880E9
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  • Opcode ID: 652349ef63f56d722ce5ed4f176c783f3aa53e07c07bf787c708328ad59e174f
                                  • Instruction ID: baebbcc272e31fdf20b76850b2558c0c1f178504d43d18c21f7a5524ecf77f17
                                  • Opcode Fuzzy Hash: 652349ef63f56d722ce5ed4f176c783f3aa53e07c07bf787c708328ad59e174f
                                  • Instruction Fuzzy Hash: 26D092BA610101AFCF064B58CC08D01BFA3AF8C31536AC0A4B5088A136CB33C862EB00
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0038DF49: __EH_prolog3_GS.LIBCMT ref: 0038DF50
                                  • CloseHandle.KERNEL32(?,36685827,?,?,?,?,00000000,00483C80,000000FF), ref: 0038DE27
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CloseH_prolog3_Handle
                                  • String ID:
                                  • API String ID: 3893559359-0
                                  • Opcode ID: 5e376bfee3a22bc19f2265da25e5dcb365f4e4ee433a01ef37308ec299939a90
                                  • Instruction ID: a69fba2905feb55f69de20546a6b6d0f68158f61fcfab35da1f8f179328c120e
                                  • Opcode Fuzzy Hash: 5e376bfee3a22bc19f2265da25e5dcb365f4e4ee433a01ef37308ec299939a90
                                  • Instruction Fuzzy Hash: 8801DFB1904744EFDB11DF49CA0979EFBB8FB40724F1082AEE011A76D0C7B46A04CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000010.00000003.668626178.0000000008410000.00000010.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_3_8410000_DLC3A4.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                  • Instruction ID: 144fea4c092aff2ab976b468949d26e472304994a37c0a2280052123e0d7e89d
                                  • Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 003870E1: __EH_prolog3.LIBCMT ref: 00387141
                                  • FindFirstFileW.KERNEL32(?,00000000,00000000,?,?,?,36685827,?,00000000,00000000), ref: 00426A16
                                  • FindNextFileW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00426A31
                                  • _wcsrchr.LIBVCRUNTIME ref: 00426A59
                                  • _wcsrchr.LIBVCRUNTIME ref: 00426A9D
                                  • FindNextFileW.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00426BED
                                  • _wcsrchr.LIBVCRUNTIME ref: 00426B15
                                    • Part of subcall function 003D4AA6: __EH_prolog3.LIBCMT ref: 003D4AAD
                                    • Part of subcall function 003D4AA6: _wcslen.LIBCMT ref: 003D4AE5
                                    • Part of subcall function 004150F2: __EH_prolog3.LIBCMT ref: 004150F9
                                    • Part of subcall function 0038D133: __EH_prolog3.LIBCMT ref: 0038D13A
                                  • FindClose.KERNEL32(00000000,004BFC0C,?,00000000,00000000), ref: 00426C9B
                                  • FindFirstFileW.KERNEL32(?,00000000,004BFC0C,?,00000000,00000000), ref: 00426CA8
                                  • FindNextFileW.KERNEL32(?,00000000,00000000,?,00000000,00000000), ref: 00426CC5
                                  • FindNextFileW.KERNEL32(?,00000000,?,00000000,00000000), ref: 00426D10
                                  • FindClose.KERNEL32(?,?,00000000,00000000), ref: 00426D2D
                                    • Part of subcall function 0038D91C: __EH_prolog3.LIBCMT ref: 0038D923
                                    • Part of subcall function 0038D91C: _wcslen.LIBCMT ref: 0038D953
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Find$File$H_prolog3$Next$_wcsrchr$CloseFirst_wcslen
                                  • String ID: .jar$.pack
                                  • API String ID: 1575710775-1219716722
                                  • Opcode ID: 0bbc987e1c75fb39ecf09696d58c2c981c12dc5ed8a74ff50da72047819bc4c7
                                  • Instruction ID: ac2759947e46f9f22bee58b264f67421f25013f670ec366dc0ade2c64c4c0336
                                  • Opcode Fuzzy Hash: 0bbc987e1c75fb39ecf09696d58c2c981c12dc5ed8a74ff50da72047819bc4c7
                                  • Instruction Fuzzy Hash: 5FD1C331904259DFCF05EFA4DC45AEEBBB8BF15314F64415AE411B72C1EB38AA08CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000,36685827,7FFFFFFE,?,00000000), ref: 00402F1E
                                  • _wcslen.LIBCMT ref: 00402F3C
                                  • _wcslen.LIBCMT ref: 004030D5
                                  • _wcslen.LIBCMT ref: 00403279
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen$HandleModule
                                  • String ID: MODULE_BASE_ADDRESS$[0x%.8Ix]
                                  • API String ID: 4171770972-3408254016
                                  • Opcode ID: 0691834719302370ade2603153a213e23caaa3703b93951c1768fddaaefa458b
                                  • Instruction ID: 5442a63d6e3de73f12e39f6380652974c7872e6b4903a0a3fdb78d6792362c21
                                  • Opcode Fuzzy Hash: 0691834719302370ade2603153a213e23caaa3703b93951c1768fddaaefa458b
                                  • Instruction Fuzzy Hash: 3602B670A002059FCB14DFA4C8C19AEB7B9FF49305B10063FE512E72D1EB78AA55CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0041A796
                                    • Part of subcall function 0038CE6D: __EH_prolog3.LIBCMT ref: 0038CE74
                                    • Part of subcall function 003870E1: __EH_prolog3.LIBCMT ref: 00387141
                                    • Part of subcall function 0041AA08: __EH_prolog3_GS.LIBCMT ref: 0041AA12
                                    • Part of subcall function 0041AA08: FindFirstFileW.KERNEL32(?,?,00000000,00000000,00000001), ref: 0041AA74
                                    • Part of subcall function 0041AA08: FindClose.KERNEL32(00000000), ref: 0041AB6C
                                    • Part of subcall function 003F3420: HeapFree.KERNEL32(?,00000000,?), ref: 003F3502
                                    • Part of subcall function 0038D133: __EH_prolog3.LIBCMT ref: 0038D13A
                                  • _wcslen.LIBCMT ref: 0041A88A
                                  • FindFirstFileW.KERNEL32(?,?,004BEA28,00000000,?,00000000,00000000,00000001), ref: 0041A8C4
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0041A8E8
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0041A973
                                  • FindClose.KERNEL32(00000000), ref: 0041A996
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Find$File$H_prolog3$CloseFirstH_prolog3_Next$FreeHeap_wcslen
                                  • String ID:
                                  • API String ID: 631787520-0
                                  • Opcode ID: 72a3c65c7eb81591551eee5d3ff6ec5a8efa4584ecd2d5a0bc0509447ff86903
                                  • Instruction ID: e967a7b3ca5108351ff3aa88663696ab3c64c05911be0c56761186a08d6fedc3
                                  • Opcode Fuzzy Hash: 72a3c65c7eb81591551eee5d3ff6ec5a8efa4584ecd2d5a0bc0509447ff86903
                                  • Instruction Fuzzy Hash: D9619F70806259DBCF55EB64CC89BDDBBB8AF04314F5480DAE40967281DB385F89CF66
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0047496A,?,00000000), ref: 004746E4
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0047496A,?,00000000), ref: 0047470D
                                  • GetACP.KERNEL32(?,?,0047496A,?,00000000), ref: 00474722
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: ef0eb30edb1a52740ce562b78192206831719f80a0ef026c4b93a1b04222812a
                                  • Instruction ID: 06d06338645e6e64823559aa9613e0fd560256f1696a7a740fc9ab1370c4b153
                                  • Opcode Fuzzy Hash: ef0eb30edb1a52740ce562b78192206831719f80a0ef026c4b93a1b04222812a
                                  • Instruction Fuzzy Hash: B2219062B00100A6D7388F54C900AF773A6ABD6B51B57C966E94DD7310E73EDD41C798
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0046E58A: GetLastError.KERNEL32(?,00000010,00461A6F,00000010,?,?,004613F8,?,?,00000010,00000002), ref: 0046E58E
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5C1
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E602
                                    • Part of subcall function 0046E58A: _abort.LIBCMT ref: 0046E608
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5E9
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E5F6
                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0047492B
                                  • IsValidCodePage.KERNEL32(00000000), ref: 00474986
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00474995
                                  • GetLocaleInfoW.KERNEL32(?,00001001,0046A5E6,00000040,?,0046A706,00000055,00000000,?,?,00000055,00000000), ref: 004749DD
                                  • GetLocaleInfoW.KERNEL32(?,00001002,0046A666,00000040), ref: 004749FC
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                  • String ID:
                                  • API String ID: 745075371-0
                                  • Opcode ID: 3c3e988b17b9ab03365dfd3590ab9e5d9bb5a4b2d6b8fa25706f177ab7463284
                                  • Instruction ID: 442f61e7a16f63a04d8be5e2f69622c5df6b12597c47d539bb634aa298652a56
                                  • Opcode Fuzzy Hash: 3c3e988b17b9ab03365dfd3590ab9e5d9bb5a4b2d6b8fa25706f177ab7463284
                                  • Instruction Fuzzy Hash: 0E5195B1A00209AFDF10DFB5CC45AFB77B8EF95700F14846AEA18E7250E7789940CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003ACC35
                                  • GetWindowDC.USER32(?,?,?), ref: 003ACC61
                                  • NtdllDefWindowProc_W.NTDLL(?,?,00000000,00000000,?,?,?), ref: 003ACC9C
                                  • SetWindowLongW.USER32(?,000000F0,?), ref: 003ACCB1
                                  • DeleteDC.GDI32(?), ref: 003ACCC6
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$DeleteH_prolog3LongNtdllProc_
                                  • String ID:
                                  • API String ID: 1114441301-0
                                  • Opcode ID: 768c83c97e7420b8a03bf34daecc6ee61ec9d36b4c4eb50209e47a2ec3710892
                                  • Instruction ID: 1f1708f8644786c93b425d42aaa31bcd4328476cbb642b596ebd7b2949141d17
                                  • Opcode Fuzzy Hash: 768c83c97e7420b8a03bf34daecc6ee61ec9d36b4c4eb50209e47a2ec3710892
                                  • Instruction Fuzzy Hash: 1921B431600205EFDB01DFB4C949BAD3BB1FF09315F148098F905AB2A2CB759E14DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0046A044,?,00000004), ref: 004702F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: GetLocaleInfoEx$PA8
                                  • API String ID: 2299586839-4036295727
                                  • Opcode ID: 7c0355eaa6cea609f822577e5a06adeb546690ae76e8da6a6b5e02438713a60d
                                  • Instruction ID: a6b56a0f4be153bb4fbc9d4cb7138ef6a50241e194b80fac25ed62b627509930
                                  • Opcode Fuzzy Hash: 7c0355eaa6cea609f822577e5a06adeb546690ae76e8da6a6b5e02438713a60d
                                  • Instruction Fuzzy Hash: 45F04632641208BBCB10AFA0DC05FAE3F51EB05700F10405AFD0956292CE354E209ACD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetSystemTimeAsFileTime.KERNEL32(00000000,00468D82), ref: 0047034D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Time$FileSystem
                                  • String ID: GetSystemTimePreciseAsFileTime$PA8
                                  • API String ID: 2086374402-205196788
                                  • Opcode ID: 231df6d5a0c89442f02e04027ddda27f1cef33819ef0dd2a8a214067a26a2896
                                  • Instruction ID: ecc1f124018ea43f483b7591f1b426de5a8f4a5f0c897aa33f5b133fbd828eb4
                                  • Opcode Fuzzy Hash: 231df6d5a0c89442f02e04027ddda27f1cef33819ef0dd2a8a214067a26a2896
                                  • Instruction Fuzzy Hash: B5E05C31B01218E78750AB60AC41F7E7B50CB66B10714416BFC0857281DE285D1095CE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0046E58A: GetLastError.KERNEL32(?,00000010,00461A6F,00000010,?,?,004613F8,?,?,00000010,00000002), ref: 0046E58E
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5C1
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E602
                                    • Part of subcall function 0046E58A: _abort.LIBCMT ref: 0046E608
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5E9
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E5F6
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00474326
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00474377
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00474437
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                  • String ID:
                                  • API String ID: 2829624132-0
                                  • Opcode ID: bbd9e17c7d3b16156518ddfe07771fc7a8944926f251eed5a41bf08260b8057e
                                  • Instruction ID: fb369cf66966ae81335778f2223f5e1c24dab680645f8a63e66659fad2c9e4c9
                                  • Opcode Fuzzy Hash: bbd9e17c7d3b16156518ddfe07771fc7a8944926f251eed5a41bf08260b8057e
                                  • Instruction Fuzzy Hash: FA61B071600107ABEB289F25CD82BFA77A8EF44304F1181BAED09C6691F77CD952DB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,004FF2F0), ref: 00460B14
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,004FF2F0), ref: 00460B1E
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,004FF2F0), ref: 00460B2B
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  • Opcode ID: 19a946c7887369974ced3249402c928e529dd0b82e2411b257b998cc6f494461
                                  • Instruction ID: 7d8ff582971d6725bfe41c19c9a9368cb007d47b3bdcb32c43830a0fb4f65599
                                  • Opcode Fuzzy Hash: 19a946c7887369974ced3249402c928e529dd0b82e2411b257b998cc6f494461
                                  • Instruction Fuzzy Hash: 1F31F37490121C9BCB21DF65DD8879DBBB8BF08311F5042EAE80CA6251EB749F858F89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,36685827,?), ref: 003F680B
                                  • GetLastError.KERNEL32 ref: 003F6815
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorFormatLastMessage
                                  • String ID:
                                  • API String ID: 3479602957-0
                                  • Opcode ID: 7cc9b4dde655618d8dee851f5f0a317397987fc0cc18745ba945ea4846514978
                                  • Instruction ID: 307dd546f3fa335a62287d3f6b0224a65bafb934213a16f271c7b1d286a670c4
                                  • Opcode Fuzzy Hash: 7cc9b4dde655618d8dee851f5f0a317397987fc0cc18745ba945ea4846514978
                                  • Instruction Fuzzy Hash: AD21D671A00209AFDB11DF99CC46BBEBBF8EB44754F20412DE515E73C1DBB5990087A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowLongW.USER32(0000000E,000000FC), ref: 0039056B
                                  • SetWindowLongW.USER32(0000000E,000000FC,?), ref: 0039057F
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: 0ae7c65e64d50b493cadaacfc107d72fbbbded5d504ea53105eea2da8260300f
                                  • Instruction ID: 85e12b6747cfb28b11a52cca90045fe9e4f745bd5196dde281d31f4005d96dd9
                                  • Opcode Fuzzy Hash: 0ae7c65e64d50b493cadaacfc107d72fbbbded5d504ea53105eea2da8260300f
                                  • Instruction Fuzzy Hash: 6CF03072608512AFCB159B24EC05E26FBA2FF493617014339E429D25E0EB31EC30CAA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0046E58A: GetLastError.KERNEL32(?,00000010,00461A6F,00000010,?,?,004613F8,?,?,00000010,00000002), ref: 0046E58E
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5C1
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E602
                                    • Part of subcall function 0046E58A: _abort.LIBCMT ref: 0046E608
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5E9
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E5F6
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00474576
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                  • String ID:
                                  • API String ID: 1663032902-0
                                  • Opcode ID: 7f9e05417a3b0bb712a93a61d3c0973b8a733f2b611b0369005522e4685ff048
                                  • Instruction ID: 4f09feee5f517541754fc6e29321979940eec720e6bb6353dfdeb293464255bb
                                  • Opcode Fuzzy Hash: 7f9e05417a3b0bb712a93a61d3c0973b8a733f2b611b0369005522e4685ff048
                                  • Instruction Fuzzy Hash: 1421B37260420AABDB249E25DC41BBB73ECEF41318F1041BBEE09C6281EB389D55CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0046E58A: GetLastError.KERNEL32(?,00000010,00461A6F,00000010,?,?,004613F8,?,?,00000010,00000002), ref: 0046E58E
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5C1
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E602
                                    • Part of subcall function 0046E58A: _abort.LIBCMT ref: 0046E608
                                  • EnumSystemLocalesW.KERNEL32(004742D2,00000001,00000000,?,0046A5E6,?,004748FF,00000000,?,?,?), ref: 0047421C
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  • Opcode ID: c5c402e72d8eb017c22de109f8a345b92ba8f520eb170940ab2afa230f696cf5
                                  • Instruction ID: 30888f9b64d447e77280d54f6b6270a2fc421798afa24335a7e67e528fac7b16
                                  • Opcode Fuzzy Hash: c5c402e72d8eb017c22de109f8a345b92ba8f520eb170940ab2afa230f696cf5
                                  • Instruction Fuzzy Hash: 0711363A2043009FDB289F3988916BAB791FBC0358B14842EE98A87741D375A952CB44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0046E58A: GetLastError.KERNEL32(?,00000010,00461A6F,00000010,?,?,004613F8,?,?,00000010,00000002), ref: 0046E58E
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5C1
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E602
                                    • Part of subcall function 0046E58A: _abort.LIBCMT ref: 0046E608
                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004745CD,00000000,00000000,?), ref: 0047477E
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLast$InfoLocale_abort_free
                                  • String ID:
                                  • API String ID: 2692324296-0
                                  • Opcode ID: ef479f3b77cec36b282787e09cfbb9d1f901817d16e05ffb323ceba78bc5722f
                                  • Instruction ID: eab5b0aa973d7694d1b2fa83f3696cde6978fa60893e3d20dd8f678008f873e2
                                  • Opcode Fuzzy Hash: ef479f3b77cec36b282787e09cfbb9d1f901817d16e05ffb323ceba78bc5722f
                                  • Instruction Fuzzy Hash: 02F0F936600215BBDB3C5A658C05AFB779CDB81368F15846EEC1DA3240EB78BD02C6D4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0046E58A: GetLastError.KERNEL32(?,00000010,00461A6F,00000010,?,?,004613F8,?,?,00000010,00000002), ref: 0046E58E
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5C1
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E602
                                    • Part of subcall function 0046E58A: _abort.LIBCMT ref: 0046E608
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5E9
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E5F6
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0046A5ED,00000000,0046A70D), ref: 0047410A
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                  • String ID:
                                  • API String ID: 1663032902-0
                                  • Opcode ID: 6d995eb27814d80f82e6f3f876835526054586412bfd3d8d12c9a030ef4bc9fd
                                  • Instruction ID: 7d05f75cb8990df016881ab43a78e610ba9cf0ca9a9538e49af3a014eb78a0a8
                                  • Opcode Fuzzy Hash: 6d995eb27814d80f82e6f3f876835526054586412bfd3d8d12c9a030ef4bc9fd
                                  • Instruction Fuzzy Hash: ADF0F932600105ABC714AF75DC459FA73ECDB45315F00417EFA06D7281FA386D058799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0046E58A: GetLastError.KERNEL32(?,00000010,00461A6F,00000010,?,?,004613F8,?,?,00000010,00000002), ref: 0046E58E
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5C1
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E602
                                    • Part of subcall function 0046E58A: _abort.LIBCMT ref: 0046E608
                                  • EnumSystemLocalesW.KERNEL32(00474522,00000001,?,?,0046A5E6,?,004748C3,0046A5E6,?,?,?,?,?,0046A5E6,?,?), ref: 00474291
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  • Opcode ID: af733352d5702dcf2a987cb3732413ba7c3fcf2a512d96a70d56aa574b54f474
                                  • Instruction ID: 04afed643270921efa320a88244f9429ffce16de8e4c7ce721de53b0dfe343a5
                                  • Opcode Fuzzy Hash: af733352d5702dcf2a987cb3732413ba7c3fcf2a512d96a70d56aa574b54f474
                                  • Instruction Fuzzy Hash: B6F028363003041FDB245F359C81ABB7B95EFC0368B05846EFE4987681D3759C428604
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtdllDefWindowProc_W.NTDLL(00000000,?,?,?,003940E4,?,?,?,?,?,?,?,?,?,00393FF0,?), ref: 00394EA9
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: NtdllProc_Window
                                  • String ID:
                                  • API String ID: 4255912815-0
                                  • Opcode ID: 6a295ba730ab6424078dc84d9ffb7497d9c409b2aa488810262eb4046f41259f
                                  • Instruction ID: 45f38d37b0c568d6d8e2e091f66b46d51a5bd016595fb900b0a09843028b0409
                                  • Opcode Fuzzy Hash: 6a295ba730ab6424078dc84d9ffb7497d9c409b2aa488810262eb4046f41259f
                                  • Instruction Fuzzy Hash: 4DF030B0E1030166EF366614C69CC6DA65BF3D0340F11893AE65040BE8E3388C929502
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0046E58A: GetLastError.KERNEL32(?,00000010,00461A6F,00000010,?,?,004613F8,?,?,00000010,00000002), ref: 0046E58E
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5C1
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E602
                                    • Part of subcall function 0046E58A: _abort.LIBCMT ref: 0046E608
                                  • EnumSystemLocalesW.KERNEL32(004740B6,00000001,?,?,?,00474921,0046A5E6,?,?,?,?,?,0046A5E6,?,?,?), ref: 00474196
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  • Opcode ID: 4a1824fb34764c596e8e10c6771a18a3ff01c53faff1edf681aa4f1f839ed540
                                  • Instruction ID: a02dc0093bbb0dfea15a9811a99947331b295515c11153ee1a9098f43c423149
                                  • Opcode Fuzzy Hash: 4a1824fb34764c596e8e10c6771a18a3ff01c53faff1edf681aa4f1f839ed540
                                  • Instruction Fuzzy Hash: 00F0EC3A30020567CB14EF35DC55BB77F94EFC1714B46805AEA098B791D7759883C794
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 004167B6
                                    • Part of subcall function 0038D91C: __EH_prolog3.LIBCMT ref: 0038D923
                                    • Part of subcall function 0038D91C: _wcslen.LIBCMT ref: 0038D953
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3$_wcslen
                                  • String ID: OsNotIdentified$Windows 10 version 1507 x64$Windows 10 version 1507 x86$Windows 10 version 1511 x64$Windows 10 version 1511 x86$Windows 10 version 1607 x64$Windows 10 version 1607 x86$Windows 10 version 1703 x64$Windows 10 version 1703 x86$Windows 10 version 1709 x64$Windows 10 version 1709 x86$Windows 10 version 1803 x64$Windows 10 version 1803 x86$Windows 10 x64$Windows 10 x86$Windows 7 RTM x64$Windows 7 RTM x86$Windows 7 SP1 x64$Windows 7 SP1 x86$Windows 7 x64$Windows 7 x86$Windows 8 x64$Windows 8 x86$Windows 8.1 x64$Windows 8.1 x86$Windows Server 2003 SP1 x64$Windows Server 2003 SP1 x86$Windows Server 2003 SP2 x64$Windows Server 2003 SP2 x86$Windows Server 2003 x64$Windows Server 2003 x86$Windows Server 2008 R2 RTM x64$Windows Server 2008 R2 SP1 x64$Windows Server 2008 R2 x64$Windows Server 2008 RTM x64$Windows Server 2008 RTM x86$Windows Server 2008 SP2 x64$Windows Server 2008 SP2 x86$Windows Server 2008 x64$Windows Server 2008 x86$Windows Server 2012 R2 x64$Windows Server 2012 x64$Windows Server 2016 x64$Windows Vista RTM x64$Windows Vista RTM x86$Windows Vista SP1 x64$Windows Vista SP1 x86$Windows Vista SP2 x64$Windows Vista SP2 x86$Windows Vista x64$Windows Vista x86$Windows XP SP1 x64$Windows XP SP1 x86$Windows XP SP2 x64$Windows XP SP2 x86$Windows XP SP3 x86$Windows XP x64$Windows XP x86$h0P
                                  • API String ID: 821321042-1143339858
                                  • Opcode ID: f4723c6c9189cc0763d2387ae12f36b2aea829f65a93049866ce9a883661a5bb
                                  • Instruction ID: f8ab36602a78155da5bbef7b03c922306de5897839fe71be29f7b15e0bd6f31b
                                  • Opcode Fuzzy Hash: f4723c6c9189cc0763d2387ae12f36b2aea829f65a93049866ce9a883661a5bb
                                  • Instruction Fuzzy Hash: 2571D078B0520587CBA599294614BFF2661EB42341F26C4BFE045AA384C7FCCEC29B4F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003CEA94
                                  • GetClientRect.USER32(?,?), ref: 003CEAFF
                                  • SetBkMode.GDI32(?,00000001), ref: 003CEB0C
                                  • SelectObject.GDI32(?,?), ref: 003CEB1B
                                  • IsWindowEnabled.USER32(?), ref: 003CEB46
                                  • GetSysColor.USER32(00000011), ref: 003CEB5A
                                  • SetTextColor.GDI32(?,00000000), ref: 003CEB64
                                  • SetTextColor.GDI32(?,00000000), ref: 003CEB86
                                  • IsWindowEnabled.USER32(?), ref: 003CEBB0
                                  • GetSysColor.USER32(00000011), ref: 003CEBD5
                                  • SetTextColor.GDI32(?,00000000), ref: 003CEBDF
                                  • SelectObject.GDI32(?,?), ref: 003CEBFB
                                  • SetTextColor.GDI32(?,?), ref: 003CEC1E
                                  • SelectObject.GDI32(?,?), ref: 003CEC29
                                  • IsWindowEnabled.USER32(?), ref: 003CEC40
                                  • GetSysColor.USER32(00000011), ref: 003CEC54
                                  • SetTextColor.GDI32(?,00000000), ref: 003CEC5E
                                  • SetTextColor.GDI32(?,?), ref: 003CED0C
                                  • GetFocus.USER32 ref: 003CED12
                                  • SelectObject.GDI32(?,00000001), ref: 003CED36
                                  • SetBkMode.GDI32(?,00000001), ref: 003CED45
                                  • IsWindowEnabled.USER32(?), ref: 003CED51
                                  • GetSysColor.USER32(00000011), ref: 003CED76
                                  • SetTextColor.GDI32(?,00000000), ref: 003CED80
                                  • SelectObject.GDI32(?,?), ref: 003CEDBD
                                  • GetWindowLongW.USER32(?,000000F0), ref: 003CEDDA
                                  • GetFocus.USER32 ref: 003CEE1D
                                  • SetTextColor.GDI32(?,00000001), ref: 003CEE41
                                  • SelectObject.GDI32(?,?), ref: 003CEE4D
                                    • Part of subcall function 003CF2B8: lstrlenW.KERNEL32(?,?,?,?,?,003CEAEC,?,?,?,?,?,?,00000058,003C146A), ref: 003CF2ED
                                    • Part of subcall function 003CF2B8: CompareStringW.KERNEL32(00000400,00000001,?,00000003,<A>,00000003,?,?,?,?,003CEAEC,?,?,?,?,?), ref: 003CF326
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Color$Text$ObjectSelect$Window$Enabled$FocusMode$ClientCompareH_prolog3_LongRectStringlstrlen
                                  • String ID: OpE
                                  • API String ID: 1236755206-2903432966
                                  • Opcode ID: 2a4f31eba07dbb7ef6f838e2d8a1350d00e3e46840095978927768c51bd4d2f0
                                  • Instruction ID: 1b9bf141e891e3009515d7e788bc9e3163d84dfbc172c8fd720b8d1a94c49576
                                  • Opcode Fuzzy Hash: 2a4f31eba07dbb7ef6f838e2d8a1350d00e3e46840095978927768c51bd4d2f0
                                  • Instruction Fuzzy Hash: EEC1F671904548AFDF068FA4DC88EED7BB6EF48300F188179ED0AAE265CB319D51DB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003BAB5B
                                  • IsWindow.USER32(?), ref: 003BAB79
                                  • IsWindow.USER32(?), ref: 003BAB86
                                  • CopyRect.USER32(?,?), ref: 003BABEB
                                  • IsRectEmpty.USER32(?), ref: 003BABF5
                                  • SendMessageW.USER32(?,00001104,00000001,?), ref: 003BAC4C
                                  • IsWindowEnabled.USER32(00000002), ref: 003BAC57
                                  • GetSysColor.USER32(0000000F), ref: 003BAC65
                                  • SendMessageW.USER32(?,00001200,00000000,00000000), ref: 003BAC7E
                                  • SetBkMode.GDI32(?,00000001), ref: 003BACE6
                                  • SetTextColor.GDI32(?,?), ref: 003BACF3
                                  • IsWindowEnabled.USER32(00000004), ref: 003BAD07
                                  • SetTextColor.GDI32(?,?), ref: 003BAD14
                                  • CopyRect.USER32(?,?), ref: 003BAECC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$ColorRect$CopyEnabledMessageSendText$EmptyH_prolog3_Mode
                                  • String ID: OpE
                                  • API String ID: 4040537998-2903432966
                                  • Opcode ID: 67e0640ef694cb42259cc02699d68726087741b179097a826658ce69be6a8a79
                                  • Instruction ID: 41a762f8dfd83b5769b13961d84d41031b7430681a0df0119e823d49dee0367d
                                  • Opcode Fuzzy Hash: 67e0640ef694cb42259cc02699d68726087741b179097a826658ce69be6a8a79
                                  • Instruction Fuzzy Hash: 57C15B71E00A09AFDF05CFA4C988BEDBBB5FF08304F144169EA05AB691D770A955CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0039C96A
                                  • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,0000005C), ref: 0039C9C1
                                    • Part of subcall function 0038889A: SetWindowLongW.USER32(?,000000FC,00000000), ref: 003888D0
                                  • SendMessageW.USER32(?,00000432,00000000,0000002C), ref: 0039CAC9
                                  • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 0039CADD
                                  • SendMessageW.USER32(?,00000421,00000003,?), ref: 0039CAF2
                                  • SendMessageW.USER32(?,00000418,00000000,0000012C), ref: 0039CB07
                                  • GetWindowTextLengthW.USER32(?), ref: 0039CB0E
                                  • SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 0039CB1E
                                  • ClientToScreen.USER32(?,?), ref: 0039CB3E
                                  • GetWindowRect.USER32(?,?), ref: 0039CB50
                                  • PtInRect.USER32(?,?,?), ref: 0039CB60
                                  • SendMessageW.USER32(?,00000412,00000000), ref: 0039CBB2
                                  • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0039CBC2
                                  • SetTimer.USER32(?,?,00001388,00000000), ref: 0039CBD9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSend$Window$Rect$ClientCreateH_prolog3_LengthLongScreenTextTimer
                                  • String ID: ,$tooltips_class32
                                  • API String ID: 3887852958-3856767331
                                  • Opcode ID: 54adefe322a2d70fe2a26403e6bd30ac30396f23c6be46b16fc76c6ddf172c0d
                                  • Instruction ID: 3bbdf181de9fb856c65b87edd660bf6dc339e3c7c9e4795554fb16aaa5a3f48a
                                  • Opcode Fuzzy Hash: 54adefe322a2d70fe2a26403e6bd30ac30396f23c6be46b16fc76c6ddf172c0d
                                  • Instruction Fuzzy Hash: B0911B71A00309AFDB15CFA4CC85EAEBBB5FF48301F14452AE606EB6A0D774A954CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003B6E26
                                  • __Init_thread_footer.LIBCMT ref: 003B727E
                                    • Part of subcall function 00395BC3: _wcslen.LIBCMT ref: 00395BEB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_Init_thread_footer_wcslen
                                  • String ID: 0(P$AiVerMax$AiVerMin$H(P$MsiNTProductType$ServicePackLevel$ServicePackLevelMinor$VersionNT$VersionNT64$WindowsBuild$`(P$x(P
                                  • API String ID: 2573428249-853029784
                                  • Opcode ID: 118cc13e4ff2c32edede9d9c731adbeea5c0b6f9e1fe71390acf6b9a0c51e2b3
                                  • Instruction ID: 79eaa7925241f119e034c4e743a4dd37c5e662ed9e41a0e9817695e03afa2426
                                  • Opcode Fuzzy Hash: 118cc13e4ff2c32edede9d9c731adbeea5c0b6f9e1fe71390acf6b9a0c51e2b3
                                  • Instruction Fuzzy Hash: EED19B30904248DFCF11EFA8C945BDCBBB5AF55304F1485E9E549AB282DB746E48CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _wcslen.LIBCMT ref: 004069EF
                                  • SetWindowTextW.USER32(00000000,?), ref: 00406B4C
                                  • ShowWindow.USER32(?,00000005), ref: 00406BB2
                                  • _wcslen.LIBCMT ref: 00406BC0
                                  • SetWindowTextW.USER32(00000000,?), ref: 00406D1D
                                  • ShowWindow.USER32(?,00000000), ref: 00406D82
                                  • ShowWindow.USER32(?,00000000), ref: 00406D89
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000616), ref: 00406DD2
                                  • IsWindow.USER32(00000000), ref: 00406E13
                                  • IsRectEmpty.USER32(?), ref: 00406E30
                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,?,00000616), ref: 00406E60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$Show$Text_wcslen$EmptyRect
                                  • String ID: Details <<$Details >>
                                  • API String ID: 3481237938-3763984547
                                  • Opcode ID: 33760662d405a6621cf6ab0baafebcad4f5cc14d73edda6509bcc2ff65ff5c66
                                  • Instruction ID: 4e92a087f440f1e1cc8ac43307f8357f53c78c5d60981e3bd64b6b62b79dff5a
                                  • Opcode Fuzzy Hash: 33760662d405a6621cf6ab0baafebcad4f5cc14d73edda6509bcc2ff65ff5c66
                                  • Instruction Fuzzy Hash: 93F1D371E102059FDB14DF78CC45AAEB7B5EF48314F21822EE412B72D1DB38A961CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0043E4EE
                                    • Part of subcall function 0043F4DF: __EH_prolog3_GS.LIBCMT ref: 0043F4E9
                                    • Part of subcall function 0043F4DF: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0043F50E
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                    • Part of subcall function 003ED470: _wcslen.LIBCMT ref: 003ED5F5
                                  • _wcslen.LIBCMT ref: 0043E565
                                  • CreateProcessW.KERNEL32 ref: 0043E67D
                                  • GetLastError.KERNEL32 ref: 0043E699
                                    • Part of subcall function 003DBAD0: _wcslen.LIBCMT ref: 003DBB3D
                                    • Part of subcall function 00435B21: __EH_prolog3_GS.LIBCMT ref: 00435B28
                                    • Part of subcall function 003DBCA0: __cftof.LIBCMT ref: 003DBCF1
                                    • Part of subcall function 003DBCA0: _wcslen.LIBCMT ref: 003DBD0D
                                    • Part of subcall function 00435B9E: __EH_prolog3_GS.LIBCMT ref: 00435BA5
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0043E735
                                  • GetExitCodeProcess.KERNEL32 ref: 0043E748
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen$H_prolog3_$Process$CodeCreateDirectoryErrorExitLastObjectSingleSystemWait__cftof
                                  • String ID: ARPSIZE$AiProductCode$AiProductCode64$D$EstimatedSize$FASTOEM$Software\Microsoft\Windows\CurrentVersion\Uninstall\
                                  • API String ID: 2338128787-1690049508
                                  • Opcode ID: 9ed5319ff816721e176ca85dc6ca343b52ff8aaf90f2514d0d2a0376c0fce0d1
                                  • Instruction ID: d3fecaf2c339f17e014995f3d1935858f5b79d82af83e31b5f929b9b744f78c0
                                  • Opcode Fuzzy Hash: 9ed5319ff816721e176ca85dc6ca343b52ff8aaf90f2514d0d2a0376c0fce0d1
                                  • Instruction Fuzzy Hash: 9DF1CF31805248DFDF16EFA4C995BDDBBB4BF14304F4841E9E005AB292EB745E89CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003CEE65
                                  • IsWindow.USER32(?), ref: 003CEE72
                                  • GetClientRect.USER32(?,?), ref: 003CEEBB
                                  • SelectObject.GDI32(?,?), ref: 003CEF38
                                  • SelectObject.GDI32(?,?), ref: 003CEF8F
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                    • Part of subcall function 003AFC9E: _wcslen.LIBCMT ref: 003AFCC7
                                  • SelectObject.GDI32(?,?), ref: 003CF0CE
                                  • SelectObject.GDI32(?,?), ref: 003CF0F8
                                  • GetWindowLongW.USER32(?,000000F0), ref: 003CF119
                                  • SelectObject.GDI32(?,00000000), ref: 003CF179
                                  • OffsetRect.USER32(?,?,00000000), ref: 003CF1B2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ObjectSelect$RectWindow_wcslen$ClientH_prolog3_LongOffset
                                  • String ID: $OpE
                                  • API String ID: 1065587602-2197671406
                                  • Opcode ID: adea9c4be6c5fb4de4894bc14f0c2e4aaa3240685d2409e6893d40af7368f103
                                  • Instruction ID: e0a9eeadb39c6c0716ab111c42bda6ae8ee6caa5e20e641737f67f61d007532a
                                  • Opcode Fuzzy Hash: adea9c4be6c5fb4de4894bc14f0c2e4aaa3240685d2409e6893d40af7368f103
                                  • Instruction Fuzzy Hash: AFB1F671D00119DFDF22CFA4C984BEDBBB6BB08310F244279E919AB1A2DB715945CF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00396AE5
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3__wcslen
                                  • String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
                                  • API String ID: 3251556500-3153392536
                                  • Opcode ID: 87ca5f829c7d9fe21a20723a86f7a8825d6b65e4c0d18aea3d9d7e8206cf5ce8
                                  • Instruction ID: ea5de5b50f1679fbd3aa5d31876b637d5659b498df62576f80926c0cc565581e
                                  • Opcode Fuzzy Hash: 87ca5f829c7d9fe21a20723a86f7a8825d6b65e4c0d18aea3d9d7e8206cf5ce8
                                  • Instruction Fuzzy Hash: 5451D975D01708EACB46FBE8D952BDCB3B9AB18700F60C499F016BB191DB741B09CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0042201E
                                  • GetModuleFileNameW.KERNEL32(00000000,-00000218,00000104,00000214,00421F06,?,00000010,004138F4,00000008, Error:,00000000,Failed to extract file:,00000000,00000104,-00000010,00000000), ref: 0042204C
                                  • _wcslen.LIBCMT ref: 0042207B
                                  • _wcsrchr.LIBVCRUNTIME ref: 0042208E
                                  • _wcslen.LIBCMT ref: 004220B9
                                  • CreateFileW.KERNEL32(00000000,C0000000,00000003,00000000,00000004,00000080,00000000,00000214,00421F06,?,00000010,004138F4,00000008, Error:,00000000,Failed to extract file:), ref: 004220DD
                                  • GetLastError.KERNEL32(00000000,?,00000010,004138F4,00000008, Error:,00000000,Failed to extract file:,00000000,00000104,-00000010,00000000), ref: 004220F6
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000010,004138F4,00000008, Error:,00000000,Failed to extract file:,00000000,00000104,-00000010,00000000), ref: 00422114
                                  • WriteFile.KERNEL32(000000FF,0000FEFF,00000002,-00000220), ref: 0042214B
                                  • FlushFileBuffers.KERNEL32(000000FF), ref: 00422154
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: File$_wcslen$BuffersCreateErrorFlushH_prolog3_LastModuleNamePointerWrite_wcsrchr
                                  • String ID: .log$Logger
                                  • API String ID: 1679108618-950058237
                                  • Opcode ID: 9a370c6dcc84342b71f165d510181072bd037a1c9d53b1e695265908c7938e8c
                                  • Instruction ID: 4c08e6b70fd0438da91f2ece0cf118faa03ef7ac5053c05a428ef63fa9d65c42
                                  • Opcode Fuzzy Hash: 9a370c6dcc84342b71f165d510181072bd037a1c9d53b1e695265908c7938e8c
                                  • Instruction Fuzzy Hash: 0041A370600314BFEB29AB64EE89F7B77A8FF04314F90056EF506966D1DBB86D44CA18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetDC.USER32(00000000), ref: 00388AF1
                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00388B02
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00388B09
                                  • ReleaseDC.USER32(00000000,00000000), ref: 00388B10
                                  • MulDiv.KERNEL32(000009EC,00000000,00000000), ref: 00388B28
                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00388B39
                                  • GetDC.USER32(00000000), ref: 00388B69
                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00388B7A
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00388B81
                                  • ReleaseDC.USER32(00000000,00000000), ref: 00388B88
                                  • MulDiv.KERNEL32(00000000,00000000,000009EC), ref: 00388BA0
                                  • MulDiv.KERNEL32(00000000,?,000009EC), ref: 00388BB5
                                  • __EH_prolog3.LIBCMT ref: 00388BD3
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CapsDevice$Release$H_prolog3
                                  • String ID:
                                  • API String ID: 3259226543-0
                                  • Opcode ID: bfee8d69121844e2229065125b450dacdc597caf6a5961e6225ea4d70a6a9c08
                                  • Instruction ID: 314e1fc971f689901cfd61eac85dcb1a9d825616488e789638925f0ed5e9e54d
                                  • Opcode Fuzzy Hash: bfee8d69121844e2229065125b450dacdc597caf6a5961e6225ea4d70a6a9c08
                                  • Instruction Fuzzy Hash: E431D5B1604705AFE710AF659C49F2BBFA9EF88721F10446EFA44DB281DB719C00CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 00472D8E
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 00471FAD
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 00471FBF
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 00471FD1
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 00471FE3
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 00471FF5
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 00472007
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 00472019
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 0047202B
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 0047203D
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 0047204F
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 00472061
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 00472073
                                    • Part of subcall function 00471F90: _free.LIBCMT ref: 00472085
                                  • _free.LIBCMT ref: 00472D83
                                    • Part of subcall function 0046E727: RtlFreeHeap.NTDLL(00000000,00000000,?,004726FD,?,00000000,?,00000000,?,004729A1,?,00000007,?,?,00472EE2,?), ref: 0046E73D
                                    • Part of subcall function 0046E727: GetLastError.KERNEL32(?,?,004726FD,?,00000000,?,00000000,?,004729A1,?,00000007,?,?,00472EE2,?,?), ref: 0046E74F
                                  • _free.LIBCMT ref: 00472DA5
                                  • _free.LIBCMT ref: 00472DBA
                                  • _free.LIBCMT ref: 00472DC5
                                  • _free.LIBCMT ref: 00472DE7
                                  • _free.LIBCMT ref: 00472DFA
                                  • _free.LIBCMT ref: 00472E08
                                  • _free.LIBCMT ref: 00472E13
                                  • _free.LIBCMT ref: 00472E4B
                                  • _free.LIBCMT ref: 00472E52
                                  • _free.LIBCMT ref: 00472E6F
                                  • _free.LIBCMT ref: 00472E87
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  • Opcode ID: 3e7bc86ff59fa0d3b868fb4d45cf3ec69c9e76773a47bda198fe0dbe1d160165
                                  • Instruction ID: 792df201b22c687d4b185a77ba36aeeda707b1f34eacca0eb783e51533ed51c4
                                  • Opcode Fuzzy Hash: 3e7bc86ff59fa0d3b868fb4d45cf3ec69c9e76773a47bda198fe0dbe1d160165
                                  • Instruction Fuzzy Hash: 2F312F315006059FEB309A3ADE45B9773E8EF04355F14942FE49CD7292EF79AC848729
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen$H_prolog3_
                                  • String ID: FROM `$ ORDER BY $ WHERE $SELECT
                                  • API String ID: 2000020936-854822918
                                  • Opcode ID: c1a69e8cff50b6fbc9904cb03241acba579d13c0557f0ad9637fcae602fe8f41
                                  • Instruction ID: 59e71ff1931cc3e2f7b0e752fe0016bcfab5b594ece967ecf8dfd73d019b8e7c
                                  • Opcode Fuzzy Hash: c1a69e8cff50b6fbc9904cb03241acba579d13c0557f0ad9637fcae602fe8f41
                                  • Instruction Fuzzy Hash: B0710331901654DFCB15EBA4D991BEEBB70BF10304F2404AEE0416F292EB786E45CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 003F68D0: LoadLibraryW.KERNEL32(ComCtl32.dll,36685827,?,?,00000000), ref: 003F690C
                                    • Part of subcall function 003F68D0: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 003F6932
                                    • Part of subcall function 003F68D0: FreeLibrary.KERNEL32(00000000), ref: 003F69AB
                                  • SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 00406822
                                  • GetDC.USER32(00000000), ref: 0040682A
                                  • GetDeviceCaps.GDI32(00000000), ref: 00406831
                                  • MulDiv.KERNEL32(00000009,00000000), ref: 0040683A
                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Courier New,?,?), ref: 00406863
                                  • IsWindow.USER32(00000000), ref: 0040687D
                                  • SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00406894
                                  • GetWindowRect.USER32(?,?), ref: 004068AF
                                  • GetWindowRect.USER32(?,?), ref: 004068C2
                                  • GetWindowRect.USER32(00000000,?), ref: 004068D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$Rect$LibraryMessageSend$AddressCapsCreateDeviceFontFreeLoadProc
                                  • String ID: Courier New
                                  • API String ID: 3093780888-2572734833
                                  • Opcode ID: 48c882044f094244b1988f61a03407be1aee9487262ebbc1912f7e2efda5c529
                                  • Instruction ID: 73a925d5c77db82b37a5077022df3bcca8746c9b00be4ae483827a04638e8a64
                                  • Opcode Fuzzy Hash: 48c882044f094244b1988f61a03407be1aee9487262ebbc1912f7e2efda5c529
                                  • Instruction Fuzzy Hash: D7418571B843087BEB14AF258D47FBF7695EF48B04F01012DBB067A1D1DAB4A8508B59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • InvalidateRect.USER32(?,00000000,00000001,?), ref: 003C106F
                                    • Part of subcall function 003C15AB: __EH_prolog3_catch_GS.LIBCMT ref: 003C15B5
                                    • Part of subcall function 003C15AB: GetClassNameW.USER32(?,?,00000008), ref: 003C15D6
                                    • Part of subcall function 003C15AB: lstrcmpiW.KERNEL32(?,static), ref: 003C15E9
                                    • Part of subcall function 003C15AB: GetWindowLongW.USER32(?,000000F0), ref: 003C1609
                                    • Part of subcall function 003C15AB: LoadCursorW.USER32(00000000,00007F89), ref: 003C1652
                                    • Part of subcall function 003C15AB: SystemParametersInfoW.USER32(0000001F,0000005C,?,00000000), ref: 003C1684
                                    • Part of subcall function 003C13D6: __EH_prolog3_GS.LIBCMT ref: 003C13DD
                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 003C0EB0
                                  • PtInRect.USER32(?,?,?), ref: 003C0F46
                                  • SetFocus.USER32(?), ref: 003C0F57
                                  • PtInRect.USER32(?,?,?), ref: 003C0FAA
                                    • Part of subcall function 003C1302: InvalidateRect.USER32(?,?,00000001,?,00000000,?), ref: 003C13B8
                                  • GetCursorPos.USER32(00000000), ref: 003C100F
                                  • ScreenToClient.USER32(?,00000000), ref: 003C101D
                                  • PtInRect.USER32(?,?,?), ref: 003C103E
                                  • InvalidateRect.USER32(?,00000000,00000001,?), ref: 003C10D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Rect$Invalidate$Cursor$ClassClientFocusH_prolog3_H_prolog3_catch_InfoLoadLongNameParametersScreenSystemWindowlstrcmpi
                                  • String ID:
                                  • API String ID: 3318378839-3916222277
                                  • Opcode ID: 69c3e1462768787fd9c9b3d034c7e653eccaf102e480b07f6e6f3bf3464c9a8a
                                  • Instruction ID: dcbc6ad067d461cdc38b0e24f3c3d69b9cff171c0f9b361be758a5b902c08c96
                                  • Opcode Fuzzy Hash: 69c3e1462768787fd9c9b3d034c7e653eccaf102e480b07f6e6f3bf3464c9a8a
                                  • Instruction Fuzzy Hash: 8D91AA71A04791DFDB2ADF28C884F7E77AAAB85304F01092EF896C3551C7709C85EB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\JavaSoft\Java Development Kit\,00000000,?,?,36685827,?,?,00000000), ref: 0041CB39
                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,00000000), ref: 0041CBE2
                                  • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,00000000), ref: 0041CC19
                                  • RegQueryValueExW.ADVAPI32(?,JavaHome,00000000,00000000,00000000,?,?,?,00000000), ref: 0041CC51
                                  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0041CC80
                                  • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0041CCC9
                                    • Part of subcall function 0038D91C: __EH_prolog3.LIBCMT ref: 0038D923
                                    • Part of subcall function 0038D91C: _wcslen.LIBCMT ref: 0038D953
                                    • Part of subcall function 0038D133: __EH_prolog3.LIBCMT ref: 0038D13A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CloseH_prolog3OpenQueryValue$_wcslen
                                  • String ID: I?$JavaHome$Software\JavaSoft\Java Development Kit\$Software\JavaSoft\Java Runtime Environment\
                                  • API String ID: 2976289594-3754252902
                                  • Opcode ID: 07fec1eccaeca23a7bad23199375fbf1733cd49454a7cef6742d24c675983fd6
                                  • Instruction ID: 90e787fe5d7cadb01b4a999c77c2fd7c0072d551c12a767d6dbeef5bfe068eed
                                  • Opcode Fuzzy Hash: 07fec1eccaeca23a7bad23199375fbf1733cd49454a7cef6742d24c675983fd6
                                  • Instruction Fuzzy Hash: E2818C71D41249AFDB14DFA4DD85BEEBBB8EF08314F10411EE905B7281EB785A08CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0040856A
                                    • Part of subcall function 00408B27: __EH_prolog3.LIBCMT ref: 00408B50
                                    • Part of subcall function 004164BD: __EH_prolog3.LIBCMT ref: 004164C4
                                    • Part of subcall function 004164BD: __Init_thread_footer.LIBCMT ref: 00416512
                                  • _wcslen.LIBCMT ref: 00408605
                                  • _wcslen.LIBCMT ref: 00408621
                                    • Part of subcall function 00390F2F: __EH_prolog3.LIBCMT ref: 00390FBD
                                  • _wcslen.LIBCMT ref: 00408708
                                  • _wcslen.LIBCMT ref: 0040872F
                                  • _wcslen.LIBCMT ref: 00408786
                                  • _wcslen.LIBCMT ref: 0040879F
                                    • Part of subcall function 00416691: __EH_prolog3.LIBCMT ref: 00416698
                                    • Part of subcall function 003B8EC1: _wcsstr.LIBVCRUNTIME ref: 003B8EDB
                                    • Part of subcall function 0038CE6D: __EH_prolog3.LIBCMT ref: 0038CE74
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen$H_prolog3$H_prolog3_Init_thread_footer_wcsstr
                                  • String ID: Search result:$Searching for:$Wrong OS or Os language for:
                                  • API String ID: 28953760-3777236843
                                  • Opcode ID: de075702cee7c40b23f121939cde5b6d700e817c9d3769b5f71d9ead36224b29
                                  • Instruction ID: 9396a10d436ec56c4cf03956350631ee18ff22556f572e7cd7a80ac81b3b1d0e
                                  • Opcode Fuzzy Hash: de075702cee7c40b23f121939cde5b6d700e817c9d3769b5f71d9ead36224b29
                                  • Instruction Fuzzy Hash: D3716F70901208AFCB19FBA4D995EAE7778AF10308F1041AFF4526B2E2DF785A09C71D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID: EXCEPTION_CMD$EXCEPTION_GENERIC$EXCEPTION_SEH$EXCEPTION_STD$EXCEPTION_UNHANDLED$EXCEPTION_WIN32$EXCEPTION_XML_PARSE$Exception ???$h)P
                                  • API String ID: 176396367-79770911
                                  • Opcode ID: a5d7483e56ffd9f3f195d2b55461c16e895e4553ea2fc6064b4fa204d1483e87
                                  • Instruction ID: 4a7211ee6eb092f11c3deff58e39b3e745b224cb0da97b06d7c32226be8fd2bf
                                  • Opcode Fuzzy Hash: a5d7483e56ffd9f3f195d2b55461c16e895e4553ea2fc6064b4fa204d1483e87
                                  • Instruction Fuzzy Hash: AA515871A00B559BC705AB798C81BAEB2A8EF04310F21073BF412C76D2E774B954C3A7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryW.KERNEL32(kernel32.dll,?,?,0041C43A), ref: 004245A7
                                    • Part of subcall function 003F8310: FreeLibrary.KERNEL32(00000000,?,?,00427235,00000000), ref: 003F8324
                                  • GetProcAddress.KERNEL32(76EB0000,Wow64DisableWow64FsRedirection), ref: 004245CE
                                  • GetProcAddress.KERNEL32(Wow64RevertWow64FsRedirection), ref: 004245E0
                                  • GetProcAddress.KERNEL32(IsWow64Process), ref: 004245F2
                                  • GetCurrentProcess.KERNEL32(00000000,?,00000000,?,?,0041C43A), ref: 00424603
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: AddressProc$Library$CurrentFreeLoadProcess
                                  • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$`hv$kernel32.dll
                                  • API String ID: 1085388015-1940349634
                                  • Opcode ID: e30cb9da17fecf5eca6f2683a5696b72ef310391ec699970023e80c48c2c226b
                                  • Instruction ID: cd3976dcd45e8f0da12a8f03dd5228830239962f8272e6ca00c3506f531b8472
                                  • Opcode Fuzzy Hash: e30cb9da17fecf5eca6f2683a5696b72ef310391ec699970023e80c48c2c226b
                                  • Instruction Fuzzy Hash: 4501A771D00228BBCB20DBB4AE44B6B3FD8DB09B00B050476E500D3261D6BCD958CB9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowRect.USER32(00000000,?), ref: 0042A4A1
                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0042A4C1
                                  • InvalidateRect.USER32(00000000,00000000,00000001), ref: 0042A7D0
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: RectWindow$InvalidatePoints
                                  • String ID:
                                  • API String ID: 937769350-0
                                  • Opcode ID: 585568a55d0ac9fa9489a4f63e2dc89133d72057c0fb0c9159b65e300217f1cc
                                  • Instruction ID: c266faac7a9c2ae0104c934f1003a533810eb177f7c7cb54789a5c9d0b8f9774
                                  • Opcode Fuzzy Hash: 585568a55d0ac9fa9489a4f63e2dc89133d72057c0fb0c9159b65e300217f1cc
                                  • Instruction Fuzzy Hash: E8D1F871208201AFD748CF6CD985A6BBBF5BF88300F488A2DF985CB255D734E915CB5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003BA219
                                  • SendMessageW.USER32(00000000,0000112C,00000004,00000004), ref: 003BA267
                                  • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 003BA2A7
                                  • __Init_thread_footer.LIBCMT ref: 003BA2BB
                                    • Part of subcall function 0045AFEB: EnterCriticalSection.KERNEL32(004FE6B0,?,?,?,0038D372,004FF2C8,00000000,0038D932,00000004,00427572,?,00000008,004274FF,00000000,00000000), ref: 0045AFF6
                                    • Part of subcall function 0045AFEB: LeaveCriticalSection.KERNEL32(004FE6B0,?,?,?,0038D372,004FF2C8,00000000,0038D932,00000004,00427572,?,00000008,004274FF,00000000,00000000), ref: 0045B033
                                  • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 003BA2F1
                                  • __Init_thread_footer.LIBCMT ref: 003BA301
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: AddressCriticalInit_thread_footerProcSection$EnterH_prolog3LeaveMessageSend
                                  • String ID: GetWindowTheme$SetWindowTheme$explorer
                                  • API String ID: 3374916797-3918015609
                                  • Opcode ID: 3a09c28fe7c68258000f9cd5be59307fa458bcc603c1902640ee3f36b37b7db7
                                  • Instruction ID: 7a5ca812a12759753c715fe025ad950e07275b2b4c44557269685228d05ad726
                                  • Opcode Fuzzy Hash: 3a09c28fe7c68258000f9cd5be59307fa458bcc603c1902640ee3f36b37b7db7
                                  • Instruction Fuzzy Hash: 7021D435144B00AFEB21AB74DD49B8D37F0FF0172AF20861EF7119B5E1CB7568049A29
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003ACA6C
                                  • GetWindowDC.USER32(?,?,?), ref: 003ACA95
                                  • GetWindowRect.USER32(?,?), ref: 003ACAB1
                                  • GetRgnBox.GDI32(?,?), ref: 003ACAD3
                                  • IntersectRect.USER32(?,?,?), ref: 003ACAEC
                                  • OffsetRect.USER32(?,?,00000000), ref: 003ACB0A
                                  • CreateRectRgn.GDI32(?,?,?,?), ref: 003ACB4D
                                  • SelectClipRgn.GDI32(00000000,00000000), ref: 003ACB5A
                                  • DeleteObject.GDI32(00000000), ref: 003ACB7F
                                  • DeleteDC.GDI32(00000000), ref: 003ACB9C
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Rect$DeleteWindow$ClipCreateH_prolog3_IntersectObjectOffsetSelect
                                  • String ID:
                                  • API String ID: 3040978359-0
                                  • Opcode ID: b2a2850c610045024f31ac6e6fbca92b23d231618140b88c5bbcd5e4e43e0481
                                  • Instruction ID: 322bbdd4e1caf4bcf7af677f42db9fe33d2f2267d2dc7863545b4281a4cb1146
                                  • Opcode Fuzzy Hash: b2a2850c610045024f31ac6e6fbca92b23d231618140b88c5bbcd5e4e43e0481
                                  • Instruction Fuzzy Hash: 5D416872D10219AFDB11CFA4C988BEEBBB9FF19311F154119E802B7250DBB5A951CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID: 'Xh6$HKEY_CLASSES_ROOT$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS
                                  • API String ID: 176396367-3865557340
                                  • Opcode ID: ff12a8ba05f73266e88a8aa18561c3a2013d31e890b49cf4b6c35510ede7a4d8
                                  • Instruction ID: bdec474c2f8bfacfe9d79e6c8fb7d96b00a6832a845678ee1159ded9fb9ea898
                                  • Opcode Fuzzy Hash: ff12a8ba05f73266e88a8aa18561c3a2013d31e890b49cf4b6c35510ede7a4d8
                                  • Instruction Fuzzy Hash: C1C1F3B1A002059FCB198F78C88067E77A4FF44364F21072AEA26D76D2E774A954CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003D0994
                                    • Part of subcall function 00390B79: __EH_prolog3.LIBCMT ref: 00390B80
                                    • Part of subcall function 00390B79: BeginPaint.USER32(?,?,00000004,0038FC52,?,?,?,?,?,?,0038F278,?,?,?,?,?), ref: 00390B9C
                                    • Part of subcall function 003880D1: CallWindowProcW.USER32(?,?,?,?,?), ref: 003880E9
                                  • SelectObject.GDI32(?,?), ref: 003D0A1F
                                  • SetBkMode.GDI32(?,00000001), ref: 003D0A2D
                                  • SetTextColor.GDI32(?), ref: 003D0A6A
                                  • GetWindowLongW.USER32(00000000), ref: 003D0A7C
                                  • SendMessageW.USER32(00000000), ref: 003D0A99
                                    • Part of subcall function 003D1703: __EH_prolog3_GS.LIBCMT ref: 003D170A
                                    • Part of subcall function 003D1703: _wcslen.LIBCMT ref: 003D174D
                                  • SelectObject.GDI32(?,?), ref: 003D0B16
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_ObjectSelectWindow$BeginCallColorH_prolog3LongMessageModePaintProcSendText_wcslen
                                  • String ID: OpE
                                  • API String ID: 2639182382-2903432966
                                  • Opcode ID: d21c3481c5b3feccc586cd24153d678672379f8b22e845ef5d2826b7fc579611
                                  • Instruction ID: 1f3ae60bab460913c21e5e9081ab863017a1b73a89d1673fe8103001ec5973c2
                                  • Opcode Fuzzy Hash: d21c3481c5b3feccc586cd24153d678672379f8b22e845ef5d2826b7fc579611
                                  • Instruction Fuzzy Hash: FF516D71A003489FDF19EFE4C899AACBBB2FF84301F108159F946AF2A5CB709955DB10
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 004280BA
                                  • SendMessageW.USER32(00000000,00000406,00000000,?), ref: 004280E5
                                    • Part of subcall function 0042B904: GetWindowLongW.USER32(?,000000F0), ref: 0042B912
                                    • Part of subcall function 0042B904: GetParent.USER32(?), ref: 0042B920
                                    • Part of subcall function 0038889A: SetWindowLongW.USER32(?,000000FC,00000000), ref: 003888D0
                                    • Part of subcall function 003ADE77: GetWindowLongW.USER32(00000001,000000F0), ref: 003ADE7E
                                    • Part of subcall function 0038716B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 003871AF
                                  • IsWindow.USER32(?), ref: 00428154
                                  • SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0042816A
                                    • Part of subcall function 003C1BDA: SendMessageW.USER32(?,00000432,00000000,?), ref: 003C1C11
                                  • SetWindowTextW.USER32(?,00000000), ref: 004281AB
                                  • EnableWindow.USER32(00000000,00000000), ref: 004281F6
                                  • SetEvent.KERNEL32(?,000000DA), ref: 00428243
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$LongMessageSend$CreateEnableEventH_prolog3ParentText
                                  • String ID: tooltips_class32
                                  • API String ID: 820836690-1918224756
                                  • Opcode ID: ba08538fe81a03a8bf6fcf403584edb514244d6b680d40d4a27bc8db07f681a0
                                  • Instruction ID: dfd309b148f9c9dbb788580279e0a42507ba9e803d25a3b6d187e840fbb64970
                                  • Opcode Fuzzy Hash: ba08538fe81a03a8bf6fcf403584edb514244d6b680d40d4a27bc8db07f681a0
                                  • Instruction Fuzzy Hash: 23418170B00611BFEB15AF64DC4AF7A7BA5FF09701F404169F201DA5E0CBB4A824CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 004221E0
                                    • Part of subcall function 0038CE6D: __EH_prolog3.LIBCMT ref: 0038CE74
                                  • _wcslen.LIBCMT ref: 00422263
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3$_wcslen
                                  • String ID: $OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86
                                  • API String ID: 821321042-3481732494
                                  • Opcode ID: 17feb2113f31ece638a2c86950dfe52f28040a65c612c2a4525c78481054b2dd
                                  • Instruction ID: da02d0e93ff256902db49594d14f0353a5495eb04281aca64d3f1cabac971c45
                                  • Opcode Fuzzy Hash: 17feb2113f31ece638a2c86950dfe52f28040a65c612c2a4525c78481054b2dd
                                  • Instruction Fuzzy Hash: E00128B5E002185BDF56AAA08C51BFF76B0EF49301F0040ADF1057A282C7BD4F449BA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowLongW.USER32(?,000000EB), ref: 004064F4
                                  • DeleteObject.GDI32(?), ref: 00406540
                                    • Part of subcall function 00405DD0: IsWindowVisible.USER32 ref: 00405DE6
                                    • Part of subcall function 00405DD0: SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00405E02
                                    • Part of subcall function 00405DD0: GetWindowLongW.USER32(?,000000F0), ref: 00405E08
                                    • Part of subcall function 00405DD0: GetWindowRect.USER32(00000000,?), ref: 00405E92
                                    • Part of subcall function 00405DD0: MapWindowPoints.USER32(00000000,?,00000002,00000002), ref: 00405EA3
                                  • IsWindowVisible.USER32(00000000), ref: 004065CC
                                  • GetWindowTextW.USER32(00000000,?,00000001), ref: 00406696
                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040677D
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$LongTextVisible$DeleteLengthMessageObjectPointsRectSend
                                  • String ID:
                                  • API String ID: 674981278-0
                                  • Opcode ID: 517bc79616a20763907b4c44ed2be4263397251dc259adf876819d8e73e449f4
                                  • Instruction ID: ae32ed5bf3899ba39f1a0f79b480ade6beaf0b6bbb1a64c0be7aac1c9481e9ac
                                  • Opcode Fuzzy Hash: 517bc79616a20763907b4c44ed2be4263397251dc259adf876819d8e73e449f4
                                  • Instruction Fuzzy Hash: FB817F31A002059BDB149F68C888BBF7BB5EB48318F21463BE513F72D0D7799961CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003C67B8
                                  • GetWindowDC.USER32(?,0000004C,003C6598), ref: 003C67D2
                                  • GetWindowRect.USER32(?,?), ref: 003C67EE
                                  • IsWindowEnabled.USER32(?), ref: 003C67FD
                                  • SelectObject.GDI32(00000000,00000000), ref: 003C6854
                                  • ExcludeClipRect.GDI32(?,?,?,?,?), ref: 003C689F
                                  • SelectObject.GDI32(?,?), ref: 003C68B8
                                  • DeleteObject.GDI32(?), ref: 003C68C9
                                  • DeleteDC.GDI32(?), ref: 003C68E5
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ObjectWindow$DeleteRectSelect$ClipEnabledExcludeH_prolog3_
                                  • String ID:
                                  • API String ID: 2530160996-0
                                  • Opcode ID: 8730ba476ab2f5d822e8e728614ff7ec29c812d74b8170da1b09b008b7669e50
                                  • Instruction ID: 9566663ed83f5a932f8a8c216f1a2481da33c07351ab2e7d52287d9df06e1e2d
                                  • Opcode Fuzzy Hash: 8730ba476ab2f5d822e8e728614ff7ec29c812d74b8170da1b09b008b7669e50
                                  • Instruction Fuzzy Hash: 50416A71D00219AFDF01CFA8D888AEEBBB5EF89710F118169F905B7254CB705D41DB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00394CCE
                                  • GetWindowDC.USER32(?,0000004C,00394AAE), ref: 00394CE8
                                  • GetWindowRect.USER32(?,?), ref: 00394D04
                                  • IsWindowEnabled.USER32(?), ref: 00394D13
                                  • SelectObject.GDI32(00000000,00000000), ref: 00394D6A
                                  • ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00394DB5
                                  • SelectObject.GDI32(?,?), ref: 00394DCE
                                  • DeleteObject.GDI32(?), ref: 00394DDF
                                  • DeleteDC.GDI32(?), ref: 00394DFB
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ObjectWindow$DeleteRectSelect$ClipEnabledExcludeH_prolog3_
                                  • String ID:
                                  • API String ID: 2530160996-0
                                  • Opcode ID: 98086093927f1e05508405b91407a5926d899acd5fe22816905ed33d9c7b1a2a
                                  • Instruction ID: 574579da85b50556ba3e10560415430b6783966e8f073b1f64b413db99c8d2d8
                                  • Opcode Fuzzy Hash: 98086093927f1e05508405b91407a5926d899acd5fe22816905ed33d9c7b1a2a
                                  • Instruction Fuzzy Hash: 4E415871D00219AFDF01CFA8D8889EEBBBAEF89311F118169F905BB215CB705D41CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID: ^)F$^)F$^)F
                                  • API String ID: 1036877536-885150357
                                  • Opcode ID: ded5c8c97c0d4c48c4a61de6c886a567655edcaeb56214606cba711e24d5f2de
                                  • Instruction ID: a506e426f90c4ac10438e716fd5751ddb63609430d78f091bdb34374fd7f30a0
                                  • Opcode Fuzzy Hash: ded5c8c97c0d4c48c4a61de6c886a567655edcaeb56214606cba711e24d5f2de
                                  • Instruction Fuzzy Hash: 16A157799003869FEB21CF1AC8917AEBBE1EF51314F18416FE5859B381E23C9D42C75A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003A2326
                                    • Part of subcall function 003D3AED: __EH_prolog3.LIBCMT ref: 003D3AF4
                                    • Part of subcall function 003A3118: __EH_prolog3_GS.LIBCMT ref: 003A311F
                                    • Part of subcall function 003A2EC4: __EH_prolog3.LIBCMT ref: 003A2ECB
                                    • Part of subcall function 003A2EC4: GetDC.USER32(00000000), ref: 003A2F72
                                    • Part of subcall function 003A2EC4: GetDeviceCaps.GDI32(00000000,0000005A), ref: 003A2F84
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3H_prolog3_$CapsDevice_wcslen
                                  • String ID: "$+':$AI_CF_SYS_BTNS_SPACING$AI_CF_SYS_BTNS_XPOS$AI_CF_SYS_BTNS_YPOS$AI_CF_SYS_BTNS_YPOS_FROM_FRAME
                                  • API String ID: 990172707-1575384059
                                  • Opcode ID: 77fd859296f1e983c1a82470754f06114557e5dc47ef743c402737276d341ccf
                                  • Instruction ID: 2477f1b8270129146d8ba85670dcdc1a0e0c6c1122f94b69fc05c2a0b67cbcb2
                                  • Opcode Fuzzy Hash: 77fd859296f1e983c1a82470754f06114557e5dc47ef743c402737276d341ccf
                                  • Instruction Fuzzy Hash: 55C18D31A02686EEC70AEF74D5957DDFBB0BF21304F50415EE0696B292DB742B18CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003B60F4
                                    • Part of subcall function 003CF6C4: __EH_prolog3.LIBCMT ref: 003CF6CB
                                    • Part of subcall function 003B9A0E: __EH_prolog3.LIBCMT ref: 003B9A15
                                    • Part of subcall function 003B9A0E: GetSysColor.USER32(00000011), ref: 003B9B39
                                    • Part of subcall function 00392E25: GetSysColor.USER32 ref: 00392E64
                                    • Part of subcall function 003993AE: __EH_prolog3.LIBCMT ref: 003993B5
                                    • Part of subcall function 0039CFD9: __EH_prolog3_catch.LIBCMT ref: 0039CFE0
                                    • Part of subcall function 003B8858: __EH_prolog3_GS.LIBCMT ref: 003B885F
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3$ColorH_prolog3_$H_prolog3_catch_wcslen
                                  • String ID: AI_BOOTSTRAPPER$AI_TREE_CHECK_BOX_IMAGES$PrereqInstallAction$PrereqInstalled$PrereqMandatoryInstallAction$PrereqSkipAction
                                  • API String ID: 3790551384-4288813253
                                  • Opcode ID: 910aecc3d610a4083138ab1db711cc242625f8798dcfd2e90e4a56f5fc666835
                                  • Instruction ID: 38044794f8aca9cb8e42366112f5a3d2410743ad3dd189d47a72e6f820a652ef
                                  • Opcode Fuzzy Hash: 910aecc3d610a4083138ab1db711cc242625f8798dcfd2e90e4a56f5fc666835
                                  • Instruction Fuzzy Hash: 3EB16F70805748DFCB16DFA8C544BCDBFF0AF59304F14849DE04AAB262EB746A09DB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_
                                  • String ID: Back$Cancel$Finish$Install$Next$list<T> too long
                                  • API String ID: 2427045233-4031523124
                                  • Opcode ID: ce216de4cdf0ef007f0ef17febe733ed8fd487b7ba9fd245427beeea98d459fb
                                  • Instruction ID: 9dc5e5e8d771c535cafd64df1ad65648ef7a7b5da47ee79cbaa0c54bbb508086
                                  • Opcode Fuzzy Hash: ce216de4cdf0ef007f0ef17febe733ed8fd487b7ba9fd245427beeea98d459fb
                                  • Instruction Fuzzy Hash: 92816971A012049FCF19DFA8C585AADBBF5FF49304F2541ADE806AB352DB30AD45CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 003BA509
                                  • GetClientRect.USER32(00000000,?), ref: 003BA5E6
                                  • ShowWindow.USER32(?,00000000), ref: 003BA63E
                                  • ShowWindow.USER32(?,00000000), ref: 003BA653
                                  • ShowWindow.USER32(?,00000000), ref: 003BA6FF
                                  • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 003BA70F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$Show$ClientRect$Redraw
                                  • String ID: EnE
                                  • API String ID: 1450220205-1960338703
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 004164C4
                                    • Part of subcall function 0045AFEB: EnterCriticalSection.KERNEL32(004FE6B0,?,?,?,0038D372,004FF2C8,00000000,0038D932,00000004,00427572,?,00000008,004274FF,00000000,00000000), ref: 0045AFF6
                                    • Part of subcall function 0045AFEB: LeaveCriticalSection.KERNEL32(004FE6B0,?,?,?,0038D372,004FF2C8,00000000,0038D932,00000004,00427572,?,00000008,004274FF,00000000,00000000), ref: 0045B033
                                    • Part of subcall function 004167AC: __EH_prolog3.LIBCMT ref: 004167B6
                                    • Part of subcall function 0045AE13: __onexit.LIBCMT ref: 0045AE19
                                  • __Init_thread_footer.LIBCMT ref: 00416512
                                    • Part of subcall function 0045AFA1: EnterCriticalSection.KERNEL32(004FE6B0,004FF2CC,?,0038D422,004FF2CC,004A5C49,00000000,0038D932,00000004,00427572,?,00000008,004274FF,00000000,00000000), ref: 0045AFAB
                                    • Part of subcall function 0045AFA1: LeaveCriticalSection.KERNEL32(004FE6B0,?,?,?,?,?,?,?,004275F8), ref: 0045AFDE
                                  Strings
                                  • h0P, xrefs: 004165B8
                                  • Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64, xrefs: 00416537
                                  • version, xrefs: 004165A7
                                  • d0P, xrefs: 004164E5
                                  • Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86, xrefs: 00416565
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterH_prolog3Leave$Init_thread_footer__onexit
                                  • String ID: Windows 9x/ME/NT/2000/XP/Vista/Windows 7/Windows 8 x86/Windows 8.1 x86/Windows 10 x86$Windows XP/Vista/Windows 7/Windows 8 x64/Windows 8.1 x64/Windows 10 x64$d0P$h0P$version
                                  • API String ID: 2874285785-2779389575
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,LockServiceDatabase), ref: 003F81FC
                                  • GetProcAddress.KERNEL32(00000000,UnlockServiceDatabase), ref: 003F821D
                                  • GetLastError.KERNEL32 ref: 003F8230
                                  • GetLastError.KERNEL32 ref: 003F823D
                                  • GetLastError.KERNEL32 ref: 003F824C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLast$AddressProc
                                  • String ID: LockServiceDatabase$UnlockServiceDatabase
                                  • API String ID: 1975335638-211437345
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0046E58A: GetLastError.KERNEL32(?,00000010,00461A6F,00000010,?,?,004613F8,?,?,00000010,00000002), ref: 0046E58E
                                    • Part of subcall function 0046E58A: _free.LIBCMT ref: 0046E5C1
                                    • Part of subcall function 0046E58A: SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E602
                                    • Part of subcall function 0046E58A: _abort.LIBCMT ref: 0046E608
                                  • _free.LIBCMT ref: 0046B00E
                                  • _free.LIBCMT ref: 0046B027
                                  • _free.LIBCMT ref: 0046B059
                                  • _free.LIBCMT ref: 0046B062
                                  • _free.LIBCMT ref: 0046B06E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _free$ErrorLast$_abort
                                  • String ID: PA8
                                  • API String ID: 1702784200-1386033528
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _strlen_wcslen
                                  • String ID: *** Stack Trace (x86) ***$'Xh6$'Xh6$Unknown exception
                                  • API String ID: 2847511282-2765867666
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0043615A
                                    • Part of subcall function 00395BC3: _wcslen.LIBCMT ref: 00395BEB
                                    • Part of subcall function 0042ED81: __EH_prolog3.LIBCMT ref: 0042ED88
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3H_prolog3__wcslen
                                  • String ID: AiDlgHeight$AiDlgWeight$AiGifCommand$AiRefreshCost$AiRefreshDlg
                                  • API String ID: 1523997010-2845550424
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetTempPathW.KERNEL32(00000104,?,36685827,?,00000000,00000000), ref: 003F88D1
                                  • DeleteFileW.KERNEL32(?,?,00000000,00000000), ref: 003F8988
                                    • Part of subcall function 0038D32D: GetProcessHeap.KERNEL32(00000000,0038D932,00000004,00427572,?,00000008,004274FF,00000000,00000000,?,?,?,?,?,?), ref: 0038D37F
                                    • Part of subcall function 0038D32D: __Init_thread_footer.LIBCMT ref: 0038D3AF
                                    • Part of subcall function 0038D32D: __Init_thread_footer.LIBCMT ref: 0038D41D
                                  • GetTempFileNameW.KERNEL32(?,log,00000000,?,?,00000000,00000000), ref: 003F894B
                                    • Part of subcall function 0038D32D: __EH_prolog3.LIBCMT ref: 0038D334
                                  • _wcslen.LIBCMT ref: 003F89DE
                                  • HeapFree.KERNEL32(?,00000000,?,00000000), ref: 003F8A47
                                    • Part of subcall function 0038D89E: __CxxThrowException@8.LIBVCRUNTIME ref: 0038D870
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: FileHeapInit_thread_footerTemp$DeleteException@8FreeH_prolog3NamePathProcessThrow_wcslen
                                  • String ID: log
                                  • API String ID: 253203326-2403297477
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PtInRect.USER32(?,?,?), ref: 003A2A80
                                  • PtInRect.USER32(?,?,?), ref: 003A2ADC
                                  • PtInRect.USER32(?,?,?), ref: 003A2AAE
                                    • Part of subcall function 003A36BF: GetWindowLongW.USER32(?,000000EC), ref: 003A36DB
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Rect$LongWindow
                                  • String ID:
                                  • API String ID: 3928257471-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00426E2D
                                  • _wcsrchr.LIBVCRUNTIME ref: 00426E3B
                                    • Part of subcall function 00386D83: __EH_prolog3.LIBCMT ref: 00386D8A
                                    • Part of subcall function 0038CE6D: __EH_prolog3.LIBCMT ref: 0038CE74
                                  • DeleteFileW.KERNEL32(?), ref: 00426EC5
                                  • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00426F90
                                    • Part of subcall function 0041CD72: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,36685827,?,?,?,?,?,00000000,00499B7D,000000FF), ref: 0041CDC1
                                    • Part of subcall function 0041CD72: ReadFile.KERNEL32(00000000,?,000003FF,?,00000000,?,?,?,?,?,00000000,00499B7D,000000FF), ref: 0041CDEB
                                    • Part of subcall function 0041CD72: CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00499B7D,000000FF), ref: 0041CE8B
                                    • Part of subcall function 0041B1D6: LoadStringW.USER32(000000CA,?,00000514,36685827), ref: 0041B229
                                  • _wcsrchr.LIBVCRUNTIME ref: 00426F11
                                  Strings
                                  • --verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 00426E7F
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: File$H_prolog3$Delete_wcsrchr$CloseCreateHandleLoadReadString
                                  • String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
                                  • API String ID: 1055801165-3685554107
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 003E0124
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 003E0144
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 003E016C
                                  • std::_Facet_Register.LIBCPMT ref: 003E0257
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 003E0289
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID: @r>
                                  • API String ID: 459529453-1404260877
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 003E4F54
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 003E4F74
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 003E4F9C
                                  • std::_Facet_Register.LIBCPMT ref: 003E507D
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 003E50AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                  • String ID: @r>
                                  • API String ID: 459529453-1404260877
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0041C461
                                    • Part of subcall function 003FA490: HeapFree.KERNEL32(?,00000000,?,?,?,?), ref: 003FA511
                                  • GetLastError.KERNEL32 ref: 0041C558
                                    • Part of subcall function 003870E1: __EH_prolog3.LIBCMT ref: 00387141
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041C573
                                  • GetExitCodeProcess.KERNEL32 ref: 0041C57D
                                  • CloseHandle.KERNEL32(00000000), ref: 0041C58C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3$CloseCodeErrorExitFreeHandleHeapLastObjectProcessSingleWait
                                  • String ID: open
                                  • API String ID: 2803962761-2758837156
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0041ACC7
                                  • RegCloseKey.ADVAPI32(00000000,00000014,00419D27,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0041AD0B
                                  • _wcsrchr.LIBVCRUNTIME ref: 0041AD1F
                                  • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000014,00419D27,00000000,00000000,00000000), ref: 0041AD93
                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000014,00419D27,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0041ADBA
                                    • Part of subcall function 0041AC3A: __EH_prolog3.LIBCMT ref: 0041AC41
                                    • Part of subcall function 0041AC3A: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,00000000,?,00000001,0000005C,00000000,0000000C,0041A43F,?,?,00000014,00419CD4,00000000), ref: 0041AC9E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CloseH_prolog3$OpenQueryValue_wcsrchr
                                  • String ID: I?
                                  • API String ID: 2264145215-1355892355
                                  • Opcode ID: a6fee72f6bc1949b94fe65c873465bb52cb58c965c38fcaae53a0199ca025217
                                  • Instruction ID: 7ef7e89a6a3e2e4cd19dda60f11ac16187ca5b7137b70d75b3f31e16db0b7f23
                                  • Opcode Fuzzy Hash: a6fee72f6bc1949b94fe65c873465bb52cb58c965c38fcaae53a0199ca025217
                                  • Instruction Fuzzy Hash: 3331057080238AEBDF01DFA4D819BEF7BB5AF80304F10815EF81197292DB788A55CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003BA914
                                  • BeginPaint.USER32(00000000,?), ref: 003BA93E
                                  • GetClientRect.USER32(00000000,?), ref: 003BA957
                                  • GetSysColor.USER32(0000000F), ref: 003BA97B
                                  • FillRect.USER32(00000000,?,00000000), ref: 003BA9C5
                                  • EndPaint.USER32(00000001,?), ref: 003BA9D6
                                  • DeleteObject.GDI32(00000000), ref: 003BA9E5
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: PaintRect$BeginClientColorDeleteFillH_prolog3_Object
                                  • String ID:
                                  • API String ID: 3649624617-0
                                  • Opcode ID: c835d24a7b19058346650a249b6e035a371fc928b658511a5066444d4ce03cc6
                                  • Instruction ID: b80b1fe1239e57ab02a7a73d3fe419504be3d8e5023a3396741d8758947bfabc
                                  • Opcode Fuzzy Hash: c835d24a7b19058346650a249b6e035a371fc928b658511a5066444d4ce03cc6
                                  • Instruction Fuzzy Hash: 1E3178B2C00608ABDB10DFB0CD49BEDBBB9FF08304F254229B901A7151DB745990DBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(?,0000001A,00000000,00000000), ref: 003BA886
                                  • SendMessageW.USER32(?,0000001A,00000000,00000000), ref: 003BA890
                                  • GetClientRect.USER32(?,?), ref: 003BA8A2
                                  • SendMessageW.USER32(?,0000001A,00000000,00000000), ref: 003BA8B0
                                  • SendMessageW.USER32(?,0000001A,00000000,00000000), ref: 003BA8BA
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003BA8CE
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003BA8DC
                                    • Part of subcall function 003BB0FB: SendMessageW.USER32(?,00001205,00000000,?), ref: 003BB132
                                    • Part of subcall function 003BA4D6: GetClientRect.USER32(?,?), ref: 003BA509
                                    • Part of subcall function 003BA4D6: GetClientRect.USER32(00000000,?), ref: 003BA5E6
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSend$ClientRect
                                  • String ID:
                                  • API String ID: 1925248871-0
                                  • Opcode ID: a4afb419a6fab10313005fa0b0d199cb5bb13a12bf9c780142edc9498df06997
                                  • Instruction ID: 1e8b05fe39ed9834d72d8b3267a1acd65da9674c68010a41d5bbf231849425ef
                                  • Opcode Fuzzy Hash: a4afb419a6fab10313005fa0b0d199cb5bb13a12bf9c780142edc9498df06997
                                  • Instruction Fuzzy Hash: EE11D331740308BBEB21BF258C46FABBF5AEF85710F114125FA005E0D1DAE1A810DAE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 004726CF: _free.LIBCMT ref: 004726F8
                                  • _free.LIBCMT ref: 004729D6
                                    • Part of subcall function 0046E727: RtlFreeHeap.NTDLL(00000000,00000000,?,004726FD,?,00000000,?,00000000,?,004729A1,?,00000007,?,?,00472EE2,?), ref: 0046E73D
                                    • Part of subcall function 0046E727: GetLastError.KERNEL32(?,?,004726FD,?,00000000,?,00000000,?,004729A1,?,00000007,?,?,00472EE2,?,?), ref: 0046E74F
                                  • _free.LIBCMT ref: 004729E1
                                  • _free.LIBCMT ref: 004729EC
                                  • _free.LIBCMT ref: 00472A40
                                  • _free.LIBCMT ref: 00472A4B
                                  • _free.LIBCMT ref: 00472A56
                                  • _free.LIBCMT ref: 00472A61
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 8073c13efb6c1d246f7186b07917a16f3fe7d123f1632836b1a69653e4a38381
                                  • Instruction ID: c58a9e2bfe21d60f353dde17c1ade08aeafab33463a569f0bca2d2fb72a1f1f3
                                  • Opcode Fuzzy Hash: 8073c13efb6c1d246f7186b07917a16f3fe7d123f1632836b1a69653e4a38381
                                  • Instruction Fuzzy Hash: 27118131541B04BAD520B7B2CE47FCB77DCAF04745F40881FB29D660A3EAADB5484669
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0045873A
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00458745
                                  • std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00458758
                                  • _Atexit.LIBCPMT ref: 00458775
                                    • Part of subcall function 0045A416: EncodePointer.KERNEL32(003DF687,?,0045877A,00458919,00000000,00000004,003DF687,00000001), ref: 0045A42F
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004587D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Lockitstd::_$AtexitEncodeH_prolog3LocimpLocimp::_Lockit::_Lockit::~_New_Pointerstd::locale::_
                                  • String ID: PA8
                                  • API String ID: 1413381613-1386033528
                                  • Opcode ID: bde3cbf73b4fccaf9ddfaff6501c8a387f0e041cdb7ffa40ecd21d4321d56303
                                  • Instruction ID: b0783bc160a6d3a7aaeda65a5cbb626925daef5a787fa7e357f17ae3faf16c73
                                  • Opcode Fuzzy Hash: bde3cbf73b4fccaf9ddfaff6501c8a387f0e041cdb7ffa40ecd21d4321d56303
                                  • Instruction Fuzzy Hash: AC11C2756042109BC705EB62EC4867D7BA1BB94306F18405FEC01A73A3CF385A19CB8E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003C855C
                                  • EnterCriticalSection.KERNEL32(004FF498,00000008,003C7B91,00000078,003C72E9,?), ref: 003C8583
                                  • LoadLibraryW.KERNEL32(uxtheme.dll), ref: 003C859B
                                  • FreeLibrary.KERNEL32(00000000), ref: 003C85B3
                                  • LeaveCriticalSection.KERNEL32(004FF498), ref: 003C85BA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CriticalLibrarySection$EnterFreeH_prolog3LeaveLoad
                                  • String ID: uxtheme.dll
                                  • API String ID: 3261817684-291804724
                                  • Opcode ID: 5962bf6f1bb54e97180b9437d9dc422ed2416bb7a21c2e228c5992f7fedda50a
                                  • Instruction ID: 79e1ae1aedb9f53afdbac126ab780ca9e127e94e6948e7d77e26e37fcac770f6
                                  • Opcode Fuzzy Hash: 5962bf6f1bb54e97180b9437d9dc422ed2416bb7a21c2e228c5992f7fedda50a
                                  • Instruction Fuzzy Hash: 4501F934D05612CBCB109B78DD087AE3E61AF02325F5246A8F421D72F1CBB88E44CBE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 003D8F73: CharNextW.USER32(?,?,003D8840,?,?,?,?,?,003D85C5,?), ref: 003D8F92
                                  • CharNextW.USER32(?,?,?,?,?,?,003D85C5,?), ref: 003D8865
                                  • CharNextW.USER32(00000000,?,?,?,?,?,?,003D85C5,?), ref: 003D8881
                                  • CharNextW.USER32(00000000,?,?,?,?,?,?,003D85C5,?), ref: 003D8894
                                  • CharNextW.USER32(00000000,?,?,?,?,?,?,003D85C5,?), ref: 003D889F
                                  • CharNextW.USER32(?,?,?,?,?,?,?,003D85C5,?), ref: 003D8902
                                  • CharNextW.USER32(?,?,?,?,?,?,003D85C5,?), ref: 003D8924
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CharNext
                                  • String ID:
                                  • API String ID: 3213498283-0
                                  • Opcode ID: 814b41a601206e5ac41f632de4d96d8d9cf5400bdf6f786fb9c3591b080c9e27
                                  • Instruction ID: 50709c9f2d0c9fa1c2c47694ebe6950c3d92529bd9de9d82af418633b7f37ec2
                                  • Opcode Fuzzy Hash: 814b41a601206e5ac41f632de4d96d8d9cf5400bdf6f786fb9c3591b080c9e27
                                  • Instruction Fuzzy Hash: 0741D136A103079BC721AF24E89453AB7E6FF58300B95082BE582C7355EF70AC50D7A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0041C36C
                                  • CreateProcessW.KERNEL32 ref: 0041C3E5
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041C40D
                                  • GetExitCodeProcess.KERNEL32 ref: 0041C419
                                  • CloseHandle.KERNEL32(?), ref: 0041C422
                                  • GetLastError.KERNEL32 ref: 0041C3F6
                                    • Part of subcall function 00424591: LoadLibraryW.KERNEL32(kernel32.dll,?,?,0041C43A), ref: 004245A7
                                    • Part of subcall function 00424591: GetProcAddress.KERNEL32(76EB0000,Wow64DisableWow64FsRedirection), ref: 004245CE
                                    • Part of subcall function 00424591: GetProcAddress.KERNEL32(Wow64RevertWow64FsRedirection), ref: 004245E0
                                    • Part of subcall function 00424591: GetProcAddress.KERNEL32(IsWow64Process), ref: 004245F2
                                    • Part of subcall function 00424591: GetCurrentProcess.KERNEL32(00000000,?,00000000,?,?,0041C43A), ref: 00424603
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: AddressProcProcess$CloseCodeCreateCurrentErrorExitH_prolog3HandleLastLibraryLoadObjectSingleWait
                                  • String ID:
                                  • API String ID: 2936064723-0
                                  • Opcode ID: 781c083620aa8035a3ffb7eb1956aaa7997f485aa9055a4ef11273f6a4f6c2e2
                                  • Instruction ID: 137a3fef057989d4fc2c4862751fa66b8b1f1fd7b7e26aff8444e99189a27272
                                  • Opcode Fuzzy Hash: 781c083620aa8035a3ffb7eb1956aaa7997f485aa9055a4ef11273f6a4f6c2e2
                                  • Instruction Fuzzy Hash: 4D316171904209AFDB11DFB4CC49AEEBBB8EF48314F14452AE951E7250D7388984DB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 004267C4
                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000008,004146F4,?,00000000,36685827,00000000,?), ref: 004267E8
                                  • CreateThread.KERNEL32 ref: 0042680E
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,?,00000008,004146F4,?,00000000,36685827,00000000,?), ref: 00426831
                                  • GetExitCodeThread.KERNEL32(00000000,?,?,00000000,?,00000008,004146F4,?,00000000,36685827,00000000,?), ref: 0042683C
                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,00000008,004146F4,?,00000000,36685827,00000000,?), ref: 0042685B
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CreateThread$CloseCodeEventExitH_prolog3HandleObjectSingleWait
                                  • String ID:
                                  • API String ID: 1807503770-0
                                  • Opcode ID: d27b07f18a832f1904b1a6f312b5d81f41e392fd237bf83a07cc404a95bd9db5
                                  • Instruction ID: 020ad6b4193f1c9a1e771a8c636a9ea2e3abcfb2f77e403c5ec54bb7e48bead5
                                  • Opcode Fuzzy Hash: d27b07f18a832f1904b1a6f312b5d81f41e392fd237bf83a07cc404a95bd9db5
                                  • Instruction Fuzzy Hash: 291106B2504626AFC7219F64DC4496FBF78FF44714B11862AF85197390CB349E00CBE8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLastError.KERNEL32(?,00000010,00461A6F,00000010,?,?,004613F8,?,?,00000010,00000002), ref: 0046E58E
                                  • _free.LIBCMT ref: 0046E5C1
                                  • _free.LIBCMT ref: 0046E5E9
                                  • SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E5F6
                                  • SetLastError.KERNEL32(00000000,?,00000010,00000002), ref: 0046E602
                                  • _abort.LIBCMT ref: 0046E608
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  • Opcode ID: 9acdd1670978d2840a3fc22116ed84d9c3384d531c24a758e6b0aca301212d5b
                                  • Instruction ID: a304335cafd0bfb9402c75adeef03baf36d12ba69a974febd738e2a86b86fd2b
                                  • Opcode Fuzzy Hash: 9acdd1670978d2840a3fc22116ed84d9c3384d531c24a758e6b0aca301212d5b
                                  • Instruction Fuzzy Hash: A4F0F93914861076C61137676D49A6B19D5DBC276DB21002BF52992292FF2D8D01815F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ___std_exception_copy_strlen
                                  • String ID: u>$pm>$n>
                                  • API String ID: 1616525300-4218023856
                                  • Opcode ID: 23fa354e9f5f7101938096ae24187b9869f700ad68e4afbea7e06181a5f55423
                                  • Instruction ID: 194b81f1aa1b3eb8c4a7f1df506955be9e1816b7d3bae3d302b521faef38b783
                                  • Opcode Fuzzy Hash: 23fa354e9f5f7101938096ae24187b9869f700ad68e4afbea7e06181a5f55423
                                  • Instruction Fuzzy Hash: 9B91F271D102989FDB05CFA9C881B9EBBB9EF15314F20832EE424AB2C1D7759A44CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ___std_exception_copy_strlen
                                  • String ID: u>$pm>$n>
                                  • API String ID: 1616525300-4218023856
                                  • Opcode ID: cfdb3f0b94f860a062cbd579bd65ba13eb223c7b65003b12d271b7e69a7e4690
                                  • Instruction ID: 24c003d042596b142acb2e642808efb8b38eef84639d2a0d47f8f7dfe52404ab
                                  • Opcode Fuzzy Hash: cfdb3f0b94f860a062cbd579bd65ba13eb223c7b65003b12d271b7e69a7e4690
                                  • Instruction Fuzzy Hash: 3891E0B1A00248DFDB05CFA9C881B9EBBF5EF55314F20822EE4159B3C1D779AA44CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 004546C8
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  • _wcslen.LIBCMT ref: 00454851
                                  • _wcslen.LIBCMT ref: 004548E5
                                    • Part of subcall function 00384906: __EH_prolog3_catch.LIBCMT ref: 0038490D
                                  • _wcslen.LIBCMT ref: 0045497C
                                  Strings
                                  Similarity
                                  • API ID: _wcslen$H_prolog3_H_prolog3_catch
                                  • String ID: =""
                                  • API String ID: 1843281786-2703271957
                                  • Opcode ID: 1df31c6b2ee198c307a538f33b8059923e4914a488df3b1b62da46ff273aaa73
                                  • Instruction ID: 89f12b89f6fb3cc0d2a93dfa769caea4c91c5824571b19a7a879e35197b3a9b6
                                  • Opcode Fuzzy Hash: 1df31c6b2ee198c307a538f33b8059923e4914a488df3b1b62da46ff273aaa73
                                  • Instruction Fuzzy Hash: 0BA1BD71C04248DEDF15EFA4C981BEEB7B4AF15304F2081ADE416AB192EB746F49CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,36685827,?,?,00000000), ref: 004005F9
                                  • _wcslen.LIBCMT ref: 004006CA
                                  • LocalFree.KERNEL32(00000000,?,?,?,00000000), ref: 00400803
                                    • Part of subcall function 00400A50: _wcslen.LIBCMT ref: 00400A8B
                                    • Part of subcall function 003DC0B0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 003DC183
                                  • LocalFree.KERNEL32(00000002,36685827,?,00000000,Function_001022B0,000000FF,?,00000000), ref: 0040085D
                                  Strings
                                  • Failed to get Windows error message [win32 error 0x, xrefs: 00400619
                                  Similarity
                                  • API ID: FreeLocal_wcslen$FormatIos_base_dtorMessagestd::ios_base::_
                                  • String ID: Failed to get Windows error message [win32 error 0x
                                  • API String ID: 1162592797-3373098694
                                  • Opcode ID: 0b6f6637a84efd6a0ede2b5075ab6e59fa789435fa32b5936e19c27937ccc5a8
                                  • Instruction ID: bab90a8fe8646018de41b470e88b412b6b16f35cae50492019e4862b908b29cb
                                  • Opcode Fuzzy Hash: 0b6f6637a84efd6a0ede2b5075ab6e59fa789435fa32b5936e19c27937ccc5a8
                                  • Instruction Fuzzy Hash: 43818071A00205DBDB14DF64DC45BAEB7E8FF05314F20467AE426E72D1E778AA04CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0043A2B8
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  • GetCurrentThreadId.KERNEL32 ref: 0043A312
                                  Strings
                                  Similarity
                                  • API ID: CurrentH_prolog3_Thread_wcslen
                                  • String ID: ErrorDlg$ErrorMsgTitle$ProductName
                                  • API String ID: 4091872715-2238413694
                                  • Opcode ID: 446a0732e6bac4861dcb059ed4a80f492041dc7d38a75b9c772f515fdc1ae4cb
                                  • Instruction ID: ff77d79d2461fbcbe449848da71e380dc58e9e202854a3e040d174f19149144f
                                  • Opcode Fuzzy Hash: 446a0732e6bac4861dcb059ed4a80f492041dc7d38a75b9c772f515fdc1ae4cb
                                  • Instruction Fuzzy Hash: 2E816D30904348DFCB15EFA8C895BDEBBB4BF18304F54849DE486AB251DB74AE49CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00440E6F
                                    • Part of subcall function 00440D39: __EH_prolog3.LIBCMT ref: 00440D40
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  • _wcslen.LIBCMT ref: 00440EFD
                                  Strings
                                  Similarity
                                  • API ID: _wcslen$H_prolog3H_prolog3_
                                  • String ID: Intel$Intel64$x64
                                  • API String ID: 4184234421-2803704216
                                  • Opcode ID: a848f673f4fe45a7de6df180f93f3260eb47b8aa73d363dd19a91d22445b8ae3
                                  • Instruction ID: 28d2d72eb3f1be83ce8f62d94c0a2d6dd582c8e8a94eae440d69d80bc2e27df8
                                  • Opcode Fuzzy Hash: a848f673f4fe45a7de6df180f93f3260eb47b8aa73d363dd19a91d22445b8ae3
                                  • Instruction Fuzzy Hash: DC419031908248DADF25EBE8C996BFDB774AF10304F2445AEE1016B182DF785A09DB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DeleteFileW.KERNEL32(?,36685827,?,?), ref: 003EECFB
                                  • DeleteFileW.KERNEL32(?,?,?,36685827,?,?), ref: 003EEDBE
                                  • HeapFree.KERNEL32(?,00000000,?,?,36685827,?,?), ref: 003EEDF5
                                  • FindNextFileW.KERNEL32(?,?,?,36685827,?,?), ref: 003EEE0C
                                  Strings
                                  Similarity
                                  • API ID: File$Delete$FindFreeHeapNext
                                  • String ID: .
                                  • API String ID: 1001264507-248832578
                                  • Opcode ID: 36849d7d9da5a55f258a8bc96cffd0cd2361c7835ecae07db7bf6d324fbb863c
                                  • Instruction ID: f0c5253b7d28a669a408d9e78a646aab8c0c09e33011d7d34e16e093b0d2cb49
                                  • Opcode Fuzzy Hash: 36849d7d9da5a55f258a8bc96cffd0cd2361c7835ecae07db7bf6d324fbb863c
                                  • Instruction Fuzzy Hash: 0D41F3719041A48FDB32DB2ACC447AAB7B5FF44324F1543AED919A32D0DB70AE81CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: DeleteEventH_prolog3MouseTrackWindow
                                  • String ID: ]qE
                                  • API String ID: 944552809-2880936281
                                  • Opcode ID: a72ab5fecef97e5d637c72489978d4b617521d006074b94ca05d6523a46cba95
                                  • Instruction ID: 1d65d77573c79a529a8ace5fa1b52d40acbb8c5ceb32c649d599a4472cf060f2
                                  • Opcode Fuzzy Hash: a72ab5fecef97e5d637c72489978d4b617521d006074b94ca05d6523a46cba95
                                  • Instruction Fuzzy Hash: 6131CE31900215AFDB11DF68C849BAEB7F4FF49315F02802CE942AB260C7B5AC05CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00416698
                                  • GetSystemDefaultLangID.KERNEL32(0000000C,004085B4,?), ref: 004166AE
                                  • _wcslen.LIBCMT ref: 004166E8
                                  • _wcslen.LIBCMT ref: 00416701
                                    • Part of subcall function 0038D133: __EH_prolog3.LIBCMT ref: 0038D13A
                                    • Part of subcall function 00386F8C: __EH_prolog3.LIBCMT ref: 00386F93
                                    • Part of subcall function 003B8EC1: _wcsstr.LIBVCRUNTIME ref: 003B8EDB
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3$_wcslen$DefaultLangSystem_wcsstr
                                  • String ID: SystemDefault LangID=
                                  • API String ID: 974931737-707804017
                                  • Opcode ID: 283078d6c94044427220c3f2e665dd14bec8137ce1351997f5527a9fb07c9f7b
                                  • Instruction ID: bc77d840f489aeeb4a4e2690ac86d156a7551b5e2ded72e64b1583d5f6fa559c
                                  • Opcode Fuzzy Hash: 283078d6c94044427220c3f2e665dd14bec8137ce1351997f5527a9fb07c9f7b
                                  • Instruction Fuzzy Hash: AF31F8709002259BCB15FBA4CC46AFF7774AF40314F51059EE4216B2C2DB7C9E45D769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _wcslen$H_prolog3_
                                  • String ID: AI_CF_
                                  • API String ID: 2000020936-2623589081
                                  • Opcode ID: 45634b796bcdabe82576ffc0ea1c5cbd0466852be03c4a05414d881a170ef828
                                  • Instruction ID: 1b7948999e3cf980b863cf09255557068b0b56886fa137dea3f8738249b29245
                                  • Opcode Fuzzy Hash: 45634b796bcdabe82576ffc0ea1c5cbd0466852be03c4a05414d881a170ef828
                                  • Instruction Fuzzy Hash: 28318171800608EFDB16EFA8C985BDEBB74FF54308F24845EF0026B591DBB46A49CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003D42D7
                                  • SendMessageW.USER32(00000000,0000120C,?,00000004), ref: 003D4337
                                  • SendMessageW.USER32(00000000,0000120C,?,00000024), ref: 003D438E
                                  • SendMessageW.USER32(00000000,00001051,?,003D43B8), ref: 003D439F
                                  Strings
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID: $
                                  • API String ID: 3850602802-3993045852
                                  • Opcode ID: 3dbaf47038554354683c81be34e15a4aa3232c2cffe956e1d067cbd33c335799
                                  • Instruction ID: 57b4414259d9403cd1ed3b04078e0d2654341b34a6e7cfe95b7c15a01fd01214
                                  • Opcode Fuzzy Hash: 3dbaf47038554354683c81be34e15a4aa3232c2cffe956e1d067cbd33c335799
                                  • Instruction Fuzzy Hash: 26319A76204300ABD701CF19DD80A6BB7E4FF88705F100A2EF9499B290D775E924CF46
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003B207A
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3__wcslen
                                  • String ID: AI_FRAME_NO_CAPTION_$Dialog$`Dialog` = '$`_K
                                  • API String ID: 3251556500-3064914355
                                  • Opcode ID: 25fba82141d0c9e55d3b88fb14bb151e1ca3a114b04b1adc8c470e99d68bcb43
                                  • Instruction ID: 229b63603fd387532b8914d8463cbac6a5658394d5266b73038cfed198b428af
                                  • Opcode Fuzzy Hash: 25fba82141d0c9e55d3b88fb14bb151e1ca3a114b04b1adc8c470e99d68bcb43
                                  • Instruction Fuzzy Hash: 7E319031900248DFCB06EFE8C585BDDFBB1AF59304F24C499E0116F1A2DB74AA09CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0041C140
                                    • Part of subcall function 003870E1: __EH_prolog3.LIBCMT ref: 00387141
                                  • _wcsrchr.LIBVCRUNTIME ref: 0041C15F
                                    • Part of subcall function 00386E54: __EH_prolog3.LIBCMT ref: 00386E5B
                                  • RegCloseKey.ADVAPI32(00000000,?,00000010,00415511,Software\Caphyon\Setups,?,00000000,?,?,00000000,00487489,000000FF,?,003D6109), ref: 0041C1E9
                                  • RegCloseKey.ADVAPI32(00000000,?,00000010,00415511,Software\Caphyon\Setups,?,00000000,?,?,00000000,00487489,000000FF,?,003D6109), ref: 0041C210
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3$Close$_wcsrchr
                                  • String ID: I?
                                  • API String ID: 870597054-1355892355
                                  • Opcode ID: 3b759a5bb90a115d05ec1fbbf1747a25898bad2b6aa4175f765efe33bc7799c5
                                  • Instruction ID: fd59327e832e1c09d2a0ccb96f31f4d33853f9ab6d3608c636d96a10cf88200a
                                  • Opcode Fuzzy Hash: 3b759a5bb90a115d05ec1fbbf1747a25898bad2b6aa4175f765efe33bc7799c5
                                  • Instruction Fuzzy Hash: 1F315A31C0025ADFDB05EBE4CD8ABFFBBB0AF00315F10409AE51176292CB781A48DBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003BA395
                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 003BA42F
                                  • __Init_thread_footer.LIBCMT ref: 003BA444
                                  Strings
                                  Similarity
                                  • API ID: AddressH_prolog3Init_thread_footerProc
                                  • String ID: IsThemeActive$p)P
                                  • API String ID: 1846668073-3338008196
                                  • Opcode ID: 67e8b068113418a641f1a9d0fe9def806e14d9a06d506a457e65b5e1836d7286
                                  • Instruction ID: 89869c70cbf5e06adb0c6b9357fca5dfb3c106ce967e9094da6be1433e9126a0
                                  • Opcode Fuzzy Hash: 67e8b068113418a641f1a9d0fe9def806e14d9a06d506a457e65b5e1836d7286
                                  • Instruction Fuzzy Hash: DD112734505F00DBCB15EB39991939C33E4EF21328F24826AF759D3BE2CB344945AA26
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00446EE4
                                    • Part of subcall function 0044241D: __EH_prolog3.LIBCMT ref: 00442424
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                    • Part of subcall function 0043B1AE: __EH_prolog3_GS.LIBCMT ref: 0043B1B5
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3_$H_prolog3_wcslen
                                  • String ID: 04D$ALL$InstallUISequence$REMOVE
                                  • API String ID: 428691021-1415926814
                                  • Opcode ID: c8201e035a72c5db0dda98ed7e7773607b5ebcbf3d028328e7bb0a45a5738852
                                  • Instruction ID: f1391b4dd419c7624d350d25fb903edf2cf099cde1c73ea7871357b68f4161cd
                                  • Opcode Fuzzy Hash: c8201e035a72c5db0dda98ed7e7773607b5ebcbf3d028328e7bb0a45a5738852
                                  • Instruction Fuzzy Hash: 86219A74805748DACB05EFA4C845BDEBBB0EF18304F24845EE046BB391DB746A49CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID: Absent$Advertise$Local$Network
                                  • API String ID: 431132790-2783015521
                                  • Opcode ID: fc0a6169b14e67f7a39b7f6127bc6a490cc286e42cb5dfeac70227920707837e
                                  • Instruction ID: 7eb6cb9934da40e0c72295f520f3663b4978779a74fad7991c47001b7953aef9
                                  • Opcode Fuzzy Hash: fc0a6169b14e67f7a39b7f6127bc6a490cc286e42cb5dfeac70227920707837e
                                  • Instruction Fuzzy Hash: 5B01DF74608244EACB16EF58C843FACB6A4FF84700B214A0FF815DB6B1C7B48D44C796
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 69c5f8710b3c58d7d4f3ea9a48cff16318ded0d73702ecf1218507ecc0be62d2
                                  • Instruction ID: f0c6b75948d897f34bf8371e2fc7f49da92cb958e8445ca191d32785b3db1620
                                  • Opcode Fuzzy Hash: 69c5f8710b3c58d7d4f3ea9a48cff16318ded0d73702ecf1218507ecc0be62d2
                                  • Instruction Fuzzy Hash: A171D231901216CFDB31CB99C844AFFBBB5EF81364F14862BE46857290D7789D41CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0042A23B
                                  • IsWindowVisible.USER32(00000000), ref: 0042A282
                                  • SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 0042A298
                                  • SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 0042A428
                                  • RedrawWindow.USER32(00000000,00000000,00000000,00000185,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042A439
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$MessageSend$LongRedrawVisible
                                  • String ID:
                                  • API String ID: 554559110-0
                                  • Opcode ID: 9a36b076e00395efafcc823b573ad78819c9718c1f8d517bba0808f29f1ad4f7
                                  • Instruction ID: 62dbf0b93fedd0c0db7078872bab891e5e2fafd73a64a148a6f2f4d61369dbfc
                                  • Opcode Fuzzy Hash: 9a36b076e00395efafcc823b573ad78819c9718c1f8d517bba0808f29f1ad4f7
                                  • Instruction Fuzzy Hash: CD61B131704310AFD714DF15D885A2BB7E6EF84314F44496EFC85AB292C674EC24CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen$_wcsstr
                                  • String ID:
                                  • API String ID: 559806763-0
                                  • Opcode ID: 5c2e14f032869423a2795d9c345b2aa48a403b749d509c88cee4ebca693576f3
                                  • Instruction ID: 286971fe7bd28826b894a1dd7690f3bef487eb60b029a3519c8b21aff0d4ffac
                                  • Opcode Fuzzy Hash: 5c2e14f032869423a2795d9c345b2aa48a403b749d509c88cee4ebca693576f3
                                  • Instruction Fuzzy Hash: 2051C431604710AFD71AEB24C852B9B73E4FF89318F01055EFA859B682DB78ED04CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003D08BD
                                  • GetClientRect.USER32(?,?), ref: 003D08DC
                                    • Part of subcall function 0038D32D: __EH_prolog3.LIBCMT ref: 0038D334
                                    • Part of subcall function 00390CB2: GetWindowTextLengthW.USER32(00000001), ref: 00390CB8
                                    • Part of subcall function 00390CB2: GetWindowTextW.USER32(00000001,00000000,00000001), ref: 00390CCF
                                  • IsWindowEnabled.USER32(?), ref: 003D0904
                                  • GetFocus.USER32 ref: 003D0913
                                  • GetDC.USER32(00000001), ref: 003D0941
                                    • Part of subcall function 003F6E70: SelectObject.GDI32(36685827,?), ref: 003F6ED3
                                    • Part of subcall function 003F6E70: SetTextColor.GDI32(?,?), ref: 003F6F1F
                                    • Part of subcall function 003F6E70: SelectObject.GDI32(?,?), ref: 003F6F49
                                    • Part of subcall function 003880D1: CallWindowProcW.USER32(?,?,?,?,?), ref: 003880E9
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$Text$ObjectSelect$CallClientColorEnabledFocusH_prolog3H_prolog3_LengthProcRect
                                  • String ID:
                                  • API String ID: 3077139154-0
                                  • Opcode ID: aac1ec18347233e60b9876d36b4c9fde59aca00a159a00a5e546d19c5da00e03
                                  • Instruction ID: e9ca7e603b5af2ba2edd7a20d8e0cd8818e387de2a429b53ef605d50df8549e4
                                  • Opcode Fuzzy Hash: aac1ec18347233e60b9876d36b4c9fde59aca00a159a00a5e546d19c5da00e03
                                  • Instruction Fuzzy Hash: 9B217A72900209DFDF16EFA0D9559EDB7B9FF08300F10416AE541B7262DB32AD54CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003AC92D
                                  • GetWindowDC.USER32(?,00000000,003AC304,?,?,?,?,0000001C,003A6D28,?,?,?,?,?,?,?), ref: 003AC947
                                  • GetWindowDC.USER32(?,00000000,003AC304,?,?,?,?,0000001C,003A6D28,?,?,?,?,?,?,?), ref: 003AC97D
                                  • SendMessageW.USER32(?,00000112,0000F060,00000000), ref: 003AC9AA
                                  • DeleteDC.GDI32(00000014), ref: 003AC9BF
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$DeleteH_prolog3MessageSend
                                  • String ID:
                                  • API String ID: 3203586259-0
                                  • Opcode ID: 24c5703e2796ca0fc566008f17e25d47a1614c515c29f495dd26915692774077
                                  • Instruction ID: 88a3dad6186c2a296d1e30720a030ff97c84401be4ba5fcf2f4995a2ab73c575
                                  • Opcode Fuzzy Hash: 24c5703e2796ca0fc566008f17e25d47a1614c515c29f495dd26915692774077
                                  • Instruction Fuzzy Hash: 2B216A32A00205EBEB219F66C84AFAA7BB5EF85711F108429FA159F191CBB5CD10DB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,36685827), ref: 003F6BFD
                                  • GetLastError.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 003F6C1B
                                  • GetFileTime.KERNEL32(00000000,00000000,00000000,?,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 003F6C2D
                                  • GetLastError.KERNEL32(?,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 003F6C37
                                  • CloseHandle.KERNEL32(00000000,?,?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 003F6C56
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorFileLast$CloseCreateHandleTime
                                  • String ID:
                                  • API String ID: 1269242970-0
                                  • Opcode ID: bab1807d6445d12b8fe996d33c696388d2657c8ade0ea1b5dfdbb2b88d0a84f4
                                  • Instruction ID: 82ef04eae475a626b4c215ed9042742979efbef7e8a66eb75c6a93b69e4f5fbb
                                  • Opcode Fuzzy Hash: bab1807d6445d12b8fe996d33c696388d2657c8ade0ea1b5dfdbb2b88d0a84f4
                                  • Instruction Fuzzy Hash: C4110D31944614ABD7318F65DD05BADBBB8FB46B25F200726F955B73D0C7705A0087A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetLastError.KERNEL32(00000000,?,00000000,00460D89,0046F7C8,?,0046379C,00000000,00000004,004FF2F0,00000000,004FF2EC,?,0046DC89,00000000,004FF2F0), ref: 0046E613
                                  • _free.LIBCMT ref: 0046E648
                                  • _free.LIBCMT ref: 0046E66F
                                  • SetLastError.KERNEL32(00000000,?,00000000,004FF2CC,?,?,?), ref: 0046E67C
                                  • SetLastError.KERNEL32(00000000,?,00000000,004FF2CC,?,?,?), ref: 0046E685
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  • API String ID: 3170660625-0
                                  • Opcode ID: 49cf098b41d52a282350e72cec32f107dc2c8aadd605a4a28a7f334d51795dd7
                                  • Instruction ID: 0d29e1ecdc2efd92fae768f8584d2d9e1961b62e9a6c56182333b63119cfa427
                                  • Opcode Fuzzy Hash: 49cf098b41d52a282350e72cec32f107dc2c8aadd605a4a28a7f334d51795dd7
                                  • Instruction Fuzzy Hash: 3901F93A2856006793122777EC89D2B16DDEBE2369761012BF528A3392FF6C8D03416F
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003A8CAA
                                  • SetBkMode.GDI32(?,00000001), ref: 003A8CC8
                                    • Part of subcall function 003D52E5: __EH_prolog3.LIBCMT ref: 003D52EC
                                  • GetSysColor.USER32(00000011), ref: 003A8CEB
                                  • SetTextColor.GDI32(?,00000000), ref: 003A8D05
                                  • GetSysColorBrush.USER32(0000000F), ref: 003A8D18
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Color$H_prolog3$BrushModeText
                                  • String ID:
                                  • API String ID: 1308927871-0
                                  • Opcode ID: 433eadc01438288f58fcfd1fb6c3cea0e1283aa9cb6890b1531863241d4ccde8
                                  • Instruction ID: 290b8f9dc3aa233e5f77769843c9fc1b7c632f136196bf5634f5a48879173c9b
                                  • Opcode Fuzzy Hash: 433eadc01438288f58fcfd1fb6c3cea0e1283aa9cb6890b1531863241d4ccde8
                                  • Instruction Fuzzy Hash: 8711AD30600605EBDF16AF60D809BAC7B22FF19751F148068F9525F2E2CF728D05DBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00390A9A
                                  • CreateCompatibleDC.GDI32(00000001), ref: 00390ACA
                                  • CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 00390AE2
                                  • SelectObject.GDI32(?,00000000), ref: 00390AEE
                                  • SetViewportOrgEx.GDI32(?,00000000,?,00000000), ref: 00390B06
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CompatibleCreate$BitmapH_prolog3ObjectSelectViewport
                                  • String ID:
                                  • API String ID: 201749095-0
                                  • Opcode ID: 5b23f23cc5dfd5a1b2ddeeeed2692ea20f3fce0d9a3f36fe726306e58864ff1a
                                  • Instruction ID: 09f339945b29afc6fc6767e7f92749ba1738be68df693e1571097a2f928bb7ae
                                  • Opcode Fuzzy Hash: 5b23f23cc5dfd5a1b2ddeeeed2692ea20f3fce0d9a3f36fe726306e58864ff1a
                                  • Instruction Fuzzy Hash: 5D112E74900A04DFD725DF69C944A2ABBF2FF48310B10C66DE89ACB365D772A901CF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _free.LIBCMT ref: 00472462
                                    • Part of subcall function 0046E727: RtlFreeHeap.NTDLL(00000000,00000000,?,004726FD,?,00000000,?,00000000,?,004729A1,?,00000007,?,?,00472EE2,?), ref: 0046E73D
                                    • Part of subcall function 0046E727: GetLastError.KERNEL32(?,?,004726FD,?,00000000,?,00000000,?,004729A1,?,00000007,?,?,00472EE2,?,?), ref: 0046E74F
                                  • _free.LIBCMT ref: 00472474
                                  • _free.LIBCMT ref: 00472486
                                  • _free.LIBCMT ref: 00472498
                                  • _free.LIBCMT ref: 004724AA
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 5f50410ac7791099505e0f5c1a1734ef5095fa8b7b5df1da64bd6f85ab087248
                                  • Instruction ID: 50da226264979956b50154eed5b513e682c77047f38b4858eb10169a6faae6d4
                                  • Opcode Fuzzy Hash: 5f50410ac7791099505e0f5c1a1734ef5095fa8b7b5df1da64bd6f85ab087248
                                  • Instruction Fuzzy Hash: 56F04F32504244AF8620EB5AEBC6C5773DDEA00356764D80BF059D7642DB7CFC908A6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003B894A
                                    • Part of subcall function 0039FAC6: __EH_prolog3.LIBCMT ref: 0039FACD
                                    • Part of subcall function 0039FAC6: _wcslen.LIBCMT ref: 0039FB00
                                    • Part of subcall function 0039FAC6: _wcslen.LIBCMT ref: 0039FB1B
                                    • Part of subcall function 003B9159: __EH_prolog3_catch.LIBCMT ref: 003B9160
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen$H_prolog3H_prolog3_H_prolog3_catch
                                  • String ID: Exact$MaxOnly$MinOnly
                                  • API String ID: 2825538272-799421204
                                  • Opcode ID: 6693a5fcc6c8afaa958b1778be58aa668838fa4e8963cf29be2527f1cd5f375b
                                  • Instruction ID: 88bc47ff451b87dd7d17b8a3ae33531146a15967dd5259fbaa84dc8b66b5d674
                                  • Opcode Fuzzy Hash: 6693a5fcc6c8afaa958b1778be58aa668838fa4e8963cf29be2527f1cd5f375b
                                  • Instruction Fuzzy Hash: 71712B71804348DECB15EFA4C985BCDFBB4BF18304F54819EE14AAB292EB701A49CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0041A3C4
                                    • Part of subcall function 003870E1: __EH_prolog3.LIBCMT ref: 00387141
                                  • _wcsrchr.LIBVCRUNTIME ref: 0041A3E7
                                    • Part of subcall function 0038CE6D: __EH_prolog3.LIBCMT ref: 0038CE74
                                    • Part of subcall function 00386E54: __EH_prolog3.LIBCMT ref: 00386E5B
                                    • Part of subcall function 0041A71A: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002), ref: 0041A73C
                                    • Part of subcall function 0041A71A: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041A76E
                                    • Part of subcall function 0038D133: __EH_prolog3.LIBCMT ref: 0038D13A
                                  • RegCloseKey.ADVAPI32(00000000,?,00000001,?,?,00000014,00419CD4,00000000,00000000,00000000,?,00000001), ref: 0041A4F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3$QueryValue$Close_wcsrchr
                                  • String ID: I?
                                  • API String ID: 953250206-1355892355
                                  • Opcode ID: a0a25710349aeb9e383811cc41a17db87f8c4ba599522f3b69e0937888667d0c
                                  • Instruction ID: 9c0fba90b7d500650dfb3b640d986a38d27073b71c31d8245aeffc90a7032634
                                  • Opcode Fuzzy Hash: a0a25710349aeb9e383811cc41a17db87f8c4ba599522f3b69e0937888667d0c
                                  • Instruction Fuzzy Hash: 0C41F731805349DACF06EFA4C9497FE77B0AF00314F10805EE8216B2C2DBBC5A59DB56
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00390A93: __EH_prolog3.LIBCMT ref: 00390A9A
                                    • Part of subcall function 00390A93: CreateCompatibleDC.GDI32(00000001), ref: 00390ACA
                                    • Part of subcall function 00390A93: CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 00390AE2
                                    • Part of subcall function 00390A93: SelectObject.GDI32(?,00000000), ref: 00390AEE
                                    • Part of subcall function 00390A93: SetViewportOrgEx.GDI32(?,00000000,?,00000000), ref: 00390B06
                                  • SelectObject.GDI32(36685827,?), ref: 003F6ED3
                                  • SetTextColor.GDI32(?,?), ref: 003F6F1F
                                  • SelectObject.GDI32(?,?), ref: 003F6F49
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Similarity
                                  • API ID: ObjectSelect$CompatibleCreate$BitmapColorH_prolog3TextViewport
                                  • String ID: OpE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00436D8F
                                    • Part of subcall function 00395BC3: _wcslen.LIBCMT ref: 00395BEB
                                    • Part of subcall function 004477DF: __EH_prolog3_GS.LIBCMT ref: 004477E9
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3H_prolog3__wcslen
                                  • String ID: AiGlobalProgress$AiInstallDataLog$AiInstallTextLog
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 0043EEBE
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3__wcslen
                                  • String ID: ftp://$http://$https://
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0041AE8B
                                  • _wcsrchr.LIBVCRUNTIME ref: 0041AE97
                                    • Part of subcall function 00386F8C: __EH_prolog3.LIBCMT ref: 00386F93
                                    • Part of subcall function 0041AC3A: __EH_prolog3.LIBCMT ref: 0041AC41
                                    • Part of subcall function 0041AC3A: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,00000000,?,00000001,0000005C,00000000,0000000C,0041A43F,?,?,00000014,00419CD4,00000000), ref: 0041AC9E
                                    • Part of subcall function 00386E54: __EH_prolog3.LIBCMT ref: 00386E5B
                                    • Part of subcall function 0041BDED: __EH_prolog3.LIBCMT ref: 0041BDF4
                                    • Part of subcall function 0041BDED: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,000000C8,000000C8,00000014,0041BDCC,?,?,00000001), ref: 0041BE46
                                    • Part of subcall function 0038D133: __EH_prolog3.LIBCMT ref: 0038D13A
                                  • RegCloseKey.ADVAPI32(?,00000000,00000001,?,00000000,00000000,00000010,00419D50,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041AF24
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3$CloseOpenQueryValue_wcsrchr
                                  • String ID: I?
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00436CB2
                                    • Part of subcall function 00436E74: __EH_prolog3_GS.LIBCMT ref: 00436E7B
                                    • Part of subcall function 0042ED81: __EH_prolog3.LIBCMT ref: 0042ED88
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3_$H_prolog3
                                  • String ID: 0$ProductCode$ProductID
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0040C1ED
                                    • Part of subcall function 0040C0FE: __EH_prolog3.LIBCMT ref: 0040C105
                                  Strings
                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0040C208
                                  • InstalledLanguage, xrefs: 0040C233, 0040C255
                                  • Software\Caphyon\Advanced Installer\, xrefs: 0040C1F4
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID: InstalledLanguage$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetParent.USER32(?), ref: 0038A4F2
                                  • ScreenToClient.USER32(00000000,?), ref: 0038A509
                                  • ScreenToClient.USER32(00000000,?), ref: 0038A514
                                  Strings
                                  Similarity
                                  • API ID: ClientScreen$Parent
                                  • String ID: EnE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,003D80D8,00000000,003EFE5F,003EFE5F,00000000,?,?,0038DE0A,00000000,?), ref: 003D804B
                                  • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 003D805B
                                  Strings
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 003E6E22
                                  Strings
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: u>$pm>$n>
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003B24F9
                                    • Part of subcall function 00399E8F: __EH_prolog3.LIBCMT ref: 00399E96
                                    • Part of subcall function 00399E8F: _wcslen.LIBCMT ref: 00399EC4
                                    • Part of subcall function 00399E8F: _wcslen.LIBCMT ref: 00399EDB
                                    • Part of subcall function 0039FA80: __EH_prolog3.LIBCMT ref: 0039FA87
                                    • Part of subcall function 0039FA80: _wcslen.LIBCMT ref: 0039FA9A
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  Similarity
                                  • API ID: _wcslen$H_prolog3$H_prolog3_
                                  • String ID: ListBox$PUK$`Property` = '
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003BA313
                                  • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 003BA376
                                  • __Init_thread_footer.LIBCMT ref: 003BA386
                                  Strings
                                  Similarity
                                  • API ID: AddressH_prolog3Init_thread_footerProc
                                  • String ID: DrawThemeText
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,36685827,?,004962AE,000000FF,?), ref: 00400E44
                                  • GetProcAddress.KERNEL32(00000000), ref: 00400E4B
                                  Strings
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: Dbghelp.dll$SymFromAddr
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00446CA7
                                    • Part of subcall function 0044241D: __EH_prolog3.LIBCMT ref: 00442424
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3H_prolog3_
                                  • String ID: (mD$04D$AdminUISequence
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003C6D68
                                    • Part of subcall function 003CDF08: __EH_prolog3.LIBCMT ref: 003CDF0F
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID: P&9$s4;$q<
                                  • API String ID: 431132790-566991478
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetParent.USER32(?), ref: 003A4CF6
                                  • GetParent.USER32(?), ref: 003A4D02
                                  • SendMessageW.USER32(?,00000411,00000000,0000002C), ref: 003A4D19
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Parent$MessageSend
                                  • String ID: ,
                                  • API String ID: 2251359880-3772416878
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00398495
                                  • std::_Hash_bytes.LIBCPMT ref: 003984D6
                                  • SendMessageW.USER32(00000000,0000102B,00000000,?), ref: 0039858C
                                  • SendMessageW.USER32(00000001,0000102B,?,?), ref: 003986AB
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSend$H_prolog3Hash_bytesstd::_
                                  • String ID:
                                  • API String ID: 3883825213-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003B21C0
                                  • SystemParametersInfoW.USER32(00000030,00000000,005027BC,00000000), ref: 003B220F
                                  • __Init_thread_footer.LIBCMT ref: 003B237E
                                    • Part of subcall function 0045AFEB: EnterCriticalSection.KERNEL32(004FE6B0,?,?,?,0038D372,004FF2C8,00000000,0038D932,00000004,00427572,?,00000008,004274FF,00000000,00000000), ref: 0045AFF6
                                    • Part of subcall function 0045AFEB: LeaveCriticalSection.KERNEL32(004FE6B0,?,?,?,0038D372,004FF2C8,00000000,0038D932,00000004,00427572,?,00000008,004274FF,00000000,00000000), ref: 0045B033
                                  • __Init_thread_footer.LIBCMT ref: 003B23BC
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CriticalInit_thread_footerSection$EnterH_prolog3InfoLeaveParametersSystem
                                  • String ID:
                                  • API String ID: 3919417012-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: __floor_pentium4
                                  • String ID:
                                  • API String ID: 4168288129-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003A2ECB
                                  • GetDC.USER32(00000000), ref: 003A2F72
                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003A2F84
                                  • DeleteDC.GDI32(00000000), ref: 003A304A
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: CapsDeleteDeviceH_prolog3
                                  • String ID:
                                  • API String ID: 842384874-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,C2E85006,00461C2D,00000000,00000000,00462EBA,0038CF06,00462EBA,?,00000001,00461C2D,C2E85006,00000001,00462EBA,00462EBA), ref: 00472BFD
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00472C86
                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00472C98
                                  • __freea.LIBCMT ref: 00472CA1
                                    • Part of subcall function 0046E6D9: RtlAllocateHeap.NTDLL(00000000,00000000,00000004,?,0046F7AA,?,00000000,?,0046379C,00000000,00000004,004FF2F0,00000000,004FF2EC,?,0046DC89), ref: 0046E70B
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                  • String ID:
                                  • API String ID: 2652629310-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003B6AC8
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  • SendMessageW.USER32(?,00001202,00000000,00000000), ref: 003B6B2B
                                  • SendMessageW.USER32(?,00001200,00000000,00000000), ref: 003B6B3D
                                  • SendMessageW.USER32(?,00001202,00000000,00000000), ref: 003B6B51
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSend$H_prolog3__wcslen
                                  • String ID:
                                  • API String ID: 3738440473-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003BEBA5
                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 003BEBDD
                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 003BEBF5
                                  • PostMessageW.USER32(00000000), ref: 003BECA4
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Message$Send$H_prolog3_Post
                                  • String ID:
                                  • API String ID: 2832366284-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003D071A
                                  • GetWindowDC.USER32(00000000,0000002C,003D05C8), ref: 003D0724
                                  • GetWindowRect.USER32(00000000,0039B7BC), ref: 003D0741
                                    • Part of subcall function 003D07EE: IsWindowEnabled.USER32(00000001), ref: 003D0802
                                    • Part of subcall function 003D07EE: GetFocus.USER32 ref: 003D0810
                                  • DeleteDC.GDI32(?), ref: 003D07E0
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$DeleteEnabledFocusH_prolog3_Rect
                                  • String ID:
                                  • API String ID: 3745549862-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_catch_GS.LIBCMT ref: 0039E566
                                    • Part of subcall function 0039EA0F: __EH_prolog3_GS.LIBCMT ref: 0039EA16
                                  • SendMessageW.USER32(?,00001304,00000000,00000000), ref: 0039E591
                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0039E5A7
                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0039E5EB
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSend$H_prolog3_H_prolog3_catch_
                                  • String ID:
                                  • API String ID: 804459026-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 00390A45
                                  • SelectObject.GDI32(?,?), ref: 00390A50
                                  • DeleteObject.GDI32(?), ref: 00390A63
                                  • DeleteDC.GDI32(00000000), ref: 00390A7F
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: DeleteObject$Select
                                  • String ID:
                                  • API String ID: 207189511-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004FF2F0,00000000,00000000,?,00470008,004FF2F0,00000000,00000000,00000000,?,00470272,00000006,FlsSetValue), ref: 00470093
                                  • GetLastError.KERNEL32(?,00470008,004FF2F0,00000000,00000000,00000000,?,00470272,00000006,FlsSetValue,004AC778,004AC780,00000000,00000364,?,0046E65C), ref: 0047009F
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00470008,004FF2F0,00000000,00000000,00000000,?,00470272,00000006,FlsSetValue,004AC778,004AC780,00000000), ref: 004700AD
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003AC9DE
                                  • GetWindowDC.USER32(?,00000000,003AC2E5,?,?,0000001C,003A6D28,?,?,?,?,?,?,?,?,?), ref: 003AC9F8
                                  • GetWindowDC.USER32(?,00000000,003AC2E5,?,?,0000001C,003A6D28,?,?,?,?,?,?,?,?,?), ref: 003ACA21
                                  • DeleteDC.GDI32(00000000), ref: 003ACA4F
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$DeleteH_prolog3
                                  • String ID:
                                  • API String ID: 3204656323-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetClientRect.USER32(?,?), ref: 0038A767
                                  • BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0038A78E
                                  • DeleteDC.GDI32(?), ref: 0038A795
                                  • ReleaseDC.USER32(?,?), ref: 0038A7A2
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ClientDeleteRectRelease
                                  • String ID:
                                  • API String ID: 2015589292-0
                                  • Opcode ID: 792d1abf08832ac886bcc15c0525fdb64378c3786dfa6c2a2fb3bb2ff52d4c40
                                  • Instruction ID: 9881f263a1454bd879e7b6e4f7ca446a15bc2fad9081033464ee3a01cdbc2634
                                  • Opcode Fuzzy Hash: 792d1abf08832ac886bcc15c0525fdb64378c3786dfa6c2a2fb3bb2ff52d4c40
                                  • Instruction Fuzzy Hash: 4A012932900208EFDB11DFA9CD48FAEBBB9FF48710F104569F902A2250CB70A915DB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID: *** Stack Trace (x86) ***$'Xh6
                                  • API String ID: 176396367-448393192
                                  • Opcode ID: c528ee0131864488df54541c95d4002688af4b7871251f3250f136a27d8e48a3
                                  • Instruction ID: ce29ca5555cb5df78dbc4a5bb97d632e18f61c663ff81cd7d2a0e47965cc3458
                                  • Opcode Fuzzy Hash: c528ee0131864488df54541c95d4002688af4b7871251f3250f136a27d8e48a3
                                  • Instruction Fuzzy Hash: 02F11171D002549FCB15CFA5C884BAEBBB5FF44324F20472EE82A976D1DB34AA44CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _strcspn
                                  • String ID: 'Xh6
                                  • API String ID: 3709121408-479216549
                                  • Opcode ID: 24174f2e130bbace8709ea2f702fd9341847fb9b35f377c6b627950fd740565e
                                  • Instruction ID: 2f8ce1c927e0f7019a366b6a5e89c0cea86cb312ad9ab3f6c0c43c7928946f83
                                  • Opcode Fuzzy Hash: 24174f2e130bbace8709ea2f702fd9341847fb9b35f377c6b627950fd740565e
                                  • Instruction Fuzzy Hash: 7EF17B72A00249DFDF15DFA8D884AEEBBB9FF48304F24412AE805EB351D735A945CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _strlen
                                  • String ID: iostream stream error
                                  • API String ID: 4218353326-3252602735
                                  • Opcode ID: 03dadce5ff7da0aa698f155855e35889e2bfe7213cb0ef9085326c4bf38e5946
                                  • Instruction ID: d9643b6d3d231d603a18efd3e11288211d0e7d8393b18fc0eca57b9eec7f97d0
                                  • Opcode Fuzzy Hash: 03dadce5ff7da0aa698f155855e35889e2bfe7213cb0ef9085326c4bf38e5946
                                  • Instruction Fuzzy Hash: 86915971A002558FCB258F66C8C2B5EB7E8EB54360F20473EF865CB7C2D774A9448795
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00436A14
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                    • Part of subcall function 0042ECFA: __EH_prolog3.LIBCMT ref: 0042ED01
                                    • Part of subcall function 00436150: __EH_prolog3_GS.LIBCMT ref: 0043615A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_$H_prolog3_wcslen
                                  • String ID: ALL$Feature
                                  • API String ID: 428691021-4032536534
                                  • Opcode ID: fd777796d563d8e378f5e56fe10fa396d6ca5171f771bf8ec8757185166c2bfa
                                  • Instruction ID: e9438abb057671886202cbcb213331bb956bd8b34a75e95369193882e24b0693
                                  • Opcode Fuzzy Hash: fd777796d563d8e378f5e56fe10fa396d6ca5171f771bf8ec8757185166c2bfa
                                  • Instruction Fuzzy Hash: 5B817D71D00229EFDF15EFA8C842BDDB7B0AF09310F20819AE45967282DB786E45CF94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003C8CAC
                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003C8CC4
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                    • Part of subcall function 0042ECFA: __EH_prolog3.LIBCMT ref: 0042ED01
                                  Strings
                                  • MsiSelectionTreeSelectedPath, xrefs: 003C8E7E
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3H_prolog3_MessageSend_wcslen
                                  • String ID: MsiSelectionTreeSelectedPath
                                  • API String ID: 2228947392-3962453653
                                  • Opcode ID: 23a51e026d3df25361ef0add00686f35de1f1440cd0081ea0e485d3ffa520416
                                  • Instruction ID: 754a9af45b4c644ece72bbe8f9ce806168a1685a9281607cd4e153ca5c690521
                                  • Opcode Fuzzy Hash: 23a51e026d3df25361ef0add00686f35de1f1440cd0081ea0e485d3ffa520416
                                  • Instruction Fuzzy Hash: 0581AD30A01304DFDB15EB68C94ABADBBB5BF45315F2042DDE046AB292CB745F49CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_
                                  • String ID: MsiRMFilesInUse${&^&}
                                  • API String ID: 2427045233-75527770
                                  • Opcode ID: 50bfd0d29ab8bf6fa1f7fc5ce7b8ef13c5ab8d441c5a4fe8430ac49150a6bd1a
                                  • Instruction ID: a446f3c48f720c991d53ae64fe60f344f8c8cb73486aa8a7f000a2449578e183
                                  • Opcode Fuzzy Hash: 50bfd0d29ab8bf6fa1f7fc5ce7b8ef13c5ab8d441c5a4fe8430ac49150a6bd1a
                                  • Instruction Fuzzy Hash: 3A519D31904348DFCB16EFA4C885BDEFBB4BF14304F5442A9E545AB292EB705A88CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_
                                  • String ID: AiStopPageChange$AiTabPagePreChange
                                  • API String ID: 2427045233-2957746484
                                  • Opcode ID: 38d3b4ce04ef42da01ec291d758de80815d7cf957d78563a86b725bda33d3eab
                                  • Instruction ID: f4936c5da1b6545296e75332759d71daa994de0c9ea6f55c6ee4a7c076cfc43e
                                  • Opcode Fuzzy Hash: 38d3b4ce04ef42da01ec291d758de80815d7cf957d78563a86b725bda33d3eab
                                  • Instruction Fuzzy Hash: F6517130905649DFCB05EFA8C995BDDFBB0BF19314F54819DE005AB2A1DB742B09CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00436E7B
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                    • Part of subcall function 0039CBED: __EH_prolog3.LIBCMT ref: 0039CBF4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3H_prolog3__wcslen
                                  • String ID: PIDKEY$PIDTemplate
                                  • API String ID: 1523997010-3823902873
                                  • Opcode ID: b2adc178c1aa9f5f3bd42712ed1e65b13e83f7c8f28939dc7705705a977c92dc
                                  • Instruction ID: 74ea573a8562fb9ee0409af0fb960c3dbb2d7f1008e32d95ff7ef21c61725b12
                                  • Opcode Fuzzy Hash: b2adc178c1aa9f5f3bd42712ed1e65b13e83f7c8f28939dc7705705a977c92dc
                                  • Instruction Fuzzy Hash: FF519031900209DECF14DFD4C4949EDBBB5FF58310FA5945AE002AB195E738AE86CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003AADEC
                                    • Part of subcall function 0039ACDF: __EH_prolog3_catch.LIBCMT ref: 0039ACE6
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                  Strings
                                  • AI_COLLAPSIBLE_GROUP_ADJUST_HOST, xrefs: 003AAF0E
                                  • AI_COLLAPSIBLE_GROUP_ANIMATE, xrefs: 003AAEA9
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_H_prolog3_catch_wcslen
                                  • String ID: AI_COLLAPSIBLE_GROUP_ADJUST_HOST$AI_COLLAPSIBLE_GROUP_ANIMATE
                                  • API String ID: 4240092452-2952334163
                                  • Opcode ID: 084cf62db48f7de48ad8d0ce249d06e6d636b15d288bcadc9429332028025e20
                                  • Instruction ID: 11900dff1c823b8c549db24cbaa1b18c48e26bfc34789f3db4298b1bc916c915
                                  • Opcode Fuzzy Hash: 084cf62db48f7de48ad8d0ce249d06e6d636b15d288bcadc9429332028025e20
                                  • Instruction Fuzzy Hash: 4B5149B0901344DEDB45EFA8C58478DBBF0BF19304F1485ADE849DF296EB749A09CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID: -----$[0x%.8Ix]
                                  • API String ID: 176396367-2239483656
                                  • Opcode ID: 7239f8877ff8d39cce648bc89069165b1e36d3fc35a0b321ea60035a52c756b9
                                  • Instruction ID: 37aeca36b230785e2e4fa9f370014411219b93b6147a18c98d7a6db9e8e52db6
                                  • Opcode Fuzzy Hash: 7239f8877ff8d39cce648bc89069165b1e36d3fc35a0b321ea60035a52c756b9
                                  • Instruction Fuzzy Hash: 8A4131B4A007099FCB24DFA9C984A9EB7F4FF48314F10052EE515E7391E7749A44CB65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_catch_GS.LIBCMT ref: 003AA172
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3_catch_
                                  • String ID: OutOfDiskSpace
                                  • API String ID: 1329019490-45093717
                                  • Opcode ID: 6c3b3a09f4db450850e2f6379f498f9808211a953769d4730319ce8fd5b1ed97
                                  • Instruction ID: cb8a17e6d51e493109cb4918d853347f1a67da076ea1d96552a4538233bc0ce9
                                  • Opcode Fuzzy Hash: 6c3b3a09f4db450850e2f6379f498f9808211a953769d4730319ce8fd5b1ed97
                                  • Instruction Fuzzy Hash: 9741D331910A08EFCB16EF78C945BDCF7B4BF05304F14869EE44AA7282DB706A85CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 00418ED3
                                    • Part of subcall function 003B8EC1: _wcsstr.LIBVCRUNTIME ref: 003B8EDB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3__wcsstr
                                  • String ID: ://$\/:*?"<>|
                                  • API String ID: 2439793542-159137041
                                  • Opcode ID: 7a51d3064904bf10798533bfc256586b15117f6638f21ef285a69f2998aa6aa5
                                  • Instruction ID: 72f3c4333eff8b1385aaabb0ae503980aa66d0fa64426ad956fe215e5e554c65
                                  • Opcode Fuzzy Hash: 7a51d3064904bf10798533bfc256586b15117f6638f21ef285a69f2998aa6aa5
                                  • Instruction Fuzzy Hash: DE319375B006298BDB01DB698881BFEB2E6AB98710F50406FE505F7340DB79DD428B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 003BA827
                                    • Part of subcall function 003BAB54: __EH_prolog3_GS.LIBCMT ref: 003BAB5B
                                    • Part of subcall function 003BAB54: IsWindow.USER32(?), ref: 003BAB79
                                    • Part of subcall function 003BAB54: IsWindow.USER32(?), ref: 003BAB86
                                    • Part of subcall function 003BAB54: CopyRect.USER32(?,?), ref: 003BABEB
                                    • Part of subcall function 003BAB54: IsRectEmpty.USER32(?), ref: 003BABF5
                                    • Part of subcall function 003BAB54: SendMessageW.USER32(?,00001104,00000001,?), ref: 003BAC4C
                                    • Part of subcall function 003BAB54: IsWindowEnabled.USER32(00000002), ref: 003BAC57
                                    • Part of subcall function 003BAB54: GetSysColor.USER32(0000000F), ref: 003BAC65
                                    • Part of subcall function 003BAB54: SendMessageW.USER32(?,00001200,00000000,00000000), ref: 003BAC7E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$MessageRectSend$ColorCopyEmptyEnabledH_prolog3_Redraw
                                  • String ID: @
                                  • API String ID: 1200408397-2766056989
                                  • Opcode ID: da606c860ed8748fbba314ed17fb747c2ad1bc184671fd3df696c96736a2b434
                                  • Instruction ID: 93157c6c31f60e2ad37c3a26f7b194364a4b84484a89d91ab260a01f4fb0bca0
                                  • Opcode Fuzzy Hash: da606c860ed8748fbba314ed17fb747c2ad1bc184671fd3df696c96736a2b434
                                  • Instruction Fuzzy Hash: 17318430604E109BDB26EF68C8D1AAEB7E6EF80714F50444DF7429AD91CB70AC45C7A3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 00426881
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,00000014,00426877), ref: 00426893
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3ObjectSingleWait
                                  • String ID: *.*
                                  • API String ID: 2100491740-438819550
                                  • Opcode ID: 385a7a12fe75c9703362efbf92c97ef4e3180e470deedcd54b0a16252783ce52
                                  • Instruction ID: e36c2b0806c2b3d8b79ca48c3a5f2a89f6be7109643ceb292a24816a98d6e7cb
                                  • Opcode Fuzzy Hash: 385a7a12fe75c9703362efbf92c97ef4e3180e470deedcd54b0a16252783ce52
                                  • Instruction Fuzzy Hash: 81317EB0E0021ADFDF05DFA5C888BAEB7B4BF04315F55416DE011A7291CB7C9A44CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003AA45D
                                  • SetTimer.USER32(000000FF,00000001,000001F4,00000000), ref: 003AA55D
                                    • Part of subcall function 00384285: _wcslen.LIBCMT ref: 0038429C
                                    • Part of subcall function 00395BC3: _wcslen.LIBCMT ref: 00395BEB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: _wcslen$H_prolog3_Timer
                                  • String ID: CostingComplete
                                  • API String ID: 3507170116-4108885746
                                  • Opcode ID: 5b4a1da85baa672c3bd217655a308ebd1798ddddcc78544654682b9424555205
                                  • Instruction ID: cb392e8eb9e32d254f530bb999e4e1db2b47030830c30ffff640ed23c5eccd58
                                  • Opcode Fuzzy Hash: 5b4a1da85baa672c3bd217655a308ebd1798ddddcc78544654682b9424555205
                                  • Instruction Fuzzy Hash: 8431CD71940B049FDB22DF74C885BECBB71AF16320F18465EE4526B2D2D7B46986CB05
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003A4D3A
                                    • Part of subcall function 003899A5: __EH_prolog3.LIBCMT ref: 003899AC
                                    • Part of subcall function 003A5873: __EH_prolog3.LIBCMT ref: 003A587A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID: P&9$=;
                                  • API String ID: 431132790-4084489139
                                  • Opcode ID: c23aa5252355760fd9557e2c0bf660c869592a931975409fe8a4d1553bfd0d8d
                                  • Instruction ID: c4b78b93d59b200a84db55a4feeaeeedef1bcc06263199d63408bd94bccbbc51
                                  • Opcode Fuzzy Hash: c23aa5252355760fd9557e2c0bf660c869592a931975409fe8a4d1553bfd0d8d
                                  • Instruction Fuzzy Hash: 864103B0905B84DED711CF69C184389FFF0BF59308F24859EC0989B352D776A646CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003C4E26
                                    • Part of subcall function 003B8E07: SendMessageW.USER32(?,0000113E,00000000,?), ref: 003B8E34
                                    • Part of subcall function 003B8E66: SendMessageW.USER32(?,00001127,?,0000F000), ref: 003B8E78
                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 003C4EE5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSend$H_prolog3_
                                  • String ID: AiRefreshCost
                                  • API String ID: 3491702567-1756256600
                                  • Opcode ID: 2088a79de949b1c93bd89113326a593d21407c6e11a9f28ee78371e9936a109f
                                  • Instruction ID: d9ff8936a1e5c6d3adec7981d003166c16da237e66c69f78b03a4d46c7096bdb
                                  • Opcode Fuzzy Hash: 2088a79de949b1c93bd89113326a593d21407c6e11a9f28ee78371e9936a109f
                                  • Instruction Fuzzy Hash: 57218B30A00309ABDF06BBA4C86BFED7B65AF45314F20416DF502AE1D6DBB49E44CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID: 'Xh6$BoostrapperProgressImpl
                                  • API String ID: 431132790-1455324155
                                  • Opcode ID: f346b94eb3ade9163d4735ad0ac6ae011f8afb0007a744263f50af93c39da1c6
                                  • Instruction ID: 56402c99d87bb42c90a6b604d06b4291151feee50a0b6844c5431ced98da81f2
                                  • Opcode Fuzzy Hash: f346b94eb3ade9163d4735ad0ac6ae011f8afb0007a744263f50af93c39da1c6
                                  • Instruction Fuzzy Hash: CB1166726043059FDB14FF90D884A6EB3A8EFC0321F10466EF4119F2D2DBB0AA09CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetLastError.KERNEL32(0000000D,?,?,?,00458BC0,00000000,003E7136,0050267C,00000000,?,003E6CA4,00502678,003E6C70,0050267C,003E7136,00000000), ref: 0045A8B3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: ErrorLast
                                  • String ID: PA8
                                  • API String ID: 1452528299-1386033528
                                  • Opcode ID: 5cb08dc25323fb3dc523d2ae53e7f6e4aa38065c2fe9565817b2ea7e5af15977
                                  • Instruction ID: 58246564fedcc4afa0040e7b7bae32c917325ccb7cb12228391560c2c99677e7
                                  • Opcode Fuzzy Hash: 5cb08dc25323fb3dc523d2ae53e7f6e4aa38065c2fe9565817b2ea7e5af15977
                                  • Instruction Fuzzy Hash: 8D11C632204116AFCF166FA0EC4466BBB65FF48752B00453AFD0596211DA309C26CBD7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3_GS.LIBCMT ref: 003A0B48
                                  • _wcslen.LIBCMT ref: 003A0B82
                                    • Part of subcall function 003A0DCA: __EH_prolog3.LIBCMT ref: 003A0DD1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3H_prolog3__wcslen
                                  • String ID: DirectUIHost
                                  • API String ID: 1523997010-2262032592
                                  • Opcode ID: 008f5d00f609bc075f0e82c9e38bd91fbd3aa11b2559eba2943d2b67ffd34efe
                                  • Instruction ID: e73885864b07368e8bd33d19963688fb1d749e49908067552b3ed969180e1eab
                                  • Opcode Fuzzy Hash: 008f5d00f609bc075f0e82c9e38bd91fbd3aa11b2559eba2943d2b67ffd34efe
                                  • Instruction Fuzzy Hash: 89216D71D00268DBCB25EF68C941BDDB7B4AF54304F1081EAE849AB281DBB45F88CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(80000000,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,00000000), ref: 003AC3EC
                                  • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,003AB695,00000000,?,?,?,0000008C,003A9A55,00000000), ref: 003AC401
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: Window$Create
                                  • String ID: tooltips_class32
                                  • API String ID: 870168347-1918224756
                                  • Opcode ID: 092af04fa1922aaf1fc9f0e460fd6d65ccedbaf728cf71ce31abca79c7ef7ac6
                                  • Instruction ID: b66dec0d632b0c7fd4e7de341a5e953ca37a77235e04eeaec06814fccda513aa
                                  • Opcode Fuzzy Hash: 092af04fa1922aaf1fc9f0e460fd6d65ccedbaf728cf71ce31abca79c7ef7ac6
                                  • Instruction Fuzzy Hash: 19F02D723500523EE724862ACC1DFF3BAADDBC2B12F12823EB500C60D0D2658802C234
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0041C86D
                                    • Part of subcall function 003870E1: __EH_prolog3.LIBCMT ref: 00387141
                                  • _wcslen.LIBCMT ref: 0041C8B7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3$_wcslen
                                  • String ID: bin
                                  • API String ID: 821321042-2854705901
                                  • Opcode ID: 274a8f9c8287c54495dc83640a6c48caa838d82fb0a05936817634381660ab44
                                  • Instruction ID: 0a260cc5080a3188c08e26a4c54931932aef5d366acb077b6f61db44fb7f5fb6
                                  • Opcode Fuzzy Hash: 274a8f9c8287c54495dc83640a6c48caa838d82fb0a05936817634381660ab44
                                  • Instruction Fuzzy Hash: 45016270B00A146BDF15BF6E8895A7FB6E9BF84700B40405FF415DF351CB784A424799
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0038716B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 003871AF
                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003CE075
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003CE084
                                    • Part of subcall function 0038889A: SetWindowLongW.USER32(?,000000FC,00000000), ref: 003888D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$CreateLong
                                  • String ID: BUTTON
                                  • API String ID: 4015368215-3405671355
                                  • Opcode ID: d3ffc3ef562473f5d09c817ab09e45e9625183da6619cb7b4d00e06fe57085d3
                                  • Instruction ID: 145031bdb638b5a8d966cd15331acfb862a4e3ccfcb36da3af3e3315f83797d6
                                  • Opcode Fuzzy Hash: d3ffc3ef562473f5d09c817ab09e45e9625183da6619cb7b4d00e06fe57085d3
                                  • Instruction Fuzzy Hash: 89014B72610228BBCB169F89DC45DEF3FA9EB0D790F104059FA0A9B260C6B19D10DBF4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0038716B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 003871AF
                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003CE536
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003CE545
                                    • Part of subcall function 0038889A: SetWindowLongW.USER32(?,000000FC,00000000), ref: 003888D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$CreateLong
                                  • String ID: COMBOBOX
                                  • API String ID: 4015368215-1136563877
                                  • Opcode ID: 8f126111b852fb795aed3453bd112f0a669508e69359b74ef33962ad611b2bc6
                                  • Instruction ID: 785c657473770a0d9ad3e481625f60637cdeb7e265c28ec15439d6fc23b7faed
                                  • Opcode Fuzzy Hash: 8f126111b852fb795aed3453bd112f0a669508e69359b74ef33962ad611b2bc6
                                  • Instruction Fuzzy Hash: D3014B72610228BBCB169F99DC45DDF3FA9EB0D790F104059FA099B260C6719D10DBF4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0038716B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 003871AF
                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003CE63E
                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003CE64D
                                    • Part of subcall function 0038889A: SetWindowLongW.USER32(?,000000FC,00000000), ref: 003888D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: MessageSendWindow$CreateLong
                                  • String ID: EDIT
                                  • API String ID: 4015368215-3080729518
                                  • Opcode ID: 75f8acc4a072d87113fc2381dfdc16c9638e5148e2ec6441848b4cf7e3656e8e
                                  • Instruction ID: 631cd79eca4c4fa67e44909673f40fee1d970f9c0163032459d8e2f75b59047a
                                  • Opcode Fuzzy Hash: 75f8acc4a072d87113fc2381dfdc16c9638e5148e2ec6441848b4cf7e3656e8e
                                  • Instruction Fuzzy Hash: 34014B72611228BBCB159F89DC46DDF3FA9EB09790F104059FA099B261C6719D10DBF4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 0047EB69
                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000237,?,00000002,?,00000004,?,00000004,003A29D1), ref: 0047EBC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: H_prolog3Window
                                  • String ID: p)P
                                  • API String ID: 616115145-2224914269
                                  • Opcode ID: d2d130eec018b6d7f294ba3f2888f9c7841fe966af92171c119db9609dce4c9a
                                  • Instruction ID: 73da9a32d71f518a4fc2540a124f33e3c711c14e51eabddd17efb2f59e7107d0
                                  • Opcode Fuzzy Hash: d2d130eec018b6d7f294ba3f2888f9c7841fe966af92171c119db9609dce4c9a
                                  • Instruction Fuzzy Hash: 07F090B0940204DEEB10DB669D0ABBD3BA0EF58300F00866AF695AB2E1CB750905DB18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,00473817,?,00000055,00000050), ref: 004703AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.676313580.0000000000381000.00000020.00000001.01000000.00000007.sdmp, Offset: 00380000, based on PE: true
                                  • Associated: 00000010.00000002.676294588.0000000000380000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676721810.00000000004FC000.00000004.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676745940.0000000000504000.00000002.00000001.01000000.00000007.sdmp
                                  • Associated: 00000010.00000002.676816733.000000000053D000.00000002.00000001.01000000.00000007.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_380000_DLC3A4.jbxd
                                  Similarity
                                  • API ID: DefaultUser
                                  • String ID: GetUserDefaultLocaleName$PA8
                                  • API String ID: 3358694519-2447365336
                                  • Opcode ID: 617089506448a0517d60c3d5421f2643c037c65b4370158f2755990446453e34
                                  • Instruction ID: 14bf6964bcf5ebc65fa28e0db6e80eceaed7d4139ca7147f614d422eddb53cab
                                  • Opcode Fuzzy Hash: 617089506448a0517d60c3d5421f2643c037c65b4370158f2755990446453e34
                                  • Instruction Fuzzy Hash: 92F0F031601218BBCB606F61DC46FAF7F61EB05710F108067BD085A291DA7959109ACD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • IsValidLocale.KERNEL32(00000000,0046A664,00000000,00000001,?,?,0046A664,?,?,0046A044,?,00000004), ref: 00470479
                                  Strings
                                  Similarity
                                  • API ID: LocaleValid
                                  • String ID: IsValidLocaleName$PA8
                                  • API String ID: 1901932003-1236809712
                                  • Opcode ID: 6e169fa38a9df2bad7e49147ce723ca4fe02c5b58b7fd28cce16f72aed7e10e4
                                  • Instruction ID: 3307ca9415be7b0a0f6c5932b8ed4aa2e577d533c2d0c7fd4e61d08b9478a6d0
                                  • Opcode Fuzzy Hash: 6e169fa38a9df2bad7e49147ce723ca4fe02c5b58b7fd28cce16f72aed7e10e4
                                  • Instruction Fuzzy Hash: 17F09E32645308F7CB206B20DC42FAE7F95DB11B00F10806BFE09662C1DE780D1099CD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003C2134
                                    • Part of subcall function 003CF6C4: __EH_prolog3.LIBCMT ref: 003CF6CB
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID: K <$w(;
                                  • API String ID: 431132790-715501438
                                  • Opcode ID: 661c9738f1e5a4542d2627d3e2e781ebe856aaf5a991b72f302315c315ed09c0
                                  • Instruction ID: d40d06aa0c677e53163db2374c789e99611e373d7e109c12bdab43c44e7e45c6
                                  • Opcode Fuzzy Hash: 661c9738f1e5a4542d2627d3e2e781ebe856aaf5a991b72f302315c315ed09c0
                                  • Instruction Fuzzy Hash: C7F0E7B4901205EFCB04EF69C444588BBF0FF59328B64C16FA4589B391C7B99A16CF99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: _abort
                                  • String ID: PA8$|&P
                                  • API String ID: 1888311480-836921290
                                  • Opcode ID: b7a6678b29f9e0f04044cd7c7cdf46cc5ea4aeaf4b49d273f40e53b94370d530
                                  • Instruction ID: ea67926620c67ec0d270811d856ffd1fd3849289de0f6a364def3faac344969c
                                  • Opcode Fuzzy Hash: b7a6678b29f9e0f04044cd7c7cdf46cc5ea4aeaf4b49d273f40e53b94370d530
                                  • Instruction Fuzzy Hash: 9CF0A7B1641314ABC711AB719D0AB1E7BA0AF94B15F14C18EF844673D2DF789C009B9B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003C69CB
                                    • Part of subcall function 003CDF08: __EH_prolog3.LIBCMT ref: 003CDF0F
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID: Qm<$Ym<
                                  • API String ID: 431132790-2071212101
                                  • Opcode ID: 76cb1b5266ed9e9e1e3a82b1d9376f8097dc84aadd0e5d7ea4a836eebb9cade3
                                  • Instruction ID: 82a100f296c9ecefe170a6e8b3d78bb80ae5f3a937cf1ba182bb0d1a2c7fcebd
                                  • Opcode Fuzzy Hash: 76cb1b5266ed9e9e1e3a82b1d9376f8097dc84aadd0e5d7ea4a836eebb9cade3
                                  • Instruction Fuzzy Hash: 0AF01C70501B84DEC761EFA9880868ABEE0FF48310F10865EE4A98B391C7B456048798
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 003CE568
                                    • Part of subcall function 003927B5: __EH_prolog3.LIBCMT ref: 003927BC
                                  Strings
                                  Similarity
                                  • API ID: H_prolog3
                                  • String ID: 7<$?<
                                  • API String ID: 431132790-2558826197
                                  • Opcode ID: c526e23e517ea35c63006d1fbcddd6494087c07bccd267fff47fba2c06d0ef18
                                  • Instruction ID: f24402d98e3d562caad178880ee118840d0bccffcd7e5a5a80c7c81652a104fd
                                  • Opcode Fuzzy Hash: c526e23e517ea35c63006d1fbcddd6494087c07bccd267fff47fba2c06d0ef18
                                  • Instruction Fuzzy Hash: 65E09271800700ABDB20AF95C88579E7AA0EF04325F00C60EF0981E2E2C3B846048F9C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,36685827,00000000,00000000,00000000,00000000,003DFCC2,003DFCC2,00000000,00000000,00000000,36685827), ref: 00470763
                                  • GetLastError.KERNEL32(?,003DFCC2), ref: 00470771
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,36685827,00000000,?,003DFCC2), ref: 004707CC
                                  Similarity
                                  • API ID: ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1717984340-0
                                  • Opcode ID: bcfe4ca03dab21d032ce51418169211112e22cfb321914d6a43809ef82a48f3b
                                  • Instruction ID: c8ed61860dfc20de7f7e5e3589dace2dbf59bb9a4bbbe98ec52ec4ade595ec3d
                                  • Opcode Fuzzy Hash: bcfe4ca03dab21d032ce51418169211112e22cfb321914d6a43809ef82a48f3b
                                  • Instruction Fuzzy Hash: 4A41E731602205EFCF259F64C844BEB7BA4EF41320F15816BF85D9B291E7349C01CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%